PDNS Manager

First steps

A quick tour from a fresh panel to your first DNSSEC-enabled zone serving a mailserver and a few web hosts. Estimated time: 10 minutes.

1 · Verify admin access

After the first login you land on the Dashboard. Click your name (top right) → Profile and change the password if you're still using the auto-generated one.

2 · Add your first PowerDNS server

Settings → DNS servers → Add server. Fields:

  • Name – display name, e.g. master-fra1.
  • URL – the PowerDNS HTTP API, e.g. http://pdns:8081.
  • API key – from pdns.conf (key api-key=).
  • Writable? Leave on.

Press Test connection. Green OK → save. If not: check firewall, webserver-allow-from in pdns.conf and that the URL is reachable from inside the PDNS Manager container (often http://<container-name>:8081).

3 · Create your first zone

Under Zones → New. Example for example.com:

{
  "name": "example.com",
  "kind": "Native",
  "nameservers": ["ns1.example.com.", "ns2.example.com."],
  "soa_edit_api": "DEFAULT",
  "enable_dnssec": false
}

  • Kind: Native is the most common (PowerDNS serves directly from the DB). Master if you have AXFR slaves, Slave if this instance pulls from somewhere else.
  • Nameservers: NS records that go into the zone. Don't forget the trailing dot.
  • SOA edit API: DEFAULT auto-bumps the serial when something changes.

4 · Add records

Click the zone in the list → Zone detail. There's a form per record type. Example: two A records and one MX:

@                A   300   203.0.113.10
www              A   300   203.0.113.10
mail             A   300   203.0.113.20
@                MX  3600  10 mail.example.com.
@                TXT 3600  "v=spf1 mx -all"

In the panel that's name → type → TTL → content. @ in PowerDNS means the zone itself, i.e. example.com.; the UI handles that.

5 · Test the zone

dig +short @pdns.intern example.com A
dig +short @pdns.intern www.example.com A
dig +short @pdns.intern example.com MX

6 · Enable DNSSEC

In Zone detail there's a DNSSEC panel on the right. Hit Enable – PowerDNS creates ZSK and KSK. After a few seconds you see the generated DS records:

example.com. DS  12345 13 2 ABCDEF0123456789...

You have to enter these DS records at your domain registrar (often listed under "DNSSEC" / "DS records"). Without them the parent zone has no link to your keys, so validating resolvers cannot build a chain of trust to the zone's signatures.
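
Before pasting a DS at the registrar, you can recompute it from the zone's DNSKEY and compare. This is an added example, not part of PDNS Manager: it derives the key tag and the SHA-256 digest (digest type 2, as in the DS line above) from a DNSKEY line and checks a DS line against it. The function names and the sample key (64 placeholder bytes, not a real key) are constructed for illustration.

```python
import base64
import hashlib

def _wire_name(owner: str) -> bytes:
    # Canonical owner name: lowercase, each label length-prefixed, root label last.
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def _fields(line: str, rrtype: str):
    # Return (owner, rdata fields), whether or not TTL/class precede the type.
    tok = line.split()
    return tok[0], tok[tok.index(rrtype) + 1:]

def key_tag(rdata: bytes) -> int:
    # RFC 4034 Appendix B checksum over the DNSKEY RDATA.
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_from_dnskey(dnskey_line: str):
    # Build (key tag, algorithm, digest type 2, SHA-256 hex) from a DNSKEY line.
    owner, (flags, proto, alg, *b64) = _fields(dnskey_line, "DNSKEY")
    rdata = (int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)])
             + base64.b64decode("".join(b64)))
    digest = hashlib.sha256(_wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), int(alg), 2, digest

def ds_matches(ds_line: str, dnskey_line: str) -> bool:
    # True only if the DS is a digest-type-2 DS derived from this DNSKEY.
    ds_owner, (tag, alg, dtype, *hexparts) = _fields(ds_line, "DS")
    key_owner, _ = _fields(dnskey_line, "DNSKEY")
    if _wire_name(ds_owner) != _wire_name(key_owner):
        return False
    got = (int(tag), int(alg), int(dtype), "".join(hexparts).upper())
    return got == ds_from_dnskey(dnskey_line)

# Constructed sample: 64 placeholder bytes stand in for an ECDSA P-256 key.
SAMPLE_DNSKEY = ("example.com. 3600 IN DNSKEY 257 3 13 "
                 + base64.b64encode(bytes(range(64))).decode())

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_from_dnskey(SAMPLE_DNSKEY)
    good = f"example.com. DS {tag} {alg} {dtype} {digest}"
    print(good, ds_matches(good, SAMPLE_DNSKEY))
    # A mistyped digest must be rejected.
    print(ds_matches(good.replace(digest, "0" * 64), SAMPLE_DNSKEY))
```

Feed it the DNSKEY line with flags 257 (the KSK) as returned by dig against your PowerDNS server, together with the DS line you are about to submit.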

7 · Optional: welcome mail / SMTP test

If you'll enable self-registration later, you probably want new users to get a nice welcome mail. Under Settings → SMTP enter your server data, then Send test mail. Once that arrives, open Settings → Welcome mail, edit subject and body (live preview is built in), test-send – done.

8 · Wrap up

  • Once all desired accounts exist, set ENABLE_REGISTRATION=false in .env and run docker compose up -d.
  • Schedule backups: docker exec dns-manager-db mysqldump -u root -p dns_manager > backup_$(date +%F).sql.
  • Reverse proxy with TLS in front – see Security & hardening.