3. Generic MySQL and PgSQL backends

3.1. MySQL specifics
3.2. PostgreSQL specifics
3.3. Oracle specifics
3.4. Basic functionality
3.5. DNSSEC queries
3.6. Master/slave queries
3.7. Fancy records
3.8. Settings and specifying queries
3.9. Native operation
3.10. Slave operation
3.11. Superslave operation
3.12. Master operation

Table A.3. Generic PgSQL and MySQL backend capabilities

NativeYes
MasterYes
SlaveYes
SuperslaveYes
AutoserialYes (v3.1 and up)
CaseAll lower
DNSSECYes (set gmysql-dnssec or gpgsql-dnssec)
Module name < 2.9.3pgmysql
Module name > 2.9.2gmysql and gpgsql
Launch namegmysql and gpgsql2 and gpgsql


PostgreSQL and MySQL backend with easily configurable SQL statements, allowing you to graft PDNS on any PostgreSQL or MySQL database of your choosing. Because all database schemas will be different, a generic backend is needed to cover all needs.

[Warning]Warning

Host names and the MNAME of a SOA records are NEVER terminated with a '.' in PowerDNS storage! If a trailing '.' is present it will inevitably cause problems, problems that may be hard to debug.

The template queries are expanded using the C function 'snprintf' which implies that substitutions are performed on the basis of %-place holders. To place a % in a query which will not be substituted, use %%. Make sure to fill out the search key, often called 'name' in lower case!

There are in fact two backends, one for PostgreSQL and one for MySQL but they accept the same settings and use almost exactly the same database schema.

3.1. MySQL specifics

[Warning]Warning

If using MySQL with 'slave' support enabled in PowerDNS you must run MySQL with a table engine that supports transactions.

In practice, great results are achieved with the 'InnoDB' tables. PowerDNS will silently function with non-transaction aware MySQLs but at one point this is going to harm your database, for example when an incoming zone transfer fails.

The default setup conforms to the following schema:

create table domains (
 id		 INT auto_increment,
 name		 VARCHAR(255) NOT NULL,
 master		 VARCHAR(128) DEFAULT NULL,
 last_check	 INT DEFAULT NULL,
 type		 VARCHAR(6) NOT NULL,
 notified_serial INT DEFAULT NULL, 
 account         VARCHAR(40) DEFAULT NULL,
 primary key (id)
) Engine=InnoDB;

CREATE UNIQUE INDEX name_index ON domains(name);

CREATE TABLE records (
  id              INT auto_increment,
  domain_id       INT DEFAULT NULL,
  name            VARCHAR(255) DEFAULT NULL,
  type            VARCHAR(10) DEFAULT NULL,
  content         VARCHAR(64000) DEFAULT NULL,
  ttl             INT DEFAULT NULL,
  prio            INT DEFAULT NULL,
  change_date     INT DEFAULT NULL,
  primary key(id)
) Engine=InnoDB;

CREATE INDEX rec_name_index ON records(name);
CREATE INDEX nametype_index ON records(name,type);
CREATE INDEX domain_id ON records(domain_id);

create table supermasters (
  ip VARCHAR(25) NOT NULL, 
  nameserver VARCHAR(255) NOT NULL, 
  account VARCHAR(40) DEFAULT NULL
) Engine=InnoDB;

Zone2sql with the --gmysql flag also assumes this layout is in place.

To support or migrate to DNSSEC, the following SQL statements must be executed:

create table domainmetadata (
 id		 INT auto_increment,
 domain_id       INT NOT NULL,
 kind		 VARCHAR(16),
 content	TEXT,
 primary key(id)
);

create index domainmetaidindex on domainmetadata(domain_id);               


create table cryptokeys (
 id		INT auto_increment,
 domain_id      INT NOT NULL,
 flags		INT NOT NULL,
 active		BOOL,
 content	TEXT,
 primary key(id)
);		 

create index domainidindex on cryptokeys(domain_id);           

alter table records add ordername      VARCHAR(255);
alter table records add auth bool;
create index orderindex on records(ordername);

create table tsigkeys (
 id		INT auto_increment,
 name		VARCHAR(255), 
 algorithm	VARCHAR(50),
 secret		VARCHAR(255),
 primary key(id)
);

create unique index namealgoindex on tsigkeys(name, algorithm);
alter table records change column type type VARCHAR(10);

For full migration notes, please see Section 3, “Migration”.

This schema contains all elements needed for master, slave and superslave operation. Depending on which features will be used, the 'GRANT' statements can be trimmed to make sure PDNS cannot subvert the contents of your database.

When using the InnoDB storage engine, we suggest adding the following lines to the 'create table records' command above:

CONSTRAINT `records_ibfk_1` FOREIGN KEY (`domain_id`) REFERENCES `domains`
(`id`) ON DELETE CASCADE

This automates deletion of records on deletion of a domain from the domains table.

3.2. PostgreSQL specifics

The default setup conforms to the following schema, which you should add to a PostgreSQL database.

create table domains (
 id		 SERIAL PRIMARY KEY,
 name		 VARCHAR(255) NOT NULL,
 master		 VARCHAR(128) DEFAULT NULL,
 last_check	 INT DEFAULT NULL,
 type		 VARCHAR(6) NOT NULL,
 notified_serial INT DEFAULT NULL, 
 account         VARCHAR(40) DEFAULT NULL
);
CREATE UNIQUE INDEX name_index ON domains(name);
  
CREATE TABLE records (
        id              SERIAL PRIMARY KEY,
        domain_id       INT DEFAULT NULL,
        name            VARCHAR(255) DEFAULT NULL,
        type            VARCHAR(10) DEFAULT NULL,
        content         VARCHAR(65535) DEFAULT NULL,
        ttl             INT DEFAULT NULL,
        prio            INT DEFAULT NULL,
        change_date     INT DEFAULT NULL, 
        CONSTRAINT domain_exists 
        FOREIGN KEY(domain_id) REFERENCES domains(id)
        ON DELETE CASCADE,
        CONSTRAINT c_lowercase_name CHECK (((name)::text = lower((name)::text)))
);

CREATE INDEX rec_name_index ON records(name);
CREATE INDEX nametype_index ON records(name,type);
CREATE INDEX domain_id ON records(domain_id);

create table supermasters (
	  ip VARCHAR(25) NOT NULL, 
	  nameserver VARCHAR(255) NOT NULL, 
	  account VARCHAR(40) DEFAULT NULL
);

-- GRANT SELECT ON supermasters TO pdns;
-- GRANT ALL ON domains TO pdns;
-- GRANT ALL ON domains_id_seq TO pdns;
-- GRANT ALL ON records TO pdns;
-- GRANT ALL ON records_id_seq TO pdns;

	

Zone2sql with the --gpgsql flag also assumes this layout is in place.

This schema contains all elements needed for master, slave and superslave operation. Depending on which features will be used, the 'GRANT' statements can be trimmed to make sure PDNS cannot subvert the contents of your database.

To support DNSSEC or to migrate to DNSSEC, the following statements have to be issued:

alter table records add ordername	VARCHAR(255);
alter table records add auth bool;
create index orderindex on records(ordername);

create table domainmetadata (
 id		SERIAL PRIMARY KEY,
 domain_id	INT REFERENCES domains(id) ON DELETE CASCADE,
 kind		VARCHAR(16),
 content	TEXT
);

create index domainidmetaindex on domainmetadata(domain_id);               


create table cryptokeys (
 id		SERIAL PRIMARY KEY,
 domain_id	INT REFERENCES domains(id) ON DELETE CASCADE,
 flags		INT NOT NULL,
 active		BOOL,
 content	TEXT
);		 
create index domainidindex on cryptokeys(domain_id);


-- GRANT ALL ON domainmetadata TO pdns;
-- GRANT ALL ON domainmetadata_id_seq TO pdns;
-- GRANT ALL ON cryptokeys TO pdns;
-- GRANT ALL ON cryptokeys_id_seq TO pdns;

create table tsigkeys (
 id		SERIAL PRIMARY KEY,
 name		VARCHAR(255),
 algorithm	VARCHAR(50), 
 secret		VARCHAR(255)
);

create unique index namealgoindex on tsigkeys(name, algorithm);

-- GRANT ALL ON tsigkeys TO pdns;
-- GRANT ALL ON tsigkeys_id_seq TO pdns;
alter table records alter column type type VARCHAR(10);

For full migration notes, please see Section 3, “Migration”.

With PostgreSQL, you may have to run 'createdb powerdns' first and then connect to that database with 'psql powerdns', and feed it the schema above.

3.3. Oracle specifics

Generic Oracle support is only available since version 2.9.18. The default setup conforms to the following schema, which you should add to an Oracle database. You may need or want to add 'namespace' statements.


create table domains (
 id		 NUMBER,
 name		 VARCHAR(255) NOT NULL,
 master		 VARCHAR(128) DEFAULT NULL,
 last_check	 INT DEFAULT NULL,
 type		 VARCHAR(6) NOT NULL,
 notified_serial INT DEFAULT NULL, 
 account         VARCHAR(40) DEFAULT NULL,
 primary key (id)
);
create sequence DOMAINS_ID_SEQUENCE; 
create index DOMAINS$NAME on Domains (NAME);

 
CREATE TABLE records (
        id              number(11) not NULL,
        domain_id       INT DEFAULT NULL REFERENCES Domains(ID) ON DELETE CASCADE,
        name            VARCHAR(255) DEFAULT NULL,
        type            VARCHAR(10) DEFAULT NULL,
        content         VARCHAR2(4000) DEFAULT NULL,
        ttl             INT DEFAULT NULL,
        prio            INT DEFAULT NULL,
        change_date     INT DEFAULT NULL, 
	primary key (id)
);

create index RECORDS$NAME on RECORDS (NAME);
create sequence RECORDS_ID_SEQUENCE;

create table supermasters (
	  ip VARCHAR(25) NOT NULL, 
	  nameserver VARCHAR(255) NOT NULL, 
	  account VARCHAR(40) DEFAULT NULL
);

	

This schema contains all elements needed for master, slave and superslave operation. Depending on which features will be used, 'GRANT' statements can be trimmed to make sure PDNS cannot subvert the contents of your database.

Zone2sql with the --gpgsql flag also assumes this layout is in place.

Inserting records is a bit different compared to MySQL and PostgreSQL, you should use:

insert into domains (id,name,type) values (domains_id_sequence.nextval,'netherlabs.nl','NATIVE');
	    

Furthermore, use the goracle-tnsname setting to specify which TNSNAME the Generic Oracle Backend should be connecting to. There are no goracle-dbname, goracle-host or goracle-port settings, their equivalent is in /etc/tnsnames.ora.

3.4. Basic functionality

4 queries are needed for regular lookups, 4 for 'fancy records' which are disabled by default and 1 is needed for zone transfers.

The 4+4 regular queries must return the following 6 fields, in this exact order:

content

This is the 'right hand side' of a DNS record. For an A record, this is the IP address for example.

ttl

TTL of this record, in seconds. Must be a real value, no checking is performed.

prio

For MX records, this should be the priority of the mail exchanger specified.

qtype

The ASCII representation of the qtype of this record. Examples are 'A', 'MX', 'SOA', 'AAAA'. Make sure that this field returns an exact answer - PDNS won't recognise 'A ' as 'A'. This can be achieved by using a VARCHAR instead of a CHAR.

domain_id

Each domain must have a unique domain_id. No two domains may share a domain_id, all records in a domain should have the same. A number.

name

Actual name of a record. Must not end in a '.' and be fully qualified - it is not relative to the name of the domain!

Please note that the names of the fields are not relevant, but the order is!

As said earlier, there are 8 SQL queries for regular lookups. To configure them, set 'gmysql-basic-query' or 'gpgsql-basic-query', depending on your choice of backend. If so called 'MBOXFW' fancy records are not used, four queries remain:

basic-query

Default: select content,ttl,prio,type,domain_id,name from records where type='%s' and name='%s' This is the most used query, needed for doing 1:1 lookups of qtype/name values. First %s is replaced by the ASCII representation of the qtype of the question, the second by the name.

id-query

Default: select content,ttl,prio,type,domain_id,name from records where type='%s' and name='%s' and domain_id=%d Used for doing lookups within a domain. First %s is replaced by the qtype, the %d which should appear after the %s by the numeric domain_id.

any-query

For doing ANY queries. Also used internally. Default: select content,ttl,prio,type,domain_id,name from records where name='%s' The %s is replaced by the qname of the question.

any-id-query

For doing ANY queries within a domain. Also used internally. Default: select content,ttl,prio,type,domain_id,name from records where name='%s' and domain_id=%d The %s is replaced by the name of the domain, the %d by the numerical domain id.

The last query is for listing the entire contents of a zone. This is needed when performing a zone transfer, but sometimes also internally:

list-query

To list an entire zone. Default: select content,ttl,prio,type,domain_id,name from records where domain_id=%d

3.5. DNSSEC queries

If DNSSEC is enabled (through the -dnssec flag on a gsql backend), many queries are replaced by slightly extended variants that also query the auth column. The auth column is always added as the rightmost column. These are the -auth defaults:

basic-query-auth

Basic query. Default: select content,ttl,prio,type,domain_id,name, auth from records where type='%s' and name='%s'

id-query-auth

Basic with ID query. Default: select content,ttl,prio,type,domain_id,name, auth from records where type='%s' and name='%s' and domain_id=%d

wildcard-query-auth

Wildcard query. Default: select content,ttl,prio,type,domain_id,name, auth from records where type='%s' and name like '%s'

wildcard-id-query-auth

Wildcard with ID query. Default: select content,ttl,prio,type,domain_id,name, auth from records where type='%s' and name like '%s' and domain_id='%d'

any-query-auth

Any query. Default: select content,ttl,prio,type,domain_id,name, auth from records where name='%s'

any-id-query-auth

Any with ID query. Default: select content,ttl,prio,type,domain_id,name, auth from records where name='%s' and domain_id=%d

wildcard-any-query-auth

Wildcard ANY query. Default: select content,ttl,prio,type,domain_id,name, auth from records where name like '%s'

wildcard-any-id-query-auth

Wildcard ANY with ID query. Default: select content,ttl,prio,type,domain_id,name, auth from records where name like '%s' and domain_id='%d'

list-query-auth

AXFR query. Default: select content,ttl,prio,type,domain_id,name, auth from records where domain_id='%d' order by name, type

Additionally, there are some new queries to determine NSEC(3) order:

get-order-first-query

DNSSEC Ordering Query, first. Default: select ordername, name from records where domain_id=%d and ordername is not null order by 1 asc limit 1

get-order-before-query

DNSSEC Ordering Query, before. Default: select ordername, name from records where ordername <= '%s' and domain_id=%d and ordername is not null order by 1 desc limit 1

get-order-after-query

DNSSEC Ordering Query, after. Default: select min(ordername) from records where ordername > '%s' and domain_id=%d and ordername is not null

get-order-last-query

DNSSEC Ordering Query, last. Default: select ordername, name from records where ordername != '' and domain_id=%d and ordername is not null order by 1 desc limit 1

Finally, these two queries are used to set ordername and auth correctly in a database:

set-order-and-auth-query

DNSSEC set ordering query. Default: update records set ordername='%s',auth=%d where name='%s' and domain_id='%d'

nullify-ordername-and-auth-query

DNSSEC nullify ordername query. Default: update records set ordername=NULL,auth=0 where name='%s' and type='%s' and domain_id='%d'

Make sure to read Section 8.5, “Rules for filling out fields in database backends” if you wish to calculate ordername and auth without using pdns-rectify.

3.6. Master/slave queries

Most installations will have zero need to change the following settings, but should the need arise, here they are:

master-zone-query

Called to determine the master of a zone. Default: select master from domains where name='%s' and type='SLAVE'

info-zone-query

Called to retrieve (nearly) all information for a domain: Default: select id,name,master,last_check,notified_serial,type from domains where name='%s'

info-all-slaves-query

Called to retrieve all slave domains Default: select id,name,master,last_check,type from domains where type='SLAVE'

supermaster-query

Called to determine if a certain host is a supermaster for a certain domain name. Default: select account from supermasters where ip='%s' and nameserver='%s';

insert-slave-query

Called to add a domain as slave after a supermaster notification. Default: insert into domains (type,name,master,account) values('SLAVE','%s','%s','%s')

insert-record-query

Called during incoming AXFR. Default: insert into records (content,ttl,prio,type,domain_id,name) values ('%s',%d,%d,'%s',%d,'%s')

update-serial-query

Called to update the last notified serial of a master domain. Default: update domains set notified_serial=%d where id=%d

update-lastcheck-query

Called to update the last time a slave domain was checked for freshness. Default: update domains set last_check=%d where id=%d

info-all-master-query

Called to get data on all domains for which the server is master. Default: select id,name,master,last_check,notified_serial,type from domains where type='MASTER'

delete-zone-query

Called to delete all records of a zone. Used before an incoming AXFR. Default: delete from records where domain_id=%d

3.7. Fancy records

[Warning]Warning

Fancy records are unsupported as of version 3.0

If PDNS is used with so called 'Fancy Records', the 'MBOXFW' record exists which specifies an email address forwarding instruction, wildcard queries are sometimes needed. This is not enabled by default. A wildcard query is an internal concept - it has no relation to *.domain-type lookups. You can safely leave these queries blank.

wildcard-query

Can be left blank. See above for an explanation. Default: select content,ttl,prio,type,domain_id,name from records where type='%s' and name like '%s'

wildcard-id-query

Can be left blank. See above for an explanation. Default: select content,ttl,prio,type,domain_id,name from records where type='%s' and name like '%s' and domain_id=%d Used for doing lookups within a domain.

wildcard-any-query

For doing wildcard ANY queries. Default: select content,ttl,prio,type,domain_id,name from records where name like '%s'

wildcard-any-id-query

For doing wildcard ANY queries within a domain. Default: select content,ttl,prio,type,domain_id,name from records where name like '%s' and domain_id=%d

3.8. Settings and specifying queries

The queries above are specified in pdns.conf. For example, the basic-query would appear as:

	    gpgsql-basic-query=select content,ttl,prio,type,domain_id,name from records where type='%s' and name='%s'
	  

When using the Generic PostgreSQL backend, they appear as above. When using the generic MySQL backend, change the "gpgsql-" prefix to "gmysql-".

Queries can span multiple lines, like this:

	    gpgsql-basic-query=select content,ttl,prio,type,domain_id,name from records \
	    where type='%s' and name='%s'
	  

Do not wrap statements in quotes as this will not work. Besides the query related settings, the following configuration options are available, where one should substitute 'gmysql', 'gpgsql', 'godbc' or 'goracle' for the prefix 'backend'. So 'backend-dbname' can stand for 'gpgsql-dbname' or 'gmysql-dbname' etc.

backend-dbname

Database name to connect to

backend-host

Database host to connect to. WARNING: When specified as a hostname a chicken/egg situation might arise where the database is needed to resolve the IP address of the database. It is best to supply an IP address of the database here.

backend-port

Database port to connect to.

gmysql-socket (only for MySQL!)

File name where the MySQL connection socket resides. Often /tmp/mysql.sock or /var/run/mysqld/mysqld.sock.

backend-password

Password to connect with

backend-user

PgSQL user to connect as

3.9. Native operation

For native operation, either drop the FOREIGN KEY on the domain_id field, or (recommended), make sure the domains table is filled properly. To add a domain, issue the following:

	    insert into domains (name,type) values ('powerdns.com','NATIVE');
	  

The records table can now be filled by with the domain_id set to the id of the domains table row just inserted.

3.10. Slave operation

These backends are fully slave capable. To become a slave of the 'powerdns.com' domain, execute this:

	    insert into domains (name,master,type) values ('powerdns.com','213.244.168.217','SLAVE');
	  

And wait a while for PDNS to pick up the addition - which happens within one minute. There is no need to inform PDNS that a new domain was added. Typical output is:

	    Apr 09 13:34:29 All slave domains are fresh
	    Apr 09 13:35:29 1 slave domain needs checking
	    Apr 09 13:35:29 Domain powerdns.com is stale, master serial 1, our serial 0
	    Apr 09 13:35:30 [gPgSQLBackend] Connected to database
	    Apr 09 13:35:30 AXFR started for 'powerdns.com'
	    Apr 09 13:35:30 AXFR done for 'powerdns.com'
	    Apr 09 13:35:30 [gPgSQLBackend] Closing connection
	  

From now on, PDNS is authoritative for the 'powerdns.com' zone and will respond accordingly for queries within that zone.

Periodically, PDNS schedules checks to see if domains are still fresh. The default slave-cycle-interval is 60 seconds, large installations may need to raise this value. Once a domain has been checked, it will not be checked before its SOA refresh timer has expired. Domains whose status is unknown get checked every 60 seconds by default.

3.11. Superslave operation

To configure a supermaster with IP address 10.0.0.11 which lists this installation as 'autoslave.powerdns.com', issue the following:

	    insert into supermasters ('10.0.0.11','autoslave.powerdns.com','internal');
	  

From now on, valid notifies from 10.0.0.11 that list a NS record containing 'autoslave.powerdns.com' will lead to the provisioning of a slave domain under the account 'internal'. See Section 2.1, “Supermaster automatic provisioning of slaves” for details.

3.12. Master operation

The PostgreSQL backend is fully master capable with automatic discovery of serial changes. Raising the serial number of a domain suffices to trigger PDNS to send out notifications. To configure a domain for master operation instead of the default native replication, issue:

	    insert into domains (name,type) values ('powerdns.com','MASTER');
	  

Make sure that the assigned id in the domains table matches the domain_id field in the records table!