[Pdns-users] Slave Zones and Presigned Zones

Craig Whitmore lennon at orcon.net.nz
Sat Jun 11 10:11:57 UTC 2011



>Thanks a lot..  I'll patch my copy and see how it works out.

Seemed to work.

Jun 11 21:45:29 database1 pdns[4861]: Done launching threads, ready to
distribute questions
Jun 11 21:48:44 database1 pdns[4861]: Received NOTIFY for spam.co.nz from
114.23.33.130 for which we are not authoritative
Jun 11 21:48:44 database1 pdns[4861]: Created new slave zone 'spam.co.nz'
from supermaster 114.23.33.130, queued axfr
Jun 11 21:48:44 database1 pdns[4861]: Initiating transfer of 'spam.co.nz'
from remote '114.23.33.130'
Jun 11 21:48:44 database1 pdns[4861]: gmysql Connection successful
Jun 11 21:48:44 database1 pdns[4861]: last message repeated 2 times
Jun 11 21:48:44 database1 pdns[4861]: AXFR started for 'spam.co.nz',
transaction started
Jun 11 21:48:45 database1 pdns[4861]: AXFR done for 'spam.co.nz', zone
committed



And testing if everything worked out.. Except it sets the options
differently than if I typed "pdnssec set-nsec3 spam.co.nz". I have no idea
what the difference is, but it still passes the dig tests I do...

Master.. (entered in via pdnssec set-nsec3 spam.co.nz)

select * from domainmetadata;
+----+-----------+------------+----------+
| id | domain_id | kind       | content  |
+----+-----------+------------+----------+
|  1 |         1 | NSEC3PARAM | 1 1 1 ab |
+----+-----------+------------+----------+



Slave

mysql> select * from domainmetadata; (this is entered by the program via
your patch)
+----+-----------+------------+----------+
| id | domain_id | kind       | content  |
+----+-----------+------------+----------+
| 11 |         9 | PRESIGNED  | 1        |
| 12 |         9 | NSEC3PARAM | 1 0 1 ab |
+----+-----------+------------+----------+
2 rows in set (0.00 sec)



Ok.. Can something similar be done with TSIGs? As domains are not transferred
securely without TSIG (as far as I know), I have to enter the TSIG stuff in
after it has transferred, which kind of defeats the purpose of unattended
slaves. The initial transfer is insecure (if you use trusted AXFR IP
addresses in the PowerDNS settings)? Maybe a key which gets used with all
master/slaves, as at the moment you have to specify the TSIG key per domain.

Also with TSIG it seems you have to use the same TSIG key on the master
and all the slaves per domain.. What if I want to have different keys per
slave? (For example.. If I have a hidden master and 4 slaves.. I want each
of the slaves to transfer with different keys?) It's not that important at
the moment, but having a master TSIG key which gets used between transfers
would be great.


Thanks
Craig
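Added example (not code from this thread or from PowerDNS) that parses the domainmetadata content column shown above and computes the RFC 5155 hashed owner name: the master's "1 1 1 ab" and the slave's "1 0 1 ab" differ only in the flags field, whose bit 0 is Opt-Out, and RFC 5155 requires that field to be zero on the NSEC3PARAM RR itself, which is the form a presigned slave receives in the transfer. The zone name and salt are taken from the post; the hash for spam.co.nz is computed by the code, not copied from anywhere.

```python
import base64
import hashlib
from dataclasses import dataclass

# RFC 5155: bit 0 of the flags field is Opt-Out. It is meaningful on NSEC3
# records (and in the master's generation parameters), but the NSEC3PARAM RR
# that gets AXFRed to a presigned slave always carries flags = 0.
OPT_OUT_FLAG = 0x01


@dataclass(frozen=True)
class Nsec3Param:
    algorithm: int   # 1 = SHA-1, the only hash algorithm RFC 5155 defines
    flags: int
    iterations: int
    salt: bytes      # b"" when the presentation form is "-"

    @property
    def opt_out(self) -> bool:
        return bool(self.flags & OPT_OUT_FLAG)


def parse_nsec3param(content: str) -> Nsec3Param:
    """Parse the 'content' column of a domainmetadata row, e.g. '1 1 1 ab'."""
    fields = content.split()
    if len(fields) != 4:
        raise ValueError(f"expected 4 fields in NSEC3PARAM, got {content!r}")
    algorithm, flags, iterations = (int(f) for f in fields[:3])
    salt = b"" if fields[3] == "-" else bytes.fromhex(fields[3])
    return Nsec3Param(algorithm, flags, iterations, salt)


def name_to_wire(name: str) -> bytes:
    # Canonical (lowercase) uncompressed wire form: length-prefixed labels, root byte.
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def base32hex(data: bytes) -> str:
    """RFC 4648 base32 with the extended-hex alphabet, unpadded, lowercase."""
    std = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
    hexa = "0123456789ABCDEFGHIJKLMNOPQRSTUV"
    enc = base64.b32encode(data).decode("ascii").rstrip("=")
    return enc.translate(str.maketrans(std, hexa)).lower()


def nsec3_hash(name: str, params: Nsec3Param) -> str:
    """Hashed owner label per RFC 5155 section 5: H(x || salt), iterated."""
    if params.algorithm != 1:
        raise ValueError(f"unknown NSEC3 hash algorithm {params.algorithm}")
    digest = name_to_wire(name)
    for _ in range(params.iterations + 1):
        digest = hashlib.sha1(digest + params.salt).digest()
    return base32hex(digest)
```

Running `nsec3_hash("spam.co.nz", parse_nsec3param("1 1 1 ab"))` and the same with "1 0 1 ab" yields the identical 32-character label, since the flags field never enters the hash.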