[Pdns-users] PowerDNSSEC Progress: ready for a first look
Leen Besselink
leen at consolejunkie.net
Fri Jan 7 12:35:59 UTC 2011
On Fri, Jan 07, 2011 at 11:39:59AM +0100, bert hubert wrote:
> On Fri, Jan 07, 2011 at 11:24:12AM +0100, Leen Besselink wrote:
>
> > But there is one part I'm missing: a way to hook up an EPP-client for
> > sending the DS-record to the parent-zone.
>
> This could be added to pdnssec perhaps - is there an EPP spec somewhere?
> 'pdnssec push-zone-ds powerdnssec.org epp.sidn.nl' ?
>
> It would probably need authentication tokens too etc.
>
I would expect it to need authentication tokens too. :-)
Supposedly it is RFC 5910 which obsoletes RFC 4310.
It's an XML format sent over HTTP(S).
I've seen a few EPP implementations (not the DNSSEC-part) and they are not
the same. But I don't see a reason why commands related to DNSSEC should
differ.
> > Are there too many TLDs that do not have the needed EPP-extensions at
> > this time ? Or are there too many different
> > authentication schemes ? Probably worse, I guess for some people they
> > have registrars in between. And some
> > currently have EPP, but probably not many have DNSSEC yet.
>
> As far as I know, almost nobody has a decent DS submission gateway
> standardized right now. But oddly enough, I know very little about registry
> operations, so I could very well be wrong.
>
I understand.
Maybe it does not need to be part of PowerDNSSEC (at first ?).
But I did wonder at what point in time (for example 5 days before key rollover) will
the new DS be inserted in the database and how do you recognise it.
But after reading http://wiki.powerdns.com/trac/wiki/PDNSSEC/details again it is
pretty obvious PowerDNSSEC does not do a key rollover unless you ask it to do so.
Somehow I missed that part the first time.
Do you have any recommendations or pointers to recommendations about when
key rollover should be done ?
A small recommendation for the documentation: it does not mention the
cryptographic/hashing algorithms that are used (or supported) by PowerDNSSEC.
I would expect the key rollover to depend on the algorithms used.
> Bert