PowerDNS DNS hosting with DNSSEC, managed by Jabali Panel

Per-domain PowerDNS Authoritative + pdns-recursor split-port, DNSSEC ECDSAP256SHA256 signing per domain, MariaDB backend, and panel-side zone management.

By Jabali Panel team

DNS is the part of a hosting stack people forget about until it breaks. Jabali Panel takes the position that authoritative DNS belongs on the same host as the panel itself, managed by the same UI as everything else, with DNSSEC signing available per-domain on a toggle. This post explains the PowerDNS setup, the split-port architecture, the DNSSEC lifecycle, and what the panel actually does on every record mutation.

Two PowerDNS processes

The panel ships two PowerDNS processes side by side:

  • pdns-server — the authoritative server. Reads zones from a MariaDB backend. Binds the server’s public IPs on port 53 (TCP + UDP). Answers queries from the internet for the domains you host.
  • pdns-recursor — local recursive resolver. Binds only loopback (127.0.0.1:53). Used by panel-internal processes (certbot for HTTP-01 challenges, Stalwart Mail for outbound MX lookups, the panel API for various sanity checks) so the panel host can resolve external names without pointing /etc/resolv.conf at an upstream public resolver.

Authoritative and recursive should never share a port — mixing the two roles in a single binary is a classic mistake that produces hard-to-debug cache poisoning and recursion-leak scenarios. The split-port architecture is documented as ADR-0047 (in the panel source repo, separate from this site’s ADRs).

DNSSEC, per domain, opt-in

DNSSEC is one toggle on the Domain Edit page. Flipping it on:

  1. Runs pdnsutil secure-zone <domain> — generates a Key-Signing Key (KSK) and Zone-Signing Key (ZSK) using ECDSAP256SHA256 (DNSSEC algorithm 13)
  2. Runs pdnsutil rectify-zone <domain> — adds NSEC/NSEC3 records and signs every RRSet
  3. Copies the DS record into the panel database so the UI can display it without re-shelling to pdnsutil on every page load
  4. Surfaces the DS record in the UI for you to publish at your registrar

ECDSAP256SHA256 is the modern default — small keys, fast signing, well-supported. The older RSASHA256 is available via CLI for registrars that don’t support ECDSA, but it’s the exception.

When you publish the DS record at your registrar, the chain of trust is complete. Validating resolvers (Cloudflare 1.1.1.1, Quad9, Google 8.8.8.8) will now reject forged answers for your domain.

The panel also surfaces the DNSKEY records and current key state in the Domain Edit page — useful when debugging a chain-of-trust mismatch (registrar lag, key rollover, etc.).
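The chain-of-trust check described above can be done offline: a DS record is nothing more than the key tag and a SHA-256 digest over the zone's owner name plus the DNSKEY RDATA (RFC 4034 and RFC 4509), so the DS shown in the Domain Edit page can be recomputed from the served DNSKEY and compared with what the registrar holds. The following is an added example, not Jabali Panel's own code; the 64-byte sample key is constructed and not a real key, and the hypothetical `ds_matches` helper is the debugging check for registrar lag or a stale key after rollover.

```python
"""Recompute a DS record from a DNSKEY and compare it with the DS published at the registrar.

Added example (not Jabali Panel code). Implements RFC 4034: the key tag of Appendix B and
DS digest = SHA-256(canonical owner name || DNSKEY RDATA), digest type 2 per RFC 4509.
"""
import hashlib
from dataclasses import dataclass


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form: lower-case, length-prefixed labels, root terminator."""
    name = name.rstrip(".").lower()
    if not name:
        return b"\x00"  # the root name
    out = b""
    for label in name.split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


@dataclass(frozen=True)
class DNSKEY:
    flags: int         # 257 = KSK (Zone Key + SEP bit), 256 = ZSK
    protocol: int      # fixed at 3
    algorithm: int     # 13 = ECDSAP256SHA256
    public_key: bytes  # for algorithm 13: the 64-byte X || Y of the P-256 point

    def rdata(self) -> bytes:
        if self.protocol != 3:
            raise ValueError("DNSKEY protocol field must be 3")
        if self.algorithm == 13 and len(self.public_key) != 64:
            raise ValueError("ECDSAP256SHA256 public key must be 64 bytes")
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)


def key_tag(key: DNSKEY) -> int:
    """RFC 4034 Appendix B: 16-bit accumulator over the RDATA, odd bytes low, even bytes high."""
    ac = 0
    for i, b in enumerate(key.rdata()):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int  # 2 = SHA-256
    digest: str       # lower-case hex

    def presentation(self) -> str:
        """Text form as shown by the panel UI or `pdnsutil show-zone`."""
        return f"{self.key_tag} {self.algorithm} {self.digest_type} {self.digest.upper()}"


def ds_from_dnskey(owner: str, key: DNSKEY) -> DS:
    """DS with digest type 2 (SHA-256) computed over owner-name wire form + DNSKEY RDATA."""
    digest = hashlib.sha256(name_to_wire(owner) + key.rdata()).hexdigest()
    return DS(key_tag(key), key.algorithm, 2, digest)


def parse_ds(text: str) -> DS:
    """Parse '<tag> <alg> <digesttype> <hex...>'; registrars often split the hex into words."""
    tag, alg, dtype, *hexwords = text.split()
    return DS(int(tag), int(alg), int(dtype), "".join(hexwords).lower())


def ds_matches(published: str, owner: str, key: DNSKEY) -> bool:
    """True when the registrar's DS was derived from exactly this DNSKEY of this zone."""
    want = parse_ds(published)
    if want.digest_type != 2:
        return False  # only SHA-256 is recomputed here; SHA-384 (type 4) would need its own branch
    return ds_from_dnskey(owner, key) == want


# Constructed sample key: NOT a real key, just 64 deterministic bytes of the right shape.
SAMPLE_KSK = DNSKEY(flags=257, protocol=3, algorithm=13, public_key=bytes(range(64)))

if __name__ == "__main__":
    ds = ds_from_dnskey("example.com.", SAMPLE_KSK)
    print("DS to publish:", ds.presentation())
    print("registrar copy matches:", ds_matches(ds.presentation(), "example.com", SAMPLE_KSK))
    # a DS left over from a previous key (rollover, registrar lag) will not match
    stale = DNSKEY(257, 3, 13, bytes(64))
    print("stale key matches:", ds_matches(ds.presentation(), "example.com", stale))
```

Paste the DNSKEY the panel shows into `DNSKEY(...)` (flags, protocol, algorithm, base64-decoded key) and the registrar's DS string into `ds_matches`; a `False` with the right key tag but a different digest points at a copy error in the hex, while a different key tag means the registrar still holds the DS of an older key.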

What you can edit through the panel

From the UI you can manage these record types:

Type                     Editable?   Notes
A, AAAA                  yes         inline edit
CNAME                    yes         inline edit
MX                       yes         inline edit; priority is a field
TXT                      yes         inline edit; useful for verification records, DKIM, SPF, DMARC
SRV                      yes         inline edit
CAA                      yes         inline edit
NS (subdelegation)       yes         for subdomains you delegate to another nameserver
SOA                      no          panel-managed
DNSKEY / RRSIG / NSEC    no          DNSSEC-managed by pdnsutil

System-managed records (the default apex A, DKIM TXT for the mail-enabled domain, SPF, DMARC, MTA-STS) are protected — you can see them but you can’t delete them through the UI. The reconciler re-creates them if you did somehow delete them out-of-band.

Default records on domain create

Adding a domain in the panel triggers a single PowerDNS zone creation, immediately followed by record provisioning:

  • A — apex, pointing at the server’s primary public IP
  • AAAA — apex, if the server has a configured IPv6 address
  • CNAME — www → apex
  • MX — if mail is enabled on the domain
  • A — mail.<domain> → server primary IP (if mail enabled)
  • TXT — DKIM, SPF, DMARC, MTA-STS (if mail enabled)
  • CAA — restricting Let’s Encrypt issuance to authorized CAs (if SSL is enabled)

By the time the form submit redirects, the zone is queryable from the internet. No copy-paste of zone files.

Cache invalidation

PowerDNS Authoritative caches answers for cache-ttl (default 60 seconds). On every zone or record mutation, the Jabali agent issues:

pdns_control purge <domain>$

The trailing $ is the suffix-match form: every cached entry under that zone is dropped. Updates are visible sub-second rather than waiting for the cache to expire. This matters during initial setup and during emergency fixes — neither use case tolerates a 60-second wait.
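The three behaviours above (the default record set on domain create, the reconciler that re-creates protected system records deleted out-of-band, and the suffix-match purge after every mutation) fit together in one small piece of logic. The following is an added example, not the panel's own code: the `Record` shape, the MX priority, the DKIM selector, the SPF and DMARC policies, and calling `pdns_control` through `subprocess` are assumptions chosen for illustration, and the zone contents are constructed.

```python
"""Default record provisioning, protected-record reconciliation and cache purge.

Added example (not Jabali Panel code). The record kinds follow the post; the MX priority,
DKIM selector, SPF/DMARC policies and the subprocess call are assumptions for illustration.
"""
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    content: str
    prio: int = 0         # MX priority; 0 for every other type
    system: bool = False  # True = panel-managed: visible in the UI, not deletable there


def default_records(domain, ipv4, ipv6=None, mail=False, ssl=False,
                    dkim_public="<dkim-public-key-placeholder>"):
    """Records provisioned right after the zone is created, per the post's list."""
    recs = [Record(domain, "A", ipv4, system=True)]
    if ipv6:
        recs.append(Record(domain, "AAAA", ipv6, system=True))
    recs.append(Record(f"www.{domain}", "CNAME", domain, system=True))
    if mail:
        recs += [
            Record(domain, "MX", f"mail.{domain}", prio=10, system=True),  # priority assumed
            Record(f"mail.{domain}", "A", ipv4, system=True),
            Record(f"mail._domainkey.{domain}", "TXT",                      # selector assumed
                   f'"v=DKIM1; k=rsa; p={dkim_public}"', system=True),
            Record(domain, "TXT", '"v=spf1 mx -all"', system=True),         # policy assumed
            Record(f"_dmarc.{domain}", "TXT",                               # policy assumed
                   f'"v=DMARC1; p=quarantine; rua=mailto:postmaster@{domain}"', system=True),
            Record(f"_mta-sts.{domain}", "TXT", '"v=STSv1; id=<placeholder>"', system=True),
        ]
    if ssl:
        recs.append(Record(domain, "CAA", '0 issue "letsencrypt.org"', system=True))
    return recs


def _key(r):
    return (r.name.lower(), r.rtype, r.content, r.prio)


def purge_command(domain):
    """Suffix-match purge: the trailing $ drops every cached entry at or below the apex."""
    return ["pdns_control", "purge", f"{domain}$"]


def ui_delete(zone, name, rtype):
    """Delete request from the panel UI; system-managed records are refused."""
    victims = [r for r in zone if r.name.lower() == name.lower() and r.rtype == rtype]
    if any(r.system for r in victims):
        raise PermissionError(f"{rtype} {name} is panel-managed and cannot be deleted here")
    return [r for r in zone if r not in victims]


def reconcile(domain, desired, zone, run=subprocess.run):
    """Re-create protected records missing from `zone` (deleted out-of-band), then purge the
    authoritative cache so the fix is visible without waiting for cache-ttl.
    Returns the records that were re-created."""
    present = {_key(r) for r in zone}
    missing = [r for r in desired if r.system and _key(r) not in present]
    zone.extend(missing)  # stands in for the write to the MariaDB backend
    if missing:
        run(purge_command(domain), check=True)
    return missing


if __name__ == "__main__":
    # Constructed zone: a mail-enabled domain whose DMARC record was removed out-of-band.
    want = default_records("example.com", "203.0.113.10", ipv6="2001:db8::10", mail=True, ssl=True)
    zone = [r for r in want if r.name != "_dmarc.example.com"]
    fixed = reconcile("example.com", want, zone, run=lambda cmd, check=False: print("would run:", cmd))
    print("re-created:", [(r.rtype, r.name) for r in fixed])
```

Injecting `run` keeps the reconciler testable without a PowerDNS install; in production the default `subprocess.run` executes `pdns_control purge example.com$` only when something actually changed, so a no-op reconcile pass never touches the cache.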

Extra zones (not tied to a hosted domain)

A common case: you want to host DNS for partner.example.com even though you don’t host its website. The Admin DNS page (/jabali-admin/dns) lets you add a zone that isn’t backed by a panel-managed domain. Records work the same way, DNSSEC can be enabled the same way, and the same UI applies.

Migration

Existing zones from cPanel, DirectAdmin, Hestia, and WHM come across as part of an account restore via the Migrations section. Records are inserted directly into the PowerDNS MariaDB backend; the panel updates its zone-summary cache, then issues pdns_control purge so the new zone is live immediately.

Try it

Run the installer on a Debian 13 VPS, add your first domain in the panel, and the DNS zone is live before the page reloads. The installation guide covers the panel-hostname DNS prep step; the demo panel shows the DNS UI.

Frequently Asked Questions

What DNS software does Jabali Panel use?
Jabali Panel ships two PowerDNS processes: pdns-server (the authoritative server) answers for hosted zones using a MariaDB backend and listens on the server's public IPs on port 53. pdns-recursor handles local recursive lookups for the panel host itself (certbot, Stalwart Mail, the panel API) and listens only on loopback 127.0.0.1:53.
Does Jabali Panel support DNSSEC?
Yes. DNSSEC is available per-domain on an opt-in basis. Enabling it runs pdnsutil secure-zone and pdnsutil rectify-zone, which auto-generates a KSK and ZSK using ECDSAP256SHA256 (algorithm 13). The panel UI displays the DS record you need to publish at your registrar. Key metadata is persisted in both the PowerDNS MariaDB backend and the panel's own database so the DS record is visible in the UI without shelling to pdnsutil per page load.
What DNS record types can I manage through the panel?
From the panel UI you can add, edit, and delete A, AAAA, CNAME, MX, TXT, SRV, CAA, and NS (subdelegation) records. The SOA record is managed automatically by the panel. Inline editing is available for all non-system records; system-managed records (the default apex A, DKIM TXT, SPF, DMARC) are protected and re-rendered by the reconciler.
How are DNS zones created for hosted domains?
A PowerDNS zone is created automatically when you add a domain in the panel. Default records are provisioned immediately: an A record pointing to the server's primary IP, an AAAA record if IPv6 is configured, a www CNAME to the apex, and, when mail is enabled, MX, mail A, DKIM TXT, SPF TXT, DMARC TXT, and MTA-STS TXT records. Extra zones not tied to a panel domain (for example, a partner zone you serve DNS for) can be added manually from the Admin DNS page.
How does DNS cache invalidation work?
PowerDNS caches answers for cache-ttl (default 60 seconds). After every zone or record mutation, the Jabali agent issues pdns_control purge <zone>$ immediately, so updated records are visible sub-second rather than waiting for the cache to expire.
What is the split-port DNS architecture in Jabali Panel?
The split-port setup (documented as ADR-0047) separates authoritative and recursive roles into two processes. pdns-server binds the public IPs so the internet can query your hosted zones. pdns-recursor binds loopback so panel-internal processes can resolve external names without querying an upstream resolver. The two processes do not share a port.
Can I migrate DNS zones from cPanel or DirectAdmin?
Yes. Jabali Panel's Migrations section can ingest zone data from cPanel (.tar.gz / cpmove archives), DirectAdmin, Hestia, and WHM. Zones are imported as part of the account restore; records are inserted directly into the PowerDNS MariaDB backend.
What operating system does Jabali Panel require?
Jabali Panel supports Debian 13 (Trixie) only. The installer detects and rejects earlier Debian releases and Ubuntu. PowerDNS is installed from the Debian native packages.