[Pdns-users] Disabling DNSSEC on a Domain
bert hubert
bert.hubert at netherlabs.nl
Tue Jun 14 09:33:14 UTC 2011
On Tue, Jun 14, 2011 at 08:56:41PM +1200, Craig Whitmore wrote:
> A have been trying to automate this all and have a number of questionsÃÂ
>
> 1. http://doc.powerdns.com/dnssec-operational-doctrine.html say to use
> "pdnssec disable-dnssec" but there is no command so what the "proper" way of
> making a domain insecure (the opposite of secure-zone basically.
> remove-zone-key on all the keys will work? And then update SOA serial and
> remove anything in the domainmetadata table?
Almost. disable-dnssec would deactivate all keys, and unset 'presigned'.
Implemented this in 2216 which is now building.
> 2) pdnssec [options] [show-zone] [secure-zone] [rectify-zone] [add-zone-key]
> secure-zone Add KSK and two ZSKs
> secure-zone ZONE Add KSK and two ZSKs
Fixed, thanks!
> 3) do I have to run rectify-zone every time I add/change an entry. I add an
> entry into the database and then read the SOA and increase it and update it
> to be bigger.
This is described here:
http://doc.powerdns.com/dnssec-modes.html#dnssec-direct-database
In your case, you should be setting the 'auth' field too, which would
probably fix the problem.
Bert
More information about the Pdns-users
mailing list