<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p><tt>Good day,</tt></p>
<p><tt>We change the zones regularly, but the zones are generated with puppet.<br>
</tt></p>
<p><tt>If we use a predefined key on all servers, wouldn't we get into trouble with key rollovers? For example, rollover differences between name servers that are reinstalled? Or is the only important factor the DS key (which would be the same on all servers)?</tt></p>
<p><tt><br>
</tt></p>
<p><tt>greetings,</tt></p>
<p><tt>Philip Vanmontfort<br>
</tt></p>
<div class="moz-cite-prefix">Op 10/07/19 om 14:04 schreef frank+pdns--- via Pdns-users:<br>
</div>
<blockquote type="cite" cite="mid:55E23D9E-C502-4E74-A939-DFACF87F3B98@louwers.be">
Philip,
<div class=""><br class="">
</div>
<div class="">Do you make make changes to your zones? If you don’t need to change the zone contents and your puppet is meant as a way to easily reinstall/add servers, it might make more sense to adapt your puppet manifests to:</div>
<div class=""><br class="">
</div>
<div class="">- load the zonefile</div>
<div class="">- use pdnsutil (or the API) to add dnssec signing parameters (maybe with predefined cryptokeys if you deploy this to multiple servers and don’t use zone transfers)</div>
<div class=""><br class="">
</div>
<div class="">That way, you don’t need to add binary blobs to your puppet repo, which defeats the purpose of “Infrastructure as Code” in my humble opinion.</div>
<div class=""><br class="">
</div>
<div class="">Just my 2 cents…</div>
<div class=""><br class="">
</div>
<div class="">Frank Louwers</div>
<div class="">Certified PowerDNS Consultant @ <a href="http://Kiwazo.be" class="" moz-do-not-send="true">
Kiwazo.be</a><br class="">
<div><br class="">
<blockquote type="cite" class="">
<div class="">On 10 Jul 2019, at 11:53, Philip Vanmontfort <<a href="mailto:philip@smartbit.be" class="" moz-do-not-send="true">philip@smartbit.be</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div style="font-style: normal; font-variant-caps: normal;
font-weight: normal; letter-spacing: normal; text-align:
start; text-indent: 0px; text-transform: none;
white-space: normal; word-spacing: 0px;
-webkit-text-stroke-width: 0px; text-decoration: none;
font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt;" class="">
<span style="font-family:
Consolas, Courier, monospace;" class="">Hello,</span></div>
<div style="font-style: normal; font-variant-caps: normal;
font-weight: normal; letter-spacing: normal; text-align:
start; text-indent: 0px; text-transform: none;
white-space: normal; word-spacing: 0px;
-webkit-text-stroke-width: 0px; text-decoration: none;
font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt;" class="">
<br class="">
</div>
<div style="font-style: normal; font-variant-caps: normal;
font-weight: normal; letter-spacing: normal; text-align:
start; text-indent: 0px; text-transform: none;
white-space: normal; word-spacing: 0px;
-webkit-text-stroke-width: 0px; text-decoration: none;
font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt;" class="">
<span style="font-family:
Consolas, Courier, monospace;" class="">We want to put everything in one place (puppet), so that we don't have to make a backup of the database. And we want a minimum of moving parts, that is why there is no database
backend.</span><br class="">
</div>
<div style="font-style: normal; font-variant-caps: normal;
font-weight: normal; letter-spacing: normal; text-align:
start; text-indent: 0px; text-transform: none;
white-space: normal; word-spacing: 0px;
-webkit-text-stroke-width: 0px; text-decoration: none;
font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt;" class="">
<span style="font-family:
Consolas, Courier, monospace;" class="">The setup uses native zones, so we don't do zone transfers with masters and slaves. So i figured, with everything in puppet saves me on replication/backup of the database.</span></div>
<div style="font-style: normal; font-variant-caps: normal;
font-weight: normal; letter-spacing: normal; text-align:
start; text-indent: 0px; text-transform: none;
white-space: normal; word-spacing: 0px;
-webkit-text-stroke-width: 0px; text-decoration: none;
font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt;" class="">
<br class="">
</div>
<div style="font-style: normal; font-variant-caps: normal;
font-weight: normal; letter-spacing: normal; text-align:
start; text-indent: 0px; text-transform: none;
white-space: normal; word-spacing: 0px;
-webkit-text-stroke-width: 0px; text-decoration: none;
font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt;" class="">
<span style="font-family:
Consolas, Courier, monospace;" class="">Do i understand correctly that I need to replicate the<span class="Apple-converted-space"> </span></span><font class="" size="2"><span style="font-size: 11pt;
font-family: Consolas, Courier, monospace;" class="">bind-dnssec-db.sqlite3
from one server (soa server?) to the others? or do i need to build a master-slave setup with zone transfers to enable a correct working of dnsssec?</span></font></div>
<div style="font-style: normal; font-variant-caps: normal;
font-weight: normal; letter-spacing: normal; text-align:
start; text-indent: 0px; text-transform: none;
white-space: normal; word-spacing: 0px;
-webkit-text-stroke-width: 0px; text-decoration: none;
font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt;" class="">
<font class="" size="2"><span style="font-size: 11pt; font-family: Consolas,
Courier, monospace;" class=""><br class="">
</span></font></div>
<div style="font-style: normal; font-variant-caps: normal;
font-weight: normal; letter-spacing: normal; text-align:
start; text-indent: 0px; text-transform: none;
white-space: normal; word-spacing: 0px;
-webkit-text-stroke-width: 0px; text-decoration: none;
font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt;" class="">
<font class="" size="2"><span style="font-size: 11pt; font-family: Consolas,
Courier, monospace;" class=""><br class="">
</span></font></div>
<div style="font-style: normal; font-variant-caps: normal;
font-weight: normal; letter-spacing: normal; text-align:
start; text-indent: 0px; text-transform: none;
white-space: normal; word-spacing: 0px;
-webkit-text-stroke-width: 0px; text-decoration: none;
font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt;" class="">
<font class="" size="2"><span style="font-size: 11pt; font-family: Consolas,
Courier, monospace;" class="">best greetings,</span></font></div>
<div style="font-style: normal; font-variant-caps: normal;
font-weight: normal; letter-spacing: normal; text-align:
start; text-indent: 0px; text-transform: none;
white-space: normal; word-spacing: 0px;
-webkit-text-stroke-width: 0px; text-decoration: none;
font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt;" class="">
<font class="" size="2"><span style="font-size: 11pt; font-family: Consolas,
Courier, monospace;" class="">Philip</span></font><br class="">
</div>
<hr tabindex="-1" style="caret-color: rgb(0, 0, 0);
font-family: AvenirNext-Regular; font-size: 13px;
font-style: normal; font-variant-caps: normal;
font-weight: normal; letter-spacing: normal; text-align:
start; text-indent: 0px; text-transform: none;
white-space: normal; word-spacing: 0px;
-webkit-text-stroke-width: 0px; text-decoration: none;
display: inline-block; width: 745.765625px;" class="">
<span style="caret-color: rgb(0, 0, 0); font-family:
AvenirNext-Regular; font-size: 13px; font-style: normal;
font-variant-caps: normal; font-weight: normal;
letter-spacing: normal; text-align: start; text-indent:
0px; text-transform: none; white-space: normal;
word-spacing: 0px; -webkit-text-stroke-width: 0px;
text-decoration: none; float: none; display: inline
!important;" class=""></span>
<div id="divRplyFwdMsg" dir="ltr" style="caret-color:
rgb(0, 0, 0); font-family: AvenirNext-Regular;
font-size: 13px; font-style: normal; font-variant-caps:
normal; font-weight: normal; letter-spacing: normal;
text-align: start; text-indent: 0px; text-transform:
none; white-space: normal; word-spacing: 0px;
-webkit-text-stroke-width: 0px; text-decoration: none;" class="">
<font style="font-size: 11pt;" class="" face="Calibri, sans-serif"><b class="">Van:</b><span class="Apple-converted-space"> </span>Pdns-users <<a href="mailto:pdns-users-bounces@mailman.powerdns.com" class="" moz-do-not-send="true">pdns-users-bounces@mailman.powerdns.com</a>>
namens Bjoern Franke <<a href="mailto:bjo@nord-west.org" class="" moz-do-not-send="true">bjo@nord-west.org</a>><br class="">
<b class="">Verzonden:</b><span class="Apple-converted-space"> </span>woensdag 10 juli 2019 11:12<br class="">
<b class="">Aan:</b><span class="Apple-converted-space"> </span><a href="mailto:pdns-users@mailman.powerdns.com" class="" moz-do-not-send="true">pdns-users@mailman.powerdns.com</a><br class="">
<b class="">Onderwerp:</b><span class="Apple-converted-space"> </span>Re: [Pdns-users] bind backend and dnssec database</font>
<div class=""> </div>
</div>
<div class="BodyFragment" style="caret-color: rgb(0, 0,
0); font-family: AvenirNext-Regular; font-size: 13px;
font-style: normal; font-variant-caps: normal;
font-weight: normal; letter-spacing: normal; text-align:
start; text-indent: 0px; text-transform: none;
white-space: normal; word-spacing: 0px;
-webkit-text-stroke-width: 0px; text-decoration: none;">
<font class="" size="2"><span style="font-size: 11pt;" class="">
<div class="PlainText">Hi,<br class="">
<br class="">
><span class="Apple-converted-space"> </span><br class="">
> My company is planning the migration of our authoritative name servers <br class="">
> to powerdns 4.1.x with a bind backend (managed with puppet). This part<br class="">
> is working as intended.<br class="">
[...]<br class="">
> The question is:<br class="">
><span class="Apple-converted-space"> </span><br class="">
> can I put the |bind-dnssec-db.sqlite3| inside puppet after I secured the<br class="">
> zone. (can it be readonly from powerdns's viewpoint)<br class="">
> or does powerdns need read-write access to the |bind-dnssec-db.sqlite3|?<br class="">
> (maybe for key roll over?)<br class="">
><br class="">
<br class="">
We are also running powerdns in a puppetized way, but with MySQL as<br class="">
hybrid-backend. As data is changed during key rollover, read/write<br class="">
access is needed. Why do you want to put the sqlite itself into puppet?<br class="">
For the slaves?<br class="">
<br class="">
Kind regards<br class="">
Bjoern<br class="">
_______________________________________________<br class="">
Pdns-users mailing list<br class="">
<a href="mailto:Pdns-users@mailman.powerdns.com" class="" moz-do-not-send="true">Pdns-users@mailman.powerdns.com</a><br class="">
<a href="https://mailman.powerdns.com/mailman/listinfo/pdns-users" class="" moz-do-not-send="true">https://mailman.powerdns.com/mailman/listinfo/pdns-users</a><br class="">
</div>
</span></font></div>
<span style="caret-color: rgb(0, 0, 0); font-family:
AvenirNext-Regular; font-size: 13px; font-style: normal;
font-variant-caps: normal; font-weight: normal;
letter-spacing: normal; text-align: start; text-indent:
0px; text-transform: none; white-space: normal;
word-spacing: 0px; -webkit-text-stroke-width: 0px;
text-decoration: none; float: none; display: inline
!important;" class="">_______________________________________________</span><br style="caret-color: rgb(0, 0, 0); font-family:
AvenirNext-Regular; font-size: 13px; font-style: normal;
font-variant-caps: normal; font-weight: normal;
letter-spacing: normal; text-align: start; text-indent:
0px; text-transform: none; white-space: normal;
word-spacing: 0px; -webkit-text-stroke-width: 0px;
text-decoration: none;" class="">
<span style="caret-color: rgb(0, 0, 0); font-family:
AvenirNext-Regular; font-size: 13px; font-style: normal;
font-variant-caps: normal; font-weight: normal;
letter-spacing: normal; text-align: start; text-indent:
0px; text-transform: none; white-space: normal;
word-spacing: 0px; -webkit-text-stroke-width: 0px;
text-decoration: none; float: none; display: inline
!important;" class="">Pdns-users
mailing list</span><br style="caret-color: rgb(0, 0, 0); font-family:
AvenirNext-Regular; font-size: 13px; font-style: normal;
font-variant-caps: normal; font-weight: normal;
letter-spacing: normal; text-align: start; text-indent:
0px; text-transform: none; white-space: normal;
word-spacing: 0px; -webkit-text-stroke-width: 0px;
text-decoration: none;" class="">
<a href="mailto:Pdns-users@mailman.powerdns.com" style="font-family: AvenirNext-Regular; font-size: 13px;
font-style: normal; font-variant-caps: normal;
font-weight: normal; letter-spacing: normal; orphans:
auto; text-align: start; text-indent: 0px;
text-transform: none; white-space: normal; widows: auto;
word-spacing: 0px; -webkit-text-size-adjust: auto;
-webkit-text-stroke-width: 0px;" class="" moz-do-not-send="true">Pdns-users@mailman.powerdns.com</a><br style="caret-color: rgb(0, 0, 0); font-family:
AvenirNext-Regular; font-size: 13px; font-style: normal;
font-variant-caps: normal; font-weight: normal;
letter-spacing: normal; text-align: start; text-indent:
0px; text-transform: none; white-space: normal;
word-spacing: 0px; -webkit-text-stroke-width: 0px;
text-decoration: none;" class="">
<a href="https://mailman.powerdns.com/mailman/listinfo/pdns-users" style="font-family: AvenirNext-Regular; font-size: 13px;
font-style: normal; font-variant-caps: normal;
font-weight: normal; letter-spacing: normal; orphans:
auto; text-align: start; text-indent: 0px;
text-transform: none; white-space: normal; widows: auto;
word-spacing: 0px; -webkit-text-size-adjust: auto;
-webkit-text-stroke-width: 0px;" class="" moz-do-not-send="true">https://mailman.powerdns.com/mailman/listinfo/pdns-users</a></div>
</blockquote>
</div>
<br class="">
</div>
<div class="">
<div dir="auto" style="word-wrap: break-word; -webkit-nbsp-mode:
space; line-break: after-white-space;" class="">
<div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);
font-family: "Avenir Next"; font-size: 13px;
font-style: normal; font-variant-caps: normal; font-weight:
normal; letter-spacing: normal; text-align: start;
text-indent: 0px; text-transform: none; white-space: normal;
word-spacing: 0px; -webkit-text-stroke-width: 0px;
text-decoration: none;">
Frank Louwers<br class="">
PowerDNS Certified Consultant @ <a href="http://Kiwazo.be" class="" moz-do-not-send="true">
Kiwazo.be</a><br class="">
<br class="">
</div>
<div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);
font-family: "Avenir Next"; font-size: 13px;
font-style: normal; font-variant-caps: normal; font-weight:
normal; letter-spacing: normal; text-align: start;
text-indent: 0px; text-transform: none; white-space: normal;
word-spacing: 0px; -webkit-text-stroke-width: 0px;
text-decoration: none;" class="">
<br class="">
</div>
<br class="Apple-interchange-newline">
</div>
<br class="Apple-interchange-newline">
</div>
</blockquote>
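<p>An added example, not part of any message in this thread: a stdlib-only Python check that computes the RFC 4034 key tag and the SHA-256 DS implied by each KSK a server publishes, and flags servers whose DNSKEY set diverges, which is the situation Philip describes after a reinstall with a different predefined key. Because the DS is a digest over the owner name plus the DNSKEY RDATA, every native-zone server must carry the identical KSK for the parent's DS to validate all of them; the server names and key bytes below are constructed placeholders, not real keys and not PowerDNS code.</p>

```python
"""Derive the DS each server's published KSK implies (RFC 4034 key tag, RFC 4509
SHA-256 DS) and report servers that diverge. Constructed sample data, not real keys."""
import hashlib

def keytag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (flags|proto|alg|key)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, length-prefixed."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags: int, alg: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, protocol 3, algorithm, public key."""
    return flags.to_bytes(2, "big") + b"\x03" + bytes([alg]) + pubkey

def ds_sha256(zone: str, rdata: bytes) -> str:
    """DS in presentation form (keytag alg 2 digest), as the parent zone would publish it."""
    digest = hashlib.sha256(owner_wire(zone) + rdata).hexdigest().upper()
    return f"{keytag(rdata)} {rdata[3]} 2 {digest}"

def ksk_ds_per_server(zone: str, published: dict) -> dict:
    """server -> sorted DS lines for its KSKs (flags 257); ZSKs never appear in a DS."""
    return {srv: sorted(ds_sha256(zone, rd) for rd in keys
                        if int.from_bytes(rd[:2], "big") == 257)
            for srv, keys in published.items()}

def diverging_servers(zone: str, published: dict) -> list:
    """Servers whose implied DS set differs from the first server's; [] means consistent."""
    per = ksk_ds_per_server(zone, published)
    reference = per[next(iter(per))]
    return sorted(srv for srv, ds in per.items() if ds != reference)

# Constructed sample: three native-zone servers, ns3 reinstalled with a different KSK.
KSK_A = dnskey_rdata(257, 13, bytes(range(64)))        # placeholder bytes, not a real key
KSK_B = dnskey_rdata(257, 13, bytes(range(64, 128)))
ZSK = dnskey_rdata(256, 13, bytes(range(128, 192)))
SAMPLE = {"ns1": [KSK_A, ZSK], "ns2": [KSK_A, ZSK], "ns3": [KSK_B, ZSK]}
if __name__ == "__main__":
    for srv, ds in ksk_ds_per_server("example.org.", SAMPLE).items():
        print(srv, ds)
    print("diverging:", diverging_servers("example.org.", SAMPLE))
```

In a real deployment the per-server DNSKEY sets would come from querying each server directly (bypassing any anycast or load balancer), and a non-empty result from diverging_servers is the condition to alert on before touching the DS at the parent.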
</body>
</html>