1 minute read

Recently I wrote about using Gandi LiveDNS. Another feature available is to use your own DNS server to slave Gandi’s DNS for extra resilience. This guide explains how to do it.
Using PowerDNS with Gandi Live DNS to enhance resilience
This guide assumes you have a working PowerDNS installation. If you don’t this guide will get you started.

Run the following command from the terminal, making sure you use your API key where required:

curl -XPOST -H"X-Api-Key: YOUR-API-KEY" https://dns.api.gandi.net/api/v5/axfr/tsig

This command will output a record:

{"key_name": "85e7b6e3-4553-479b-b968-cd0c77143802.gandi.net", "secret": "0ghpfTvSgQ+n3sb56y1Wc4TydiCLBiunLmsy2LtSTqU3MQ5KaMsxbShPoyyzORC8grAE8++CAYPPGRnf+YylIg==", "uuid": "85e7b6e3-4553-479b-b968-cd0c77143802", "axfr_tsig_url": "https://dns.api.gandi.net/api/v5/axfr/tsig/85e7b6e3-4553-479b-b968-cd0c77143802"}

Look for the key name before the gandi.net, in this example:

Use this to tie the key with the secret to the domain you wish to use:

curl -H"X-Api-Key: $YOUR-API-KEY" \ -XPUT https://dns.api.gandi.net/api/v5/domains/YOUR-DOMAIN-HERE/axfr/tsig/YOUR-KEY-HERE

On your PowerDNS server import the key copying the full key_name and the secret from the key you produced earlier. Using the above as an example you would run:

sudo pdnsutil import-tsig-key 85e7b6e3-4553-479b-b968-cd0c77143802.gandi.net. hmac-sha512 '0ghpfTvSgQ+n3sb56y1Wc4TydiCLBiunLmsy2LtSTqU3MQ5KaMsxbShPoyyzORC8grAE8++CAYPPGRnf+YylIg=='

For example:

curl -H"X-Api-Key: $APIKEY" \ -XPUT https://dns.api.gandi.net/api/v5/domains/example.com/axfr/tsig/85e7b6e3-4553-479b-b968-cd0c77143802

You can tie the key to multiple domains in your account.

Now we need to add your PowerDNS server IP address(es) to Gandi, you can use v4 or v6 addresses:

for host in YOUR-IP-Address-HERE ANOTHER-IP-HERE; do curl -H"X-Api-Key: $APIKEY" \ -XPUT https://dns.api.gandi.net/api/v5/domains/YOUR-DOMAIN-HERE/axfr/slaves/$host ; done

Finally we need to run the following commands on your PowerDNS server to complete the setup.

sudo pdnsutil create-slave-zone YOUR-DOMAIN-HERE 2001:4b98:dc2:90::cafe:53 2001:4b98:d:1::cafe:53

and then:

pdnsutil activate-tsig-key YOUR-DOMAIN-HERE 85e7b6e3-4553-479b-b968-cd0c77143802.gandi.net. slave

Finally add the nameserver to your domain using your Gandi control panel:


All done! Gandi will now slave the zone to your name server as a backup.

Leave a comment