Why is PowerDNS required on every server in the DNS cluster to enable DNSSEC?

Operating System & Version
CloudLinux 7
cPanel & WHM Version
92

DennisMidjord

Well-Known Member
Sep 27, 2016
262
34
28
Denmark
cPanel Access Level
Root Administrator
In WHM > Service Configuration > Nameserver Selection, the following is displayed as a note to the 'Disabled' option: "This option will disable the nameserver. If you are serving dns as part of a cluster you may not need to run one locally."
We've configured 3 DNS servers in our cluster. I thought we could disable the DNS server on each of the shared servers - but that disables the option to use the DNSSEC interface from cPanel. What's the reason for this?
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
3,236
401
243
cPanel Access Level
Root Administrator
Hey there! This is happening because DNSSEC requires PowerDNS, according to our docs here:


"To use DNSSEC on your server, you must use PowerDNS as the nameserver. For more information about how to install PowerDNS on your server, read our Nameserver Selection documentation."

In order to keep things consistent, we just ensure that all cluster members will use PowerDNS to avoid issues.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
3,236
401
243
cPanel Access Level
Root Administrator
The DNSSEC functions are actually a part of PowerDNS. For example, the DNSSEC key database is part of the pdnsutil function, which gets handled with this command:

Code:
pdnsutil create-bind-db /var/cpanel/pdns/dnssec.db
Since the functions themselves need PowerDNS, it has to exist on all the cluster members.