DNS

Managed authoritative DNS backed by PowerDNS with DNSSEC, auto-registration for resources, and full zone management.

The DNS service provides managed authoritative DNS backed by PowerDNS. The DNS Agent handles zone creation, record management, DNSSEC, and automatic registration of AgentMetal resources.

Features

  • PowerDNS — high-performance authoritative DNS server with a REST API
  • DNSSEC — automatic DNSSEC signing and key rotation for secured zones
  • Auto-registration — all AgentMetal resources automatically get DNS records in your internal zone
  • SOA/NS management — the agent configures SOA and NS records correctly for delegated zones
  • Record types — A, AAAA, CNAME, MX, TXT, SRV, and PTR records supported

Create a DNS Zone

agentmetal dns zone create --domain example.com

The agent creates the zone in PowerDNS, configures SOA and NS records, and optionally enables DNSSEC.

Manage Records

Create a Record

agentmetal dns record create \
  --zone example.com \
  --name api \
  --type A \
  --value 1.2.3.4

Create an MX Record

agentmetal dns record create \
  --zone example.com \
  --name "" \
  --type MX \
  --value "10 mail.example.com"

List Records

agentmetal dns record list --zone example.com

Delete a Record

agentmetal dns record delete \
  --zone example.com \
  --name api \
  --type A

DNSSEC

Enable DNSSEC for a zone:

agentmetal dns zone dnssec enable --domain example.com

The agent generates signing keys, signs the zone, and outputs the DS record that you need to add at your registrar.

Auto-Registration

When you create resources in AgentMetal (instances, databases, load balancers), they automatically get DNS records in the internal zone. For example, creating an instance named web in VPC prod generates:

  • web.prod.internal — A record pointing to the instance's private IP

This allows services to discover each other by name without hardcoding IP addresses.

What the Agent Manages

The DNS Agent performs these operations:

  1. PowerDNS installation — installs and configures PowerDNS with a PostgreSQL backend for zone storage
  2. Zone management — creates and configures zones with correct SOA and NS records
  3. Record CRUD — processes record creation, updates, and deletions via the PowerDNS API
  4. DNSSEC — generates KSK/ZSK key pairs, signs zones, and rotates keys on schedule
  5. Auto-registration — watches resource events on NATS and creates/updates/deletes DNS records automatically
  6. Health monitoring — verifies PowerDNS is responding to queries and zones are serving correctly

API

curl -X POST http://localhost:8080/v1/dns/zones \
  -H "Authorization: Bearer $API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "domain": "example.com",
    "dnssec": true
  }'