[Pdns-users] Disabling DNSSEC on a Domain

bert hubert bert.hubert at netherlabs.nl
Tue Jun 14 09:33:14 UTC 2011


On Tue, Jun 14, 2011 at 08:56:41PM +1200, Craig Whitmore wrote:
> I have been trying to automate this all and have a number of questions...
> 
> 1. http://doc.powerdns.com/dnssec-operational-doctrine.html says to use
> "pdnssec disable-dnssec" but there is no command, so what is the "proper" way of
> making a domain insecure (the opposite of secure-zone, basically)?
> remove-zone-key on all the keys will work? And then update SOA serial and
> remove anything in the domainmetadata table?

Almost. disable-dnssec would deactivate all keys, and unset 'presigned'.
Implemented this in 2216 which is now building.

> 2) pdnssec [options] [show-zone] [secure-zone] [rectify-zone] [add-zone-key]
> secure-zone                     Add KSK and two ZSKs
> secure-zone  ZONE       Add KSK and two ZSKs

Fixed, thanks!

> 3) Do I have to run rectify-zone every time I add/change an entry? I add an
> entry into the database and then read the SOA and increase it and update it
> to be bigger.

This is described here:
http://doc.powerdns.com/dnssec-modes.html#dnssec-direct-database

In your case, you should be setting the 'auth' field too, which would
probably fix the problem.

	Bert
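
Added example, not part of the original message and not PowerDNS code: a sketch of how the 'auth' field mentioned above can be derived when inserting records directly into the database. The rules follow the PowerDNS documentation for direct database operation; the function names and the zone data are constructed for illustration.

```python
# Added example: derive the 'auth' column for rows of a PowerDNS-style
# records table. Helper names and zone contents are constructed.

def is_subdomain(name, parent):
    """True if name equals parent or lies beneath it."""
    return name == parent or name.endswith("." + parent)

def compute_auth(zone, records):
    """Return (name, rtype, auth) for every (name, rtype) in records.

    Rules applied:
      - data the zone is authoritative for gets auth=1 (SOA, apex NS, ...)
      - NS records at a delegation point get auth=0
      - anything below a delegation point (glue) gets auth=0
      - the DS record at a delegation point stays auth=1
    """
    zone = zone.lower().rstrip(".")
    norm = [(n.lower().rstrip("."), t.upper()) for n, t in records]
    # Delegation points: names other than the apex that own NS records.
    cuts = {n for n, t in norm if t == "NS" and n != zone}
    result = []
    for name, rtype in norm:
        if not is_subdomain(name, zone):
            raise ValueError(f"{name} is not inside zone {zone}")
        below_cut = any(name != c and is_subdomain(name, c) for c in cuts)
        if below_cut:
            auth = 0                      # glue under a delegation
        elif name in cuts and rtype != "DS":
            auth = 0                      # delegation NS (or stray data at the cut)
        else:
            auth = 1                      # authoritative data, including DS
        result.append((name, rtype, auth))
    return result

# Constructed sample zone with one secure delegation and its glue.
SAMPLE = [
    ("example.org", "SOA"),
    ("example.org", "NS"),
    ("www.example.org", "A"),
    ("sub.example.org", "NS"),
    ("sub.example.org", "DS"),
    ("ns1.sub.example.org", "A"),
]

if __name__ == "__main__":
    for row in compute_auth("example.org", SAMPLE):
        print(row)
```
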



