Why is PowerDNS required on every server in the DNS cluster to enable DNSSEC?

[DennisMidjord]

In WHM > Service Configuration > Nameserver Selection, the following is displayed as a note to the 'Disabled' option: "This option will disable the nameserver. If you are serving dns as part of a cluster you may not need to run one locally."
We've configured 3 DNS servers in our cluster. I thought we could disable the DNS server on each of the shared servers - but that disables the option to use the DNSSEC interface from cPanel. What's the reason for this?

 

[cPRex]

Hey there! This is happening because DNSSEC requires PowerDNS, according to our docs here:

DNSSEC | cPanel & WHM Documentation

DNSSEC adds a layer of security to your domains' DNS records.

docs.cpanel.net

"To use DNSSEC on your server, you must use PowerDNS as the nameserver. For more information about how to install PowerDNS on your server, read our Nameserver Selection documentation."

In order to keep things consistent, we just ensure that all cluster members will use PowerDNS to avoid issues.

 

[DennisMidjord]

In order to keep things consistent, we just ensure that all cluster members will use PowerDNS to avoid issues.

But why is it necessary on the shared servers? I don't see why those servers need to be using PowerDNS as everything DNS related is handled by our actual name servers.

 

[cPRex]

The DNSSEC functions are actually a part of PowerDNS. For example, the DNSSEC key database is part of the pdnsutil function, which gets handled with this command:

pdnsutil create-bind-db /var/cpanel/pdns/dnssec.db

Since the functions themselves need PowerDNS, it has to exist on all the cluster members.