[Pdns-users] Questions on powerdnssec

bert hubert bert.hubert at netherlabs.nl
Mon May 9 13:47:44 UTC 2011


On Mon, May 09, 2011 at 02:24:05PM +0100, Chris Russell wrote:
>  Firstly, when using an external server as a recursor, can this be an IPv6 host? I have the auth server forwarding to bind for any recursive queries; this works when I specify the bind IPv4 address, but not the IPv6 address. Both queries work fine if querying bind from the pdns server directly using dig on IPv4 or IPv6.

As of 2191 (now building) this can be IPv6 too. Odd that we missed it!

>  Secondly, when using powerdns secure-zone and the gmysql backend, I'm
> guessing rectify-zone must be run whenever any records are created to
> resign the zone.  This being the case, does this lead to having a hidden
> master (i.e. non publicly accessible) host or db in order to be slightly
> more secure [making the running of the signing process hidden]?

There is no need to run rectify-zone each time, as long as 'auth' and
'ordername' are filled out correctly.

This is detailed in
http://doc.powerdns.com/dnssec-modes.html#dnssec-direct-database

A hidden master is indeed more secure since it separates the server from the keying material.

>  Finally, Is there any documentation of the validity length of the keys,
> or do these rollover automatically ?

The keys remain where they are, unless you roll them over.
http://doc.powerdns.com/powerdnssec.html explains the idea behind this,
where you have 'active' and 'passive' keys. 

http://doc.powerdns.com/dnssec-operational-doctrine.html#zsk-rollover also
has some sample command lines.

It appears there is very little benefit to automated key rollovers (unlike
say automated signature rollovers, which are very necessary).

>  Bert, as you thought, this build resolves the issue I had with mysql
> going away and the server taking a while to reconnect.  It's serving
> records from the cache just fine.

Great to hear!

	Bert
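As an added example (not part of Bert's reply, and not code from the PowerDNS project), the script below turns the pre-publish ZSK rollover that the operational doctrine describes into three shell functions, one per maintenance window. It assumes the PowerDNS 3.x pdnssec sub-commands add-zone-key, show-zone, activate-zone-key, deactivate-zone-key and remove-zone-key, and it assumes add-zone-key creates the new key inactive (passive); check show-zone after step 1 and deactivate the key first if your version activates new keys. The key IDs and zone name are placeholders. Setting PDNSSEC=echo previews the commands without touching the key database.

```shell
#!/bin/sh
# Added example: pre-publish ZSK rollover with pdnssec (PowerDNS 3.x).
# Assumption: add-zone-key adds the new key as passive (inactive).
# Set PDNSSEC=echo to print the commands instead of running them.
set -eu

# Step 1: add a new passive ZSK. It appears in the DNSKEY RRset but does
# not sign anything yet, so validators learn about it before it is used.
zsk_prepublish() {
    zone="$1"
    "${PDNSSEC:-pdnssec}" add-zone-key "$zone" zsk
    # show-zone lists the key IDs and their active flag; note the new ID.
    "${PDNSSEC:-pdnssec}" show-zone "$zone"
}

# Step 2: after the DNSKEY TTL has expired from caches, swap the active
# key. New signatures are made with the new key; the old key stays
# published but passive, so RRSIGs still cached from it keep validating.
zsk_switch() {
    zone="$1"; new_id="$2"; old_id="$3"
    "${PDNSSEC:-pdnssec}" activate-zone-key "$zone" "$new_id"
    "${PDNSSEC:-pdnssec}" deactivate-zone-key "$zone" "$old_id"
}

# Step 3: once the longest RRSIG TTL in the zone has passed, nothing
# signed with the old key can still be cached, so it can be removed.
zsk_retire() {
    zone="$1"; old_id="$2"
    "${PDNSSEC:-pdnssec}" remove-zone-key "$zone" "$old_id"
}

# Usage, one step per maintenance window (IDs are placeholders):
#   zsk_prepublish example.com          # read NEWID from show-zone
#   ... wait at least the DNSKEY TTL ...
#   zsk_switch example.com NEWID OLDID
#   ... wait at least the longest record TTL in the zone ...
#   zsk_retire example.com OLDID
```

The waits between the steps are the whole point of the active/passive split: a key must be visible in the DNSKEY set before it signs, and must stay visible until every signature it made has aged out of caches.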


