[Pdns-users] Question concerning multiple database backends

Posner, Sebastian s.posner at telekom.de
Wed Oct 26 14:26:07 UTC 2011


Hi,

is it possible to influence which kind of data is stored in which 
database backends?

Background of the question: 

When doing database-level replication of DNS content, everything 
that's in the database is replicated, right?

If you add DNSSEC, part of this is the DNSSEC private key material.

Definitely *not* what I want to be accessible or even distributed to
all of my DNS platforms' servers, especially not if I want to have 
signing done by a hidden master.


To me, this means I currently have the following choices:
- Use database replication, and have all private key material 
  distributed to all nameservers
- Use default AXFR instead of database replication to get zones 
  transferred from this machine to the rest of the world, to 
  prevent the key material from being spread
- Try to hack something on database level that filters out key
  material and only distributes the "public parts" of the database


With the possibility to say "use this database backend for private 
key material only", I could use another database backend to store
the signed zones, replicate this database and nonetheless neither
spread my private keys nor need to hack something nor say byebye 
to database replication simplicity.


Or am I greatly mistaken somewhere?

kind regards,

Sebastian


