<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.hoenzb
{mso-style-name:hoenzb;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Hello Eric,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>You can run the tool "pdnssec" with option "show-zone" and the domain, eg: pdnssec show-zone highoctanebrands.com<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>This shows the information the registry needs (DS and DNSKEY is shown). You should only upload the key signing key and not the zone signing key. Weekly zone signing key rollover is fully automated with PowerDNS (and keys are 2 or 3 weeks valid (if I'm correct).<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>You can assign multiple keys to 1 zone for key rollover and if you take enough time it should work without problems (I didn't test it). For secure transfers it is also possible to add another DNSKEY in your zone.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Kind regards,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Mark Scholten<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> pdns-users-bounces@mailman.powerdns.com [mailto:pdns-users-bounces@mailman.powerdns.com] <b>On Behalf Of </b>Eric Haskins<br><b>Sent:</b> 13 December, 2013 18:30<br><b>To:</b> pdns-users@mailman.powerdns.com<br><b>Subject:</b> Re: [Pdns-users] MyDNS-Bind Migration and DNSSEC<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>Peter,<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal> Thank You we did manage to get it to work via auth = 1. I have one other question in regards to the DS and DNSKEY records from a registry perspective ICANN requires registrars to provide a mechanism allowing a domain owner to secure a zone. The registrar has to submit the DS and DNSKEY values to the registrar via API is there a way to get these records since it appears PowerDNS is building on the fly when requested?? This and Rollover are our last hurdles <o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Thx again Peter <o:p></o:p></p></div></div><div><p class=MsoNormal><br clear=all><o:p></o:p></p><div><div><div><p class=MsoNormal>Eric Haskins<o:p></o:p></p></div><div><p class=MsoNormal><b>High Octane Brands LLC</b><br>PHP/MySQL Developers ~ E-Commerce Specialists<o:p></o:p></p></div><div><p class=MsoNormal>Magento, OpenCart, WorpPress Optimized Hosting<o:p></o:p></p></div><div><p class=MsoNormal><a href="http://HighOctaneBrands.com" target="_blank">HighOctaneBrands.com</a><br>978-905-9603 Cell<o:p></o:p></p></div></div></div><p class=MsoNormal style='margin-bottom:12.0pt'><o:p> </o:p></p><div><p class=MsoNormal>On Fri, Dec 13, 2013 at 12:11 PM, Peter van Dijk <<a href="mailto:peter.van.dijk@netherlabs.nl" target="_blank">peter.van.dijk@netherlabs.nl</a>> wrote:<o:p></o:p></p><p class=MsoNormal>Hello Eric,<o:p></o:p></p><div><p class=MsoNormal style='margin-bottom:12.0pt'><br>On Dec 13, 2013, at 17:42 , Eric Haskins wrote:<br><br>> I am in the middle of migration testing for 330K Domains and 1.8 Million records from a MyDNS with a Bind Mysql backend to PowerDNS with PDNSSEC with gmysql backend, We have had no issue migrating zones and records after creating the scripts. Our issue lies in serving the zones.<br>><br>> I am finding unless I run pdnssec rectify-zone <a href="http://xyz.com" target="_blank">xyz.com</a> I will see this in monitor and no answer will be provided<br>><br>> Dec 13 09:58:35 Should not get here (<a href="http://xyz.com" target="_blank">xyz.com</a>|1): please run pdnssec rectify-zone<br>><br>> Upon running rectify-zone all behaves properly. I thought I could run Normal and Secured zones on one server? We are inserting NULL in ordername and auth could this be the cause?<o:p></o:p></p></div><p class=MsoNormal style='margin-bottom:12.0pt'>You have a few options:<br>1) remove gmysql-dnssec from your configuration. This will fully disable DNSSEC, and also disable all features that use the domainmetadata table. It will also make PowerDNS ignore ordername and auth and this error will go away.<br>2) keep gmysql-dnssec, and "fake up" ordername and auth. For non-DNSSEC domains, put 1 in auth. ordername is ignored so NULL is a good value for it.<br><br>If you do want to support DNSSEC for (some) domains, please read <a href="http://doc.powerdns.com/html/dnssec-modes.html#dnssec-direct-database" target="_blank">http://doc.powerdns.com/html/dnssec-modes.html#dnssec-direct-database</a> very carefully and/or use rectify-zone after zone data changes.<br><br>Kind regards,<br><span class=hoenzb><span style='color:#888888'>--</span></span><span style='color:#888888'><br><span class=hoenzb>Peter van Dijk</span><br><span class=hoenzb>Netherlabs Computer Consulting BV - <a href="http://www.netherlabs.nl/" target="_blank">http://www.netherlabs.nl/</a></span><br><br></span><br>_______________________________________________<br>Pdns-users mailing list<br><a href="mailto:Pdns-users@mailman.powerdns.com">Pdns-users@mailman.powerdns.com</a><br><a href="http://mailman.powerdns.com/mailman/listinfo/pdns-users" target="_blank">http://mailman.powerdns.com/mailman/listinfo/pdns-users</a><o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p></div></div></div></body></html>