[Pdns-users] DNSSEC and Master/Slave setup

bert hubert bert.hubert at netherlabs.nl
Thu Feb 3 09:28:23 UTC 2011

On Thu, Feb 03, 2011 at 08:44:08AM +0100, Christof Meerwald wrote:
> I kind of expected this to happen today - the master (ns.cmeerw.net)
> with the keying material has now updated the RRSIG records, but the
> slave (ns2.cmeerw.net, no keying material) still returns the old RRSIG
> records:

Indeed, this is an issue we've been pondering for a while now. OpenDNSSEC,
and dnssec-signzone all deal with it in some way.

> ; <<>> DiG 9.7.1-P2 <<>> +dnssec -t soa cmeerw.priv.at @ns2.cmeerw.net
> cmeerw.priv.at.		28800	IN	RRSIG	SOA 8 3 28800 20110210000000 20110127000000 9895 cmeerw.priv.at. b6IVcHFLnJvuL1T+OVXDDiuPOPbooVgpNHw8SI21cXoo2Q2v89+UQd7+ H/SVjFYPL5RLjyCIcGWIJOrx5Wssg8vqbVqvkaG/AGmyZqhu5S5dVo1b ipK32UrcYrsknkYmzYaHD3ew2ka9hwZYND5MK+g3FNAJxnj3fJEiHEvG Lzo=
> cmeerw.priv.at.		28800	IN	SOA	ns.cmeerw.net. domain.cmeerw.net. 2010080601 3600 900 1814400 3600
> Is there any better solution than having to run a script each week on
> the master server to update the SOA serial number and reload the zone
> (so the slave gets notified of the change and does an AXFR)?

This will obviously have to be automated, but we're not sure how. The more
general case is where PowerDNS operates like OpenDNSSEC, as a 'signing
proxy'. In this case there is an 'original serial' from the unsigned master,
which tells us when the original changed.

Secondly, there is the 'signed serial' which will have to change once a week
at least, but also whenever the 'original serial' changes.

In your case, where PowerDNS merely does the signing, things are a bit
simpler, but stil not trivial. 

We obviously need to come up with something smart! Thinking out loud a bit.

A problem is that the SOA serial is 32 bits, and often filled out like this:

2011020300 .. 2011020301 .. 2011020302 etc

This means that if we do the 'obvious' and leave the first six digits alone,
we can only do 99 increments, which is not enough by a long shot.

However, '20110203' only encodes a day number, and there have been 15008
days since the beginning of the epoch. What we could do is convert a
'date-formed SERIAL' to a more compact form, and leave loads of room for
autincrementing the serial.

So 2011020312 ('the 12th increment on the 3rd of February 2011') could be
converted to:

This still only gives us 256 increments before things turn nasty.


I prefer a solution where we don't actually increment the serial in the
database but overlay it with something that autoincrements ('weeks since
january first 2011').


More information about the Pdns-users mailing list