[Pdns-users] Disabling DNSSEC on a Domain

Craig Whitmore lennon at orcon.net.nz
Tue Jun 14 10:29:46 UTC 2011



On 14/06/11 9:33 PM, "bert hubert" <bert.hubert at netherlabs.nl> wrote:

>On Tue, Jun 14, 2011 at 08:56:41PM +1200, Craig Whitmore wrote:
>> I have been trying to automate this all and have a number of questions.
>> 
>> 1. http://doc.powerdns.com/dnssec-operational-doctrine.html says to use
>> "pdnssec disable-dnssec" but there is no such command, so what is the "proper"
>> way of making a domain insecure (the opposite of secure-zone, basically)?
>> Will remove-zone-key on all the keys work? And then update the SOA serial
>> and remove anything in the domainmetadata table?

Tested and it works, but shouldn't you delete the cryptokeys for the domain in
the database as well? Otherwise something bad happens.

If I enable, all good.

ID = 18 (KSK), tag = 41954, algo = 8, bits = 2048 Active: 1
KSK DNSKEY = spam.co.nz IN DNSKEY 257 3 8
AwEAAeqMcemGL0stYFsyPSoqTTj2h/xOnLnP3REKmX3zp9mD3AFPabynZAn5NREYfUl97u2kIKq
KrBsW1TEm2yp8067EqgyZtUqiRyGl8lv5h+uInnpjmC4cHMLsvxt+S5b7vTcmwl8J2r3aGVe050
I2sALq8YEjnPWHiw5qLOQRoY72REa77fXyzoOW3hQKfTlJcco8gu363sYn4gYM9AFy/PJVXeUWq
WdTvyVmGbqapLISLnb9w+DCLa8N4RkbTIsImPy90e2qN6RYLUA1CoUaYuCtxUfqJC5OLE+deDJB
DwQ/+bGZSWORyJvbkOeq+xRfrDqJ4Gt98RZM3DwEvD8irDU=
DS = spam.co.nz IN DS 41954 8 1 73ecd73829cbce5a79117f6f1a452ec41a8ad821
DS = spam.co.nz IN DS 41954 8 2
fdd6e221ac2cf1e9e13c5af283851089b905be67eab7f0a0a3f4f10555caaac8

ID = 19 (ZSK), tag = 38065, algo = 8, bits = 1024 Active: 1
ID = 20 (ZSK), tag = 28923, algo = 8, bits = 1024 Active: 0


Then disable and then enable again.

ID = 18 (KSK), tag = 41954, algo = 8, bits = 2048 Active: 0
KSK DNSKEY = spam.co.nz IN DNSKEY 257 3 8
AwEAAeqMcemGL0stYFsyPSoqTTj2h/xOnLnP3REKmX3zp9mD3AFPabynZAn5NREYfUl97u2kIKq
KrBsW1TEm2yp8067EqgyZtUqiRyGl8lv5h+uInnpjmC4cHMLsvxt+S5b7vTcmwl8J2r3aGVe050
I2sALq8YEjnPWHiw5qLOQRoY72REa77fXyzoOW3hQKfTlJcco8gu363sYn4gYM9AFy/PJVXeUWq
WdTvyVmGbqapLISLnb9w+DCLa8N4RkbTIsImPy90e2qN6RYLUA1CoUaYuCtxUfqJC5OLE+deDJB
DwQ/+bGZSWORyJvbkOeq+xRfrDqJ4Gt98RZM3DwEvD8irDU=
DS = spam.co.nz IN DS 41954 8 1 73ecd73829cbce5a79117f6f1a452ec41a8ad821
DS = spam.co.nz IN DS 41954 8 2
fdd6e221ac2cf1e9e13c5af283851089b905be67eab7f0a0a3f4f10555caaac8

ID = 21 (KSK), tag = 60754, algo = 8, bits = 2048 Active: 1
KSK DNSKEY = spam.co.nz IN DNSKEY 257 3 8
AwEAAZ6aEkCc9D9UomiVim7NmHNTkVgOuphNdbRvjPt0Vd2XGt4dCUiICF2uErZUIADb5TC08d4
nS2Wo4W0sN8CjQj3ij4IKCAeKoQiejxvBsLp5nVqf8RS9dRN8FLvbPsfBjVPFB4MKSfWz9VpMnn
BMlJyWOgRaExKY0FR4Ydy3qH3aiHVq+jw941N/bXiQcYzWHzY4VhluD+T+nW4N1IuEp/6rs0tIY
bXp/GRm1VoxADY3wfv2VmLI6MZ0zLSf5UEYu+/vVFkJGLAGDuDKH8jEYc4Bu4h8fFHYycQisHEE
BbCSoXmbvWudjFd3CX0QF2fODtEZQWJuEkBTfbsJxLcvEzk=
DS = spam.co.nz IN DS 60754 8 1 78650a091d44b6a7a8878fcdd2971d283b3ea364
DS = spam.co.nz IN DS 60754 8 2
8ef196e23b9ba831438763962618db627202027a53ac4f3d605ce6aab8c87e57

ID = 19 (ZSK), tag = 38065, algo = 8, bits = 1024 Active: 0
ID = 20 (ZSK), tag = 28923, algo = 8, bits = 1024 Active: 0


Older KSK is there (deactivated)
New KSK is there (good)
2 ZSKs (both deactivated)


ordername is not blanked out for the domain either, for each RR, but that's
less important as it won't make any difference (maybe).


Thanks
Craig
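As an added example (not code from the post or from PowerDNS itself), the following parses the `pdnssec show-zone` key listing quoted above and reports what an operator would want to check after a disable/re-enable cycle: inactive key rows left in `cryptokeys`, a zone with no active ZSK, and DS records that still point at the old KSK. The sample input is constructed from the second listing in the post, with the DNSKEY lines left out.

```python
import re
from collections import namedtuple
Key = namedtuple("Key", "id role tag algo bits active")
DS = namedtuple("DS", "zone tag algo digest_type digest")
KEY_RE = re.compile(r"ID = (\d+) \((KSK|ZSK)\), tag = (\d+), algo = (\d+), bits = (\d+) Active: ([01])")
DS_RE = re.compile(r"DS = (\S+) IN DS (\d+) (\d+) (\d+)\s*([0-9a-fA-F]*)")

# Constructed sample patterned on the post's second listing; DNSKEY lines omitted.
SAMPLE = """\
ID = 18 (KSK), tag = 41954, algo = 8, bits = 2048 Active: 0
DS = spam.co.nz IN DS 41954 8 1 73ecd73829cbce5a79117f6f1a452ec41a8ad821
DS = spam.co.nz IN DS 41954 8 2
fdd6e221ac2cf1e9e13c5af283851089b905be67eab7f0a0a3f4f10555caaac8
ID = 21 (KSK), tag = 60754, algo = 8, bits = 2048 Active: 1
DS = spam.co.nz IN DS 60754 8 1 78650a091d44b6a7a8878fcdd2971d283b3ea364
DS = spam.co.nz IN DS 60754 8 2
8ef196e23b9ba831438763962618db627202027a53ac4f3d605ce6aab8c87e57
ID = 19 (ZSK), tag = 38065, algo = 8, bits = 1024 Active: 0
ID = 20 (ZSK), tag = 28923, algo = 8, bits = 1024 Active: 0
"""

def parse_show_zone(text):
    """Return ([Key], [DS]); a DS digest wrapped onto the next line is rejoined."""
    keys, ds, lines, i = [], [], text.splitlines(), 0
    while i < len(lines):
        if m := KEY_RE.search(lines[i]):
            g = m.groups()
            keys.append(Key(int(g[0]), g[1], int(g[2]), int(g[3]), int(g[4]), g[5] == "1"))
        elif m := DS_RE.search(lines[i]):
            zone, tag, algo, dtype, digest = m.groups()
            if not digest and i + 1 < len(lines):  # digest continued on the next line
                i += 1
                digest = lines[i].strip()
            ds.append(DS(zone, int(tag), int(algo), int(dtype), digest.lower()))
        i += 1
    return keys, ds

def audit(keys, ds):
    """Findings after a disable/re-enable cycle: leftover inactive rows, no signing key, stale DS."""
    findings, active_ksk = [], {k.tag for k in keys if k.role == "KSK" and k.active}
    if len(active_ksk) != 1:
        findings.append(f"expected exactly one active KSK, found {len(active_ksk)}")
    if not any(k.role == "ZSK" and k.active for k in keys):
        findings.append("no active ZSK: the zone has no key to sign records with")
    for k in keys:
        if not k.active:
            findings.append(f"inactive {k.role} id={k.id} tag={k.tag} left in cryptokeys")
    for d in ds:
        if d.tag not in active_ksk:
            findings.append(f"DS tag={d.tag} type={d.digest_type} points at a non-active key")
    return findings
```

Running `audit(*parse_show_zone(SAMPLE))` against the sample reproduces the poster's observation: the old KSK and both ZSKs are still present but inactive, and the two DS records for tag 41954 no longer correspond to an active key.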
