<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;
        mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:#0563C1;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:#954F72;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-compose;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;
        mso-fareast-language:EN-US;}
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1028" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-GB" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">Hi,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Just a few queries on implementing DNSSec with a MySQL backend, if I could trouble someone for their thoughts an recommendations?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Currently our PowerDNS Auth infra looks like below:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">    +-----------------+                          +-----------------+<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">    | PowerDNS Auth B |                          | PowerDNS Auth C |<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">    +-----------------+                          +-----------------+<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">    |  MYSQL SLAVE    |                          |  MYSQL SLAVE    |<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">    +-------^---------+                          +-------^---------+<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">            |                                            |<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">            |                                            |<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">            |              +--------------+              |<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">            |              |  PowerAdmin  |              |<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">MASTER/SLAVE|              +------+-------+              |MASTER/SLAVE<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">REPLICATION |                     |                      |REPLICATION<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">            |              +------v-------+              |<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">            +--------------+ MYSQL MASTER +--------------+<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">                           +------^-------+<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">                                  |<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">                                  |<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">                           +------+----------+<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">                           | PowerDNS Auth A |<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">                          +-----------------+<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">We currently edit records by way of PowerAdmin, which updates the master database directly and so “PowerDNS Auth A” instance is not actually used or interacted with, normally. Zone/record updates are replicated to the “edge” Auth servers
 (B and C) via MySQL replication. We would like to enable DNSSec on a few of our domains, at least as a proof of concept. A few questions…<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I assume I need to enable gmysql-dnssec on ALL PowerDNS Auth instances (A,B and C)?<o:p></o:p></p>
<p class="MsoNormal">Will PowerDNS commands to enable DNSSec signing of a zone need executed on “PowerDNS Auth A” ONLY (which will add the relevant records to the database and replicate them to B and C)?
<o:p></o:p></p>
<p class="MsoNormal">Given that PowerAdmin talks directly to the database, any record changes here likely to cause a problem with these signed domains?
<o:p></o:p></p>
<p class="MsoNormal">Should I look at a newer GUI that implements the DNSSec commands and interacts with PowerDNS API instead?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks in advance…<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Regards,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Alun.<span style="font-size:13.5pt;font-family:"Times New Roman",serif;color:#484848;mso-fareast-language:EN-GB"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:13.5pt;font-family:"Times New Roman",serif;color:#484848;mso-fareast-language:EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:13.5pt;font-family:"Times New Roman",serif;color:#484848;mso-fareast-language:EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:13.5pt;font-family:"Times New Roman",serif;color:#484848;mso-fareast-language:EN-GB"><br>
<br>
</span><span style="font-size:12.0pt;font-family:"Times New Roman",serif;mso-fareast-language:EN-GB"><o:p></o:p></span></p>
<p class="MsoNormal"><!--[if gte vml 1]><v:shapetype id="_x0000_t75" coordsize="21600,21600" o:spt="75" o:preferrelative="t" path="m@4@5l@4@11@9@11@9@5xe" filled="f" stroked="f">
<v:stroke joinstyle="miter" />
<v:formulas>
<v:f eqn="if lineDrawn pixelLineWidth 0" />
<v:f eqn="sum @0 1 0" />
<v:f eqn="sum 0 0 @1" />
<v:f eqn="prod @2 1 2" />
<v:f eqn="prod @3 21600 pixelWidth" />
<v:f eqn="prod @3 21600 pixelHeight" />
<v:f eqn="sum @0 0 1" />
<v:f eqn="prod @6 1 2" />
<v:f eqn="prod @7 21600 pixelWidth" />
<v:f eqn="sum @8 21600 0" />
<v:f eqn="prod @7 21600 pixelHeight" />
<v:f eqn="sum @10 21600 0" />
</v:formulas>
<v:path o:extrusionok="f" gradientshapeok="t" o:connecttype="rect" />
<o:lock v:ext="edit" aspectratio="t" />
</v:shapetype><v:shape id="Picture_x0020_5" o:spid="_x0000_s1027" type="#_x0000_t75" alt="Tibus Logo" href="http://www.tibus.com/?utm_source=signature&amp;utm_medium=email" title="Tibus Website" style='position:absolute;margin-left:0;margin-top:-.05pt;width:75.75pt;height:103.5pt;z-index:251660288;visibility:visible;mso-wrap-style:square;mso-width-percent:0;mso-height-percent:0;mso-wrap-distance-left:9pt;mso-wrap-distance-top:0;mso-wrap-distance-right:9pt;mso-wrap-distance-bottom:0;mso-position-horizontal:absolute;mso-position-horizontal-relative:text;mso-position-vertical:absolute;mso-position-vertical-relative:text;mso-width-percent:0;mso-height-percent:0;mso-width-relative:page;mso-height-relative:page' o:button="t">
<v:imagedata src="cid:image001.png@01D50BD6.229FE9F0" o:title="Tibus Logo" />
<w:wrap type="square"/>
</v:shape><![endif]--><![if !vml]><a href="http://www.tibus.com/?utm_source=signature&amp;utm_medium=email"><img border="0" width="101" height="138" style="width:1.052in;height:1.4375in" src="cid:image001.png@01D50BD6.229FE9F0" align="left" hspace="12" alt="Tibus Logo" title="Tibus Website" v:shapes="Picture_x0020_5"></a><![endif]><!--[if gte vml 1]><v:shape id="Picture_x0020_4" o:spid="_x0000_s1026" type="#_x0000_t75" alt="Separator" style='position:absolute;margin-left:108pt;margin-top:101.25pt;width:23.2pt;height:103.45pt;z-index:-251657216;visibility:visible;mso-wrap-style:square;mso-width-percent:0;mso-height-percent:0;mso-wrap-distance-left:9pt;mso-wrap-distance-top:0;mso-wrap-distance-right:9pt;mso-wrap-distance-bottom:0;mso-position-horizontal:absolute;mso-position-horizontal-relative:text;mso-position-vertical:absolute;mso-position-vertical-relative:page;mso-width-percent:0;mso-height-percent:0;mso-width-relative:margin;mso-height-relative:margin'>
<v:imagedata src="cid:image002.png@01D50BD6.229FE9F0" o:title="Separator" />
<w:wrap type="square" anchory="page"/>
</v:shape><![endif]--><![if !vml]><img width="31" height="138" style="width:.3229in;height:1.4375in" src="cid:image002.png@01D50BD6.229FE9F0" align="left" hspace="12" alt="Separator" v:shapes="Picture_x0020_4"><![endif]><b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:#484848;mso-fareast-language:EN-GB">Alun
 James<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-bottom:7.5pt"><b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:#484848;mso-fareast-language:EN-GB">Senior Systems Engineer<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#484848;mso-fareast-language:EN-GB">T: +44 (0) 28 9033 1122<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#484848;mso-fareast-language:EN-GB">E: <a href="mailto:ajames@tibus.com" title="Email"><span style="color:#484848">ajames@tibus.com</span></a><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:7.5pt"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#484848;mso-fareast-language:EN-GB">W: <a href="http://www.tibus.com/?utm_source=signature&amp;utm_medium=email" title="Website"><span style="color:#484848">www.tibus.com</span></a><o:p></o:p></span></p>
<p class="MsoNormal"><a href="https://www.facebook.com/tibusDigital" title="Tibus Facebook"><span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:#484848;mso-fareast-language:EN-GB;text-decoration:none"><img border="0" width="16" height="16" style="width:.1666in;height:.1666in" id="Picture_x0020_1" src="cid:image003.png@01D50BD6.229FE9F0" alt="http://frontend.open.ms-dev.web.tibus.net/zesty/tibus-sig-new/assets/icon-fb.png"></span></a><span style="font-size:12.0pt;font-family:"Times New Roman",serif;mso-fareast-language:EN-GB"> 
</span><a href="https://twitter.com/tibus" title="Tibus Twitter"><span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:#484848;mso-fareast-language:EN-GB;text-decoration:none"><img border="0" width="16" height="16" style="width:.1666in;height:.1666in" id="Picture_x0020_2" src="cid:image004.png@01D50BD6.229FE9F0" alt="http://frontend.open.ms-dev.web.tibus.net/zesty/tibus-sig-new/assets/icon-tw.png"></span></a><span style="font-size:12.0pt;font-family:"Times New Roman",serif;mso-fareast-language:EN-GB"> 
</span><a href="https://www.linkedin.com/company/tibus" title="Tibus LinkedIn"><span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:#484848;mso-fareast-language:EN-GB;text-decoration:none"><img border="0" width="16" height="16" style="width:.1666in;height:.1666in" id="Picture_x0020_3" src="cid:image005.png@01D50BD6.229FE9F0" alt="http://frontend.open.ms-dev.web.tibus.net/zesty/tibus-sig-new/assets/icon-li.png"></span></a><span style="font-size:12.0pt;font-family:"Times New Roman",serif;mso-fareast-language:EN-GB"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-top:9.75pt"><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:#484848;mso-fareast-language:EN-GB">Tibus is a wholly-owned division of Wireless.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>

<br><br></body>
</html>