[Pdns-users] Pdns-users Digest, Vol 111, Issue 16

PARTH MONGA kprprl at gmail.com
Fri Apr 13 11:25:10 UTC 2012

Hi Peter

Thanks a lot for the valuable input.
So i think am close to wrap up my installation with 9 nodes in the cluster
Can you please also update me about
how to set NSEC3 narrow settings for a secured zone and how to do the same
in NSEC3 inclusive mode.

And as Jose said in the very first reply,Can you please confirm me that do
i have to perform a key rollover if i make any changes in a secure zone or
PDNS manages that part automatically.

Info would of great help in my setup.
Really appreciated your's and jose input on my queries

Thanks a lot

Best Regards
Parth Monga

> 2-When it is advised to roll over the keys in DNSSEC secured zones.DO i
have to roll over the keys each time when i make changes to a secured zone
data(like changing A records or Mx Records) or it will be automatically
taken care by PDNS.Please elaborate this key roll over mechanism,a lot of
confusion is there..

Taken from the manual:

"PowerDNS supports serving pre-signed zones, as well as online
('live') signed operations. In the last case, Signature Rollover and
Key Maintenance are fully managed by PowerDNS."

When you add / remove records, you need to call 'pdnssec rectify-zone
example.com' to make sure that the records orders are set properly.
This is important to use NSEC, that need the record before and after
to give a signed denial of existence. As far I remember, the field
content is not use in NSEC, so you can change this at will.

On Fri, Apr 13, 2012 at 3:30 PM, <pdns-users-request at mailman.powerdns.com>wrote:

> Send Pdns-users mailing list submissions to
>        pdns-users at mailman.powerdns.com
> To subscribe or unsubscribe via the World Wide Web, visit
>        http://mailman.powerdns.com/mailman/listinfo/pdns-users
> or, via email, send a message with subject or body 'help' to
>        pdns-users-request at mailman.powerdns.com
> You can reach the person managing the list at
>        pdns-users-owner at mailman.powerdns.com
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Pdns-users digest..."
> Today's Topics:
>   1. Re: Huge PDNS+DNSSEC setup-Need help (Peter van Dijk)
> ----------------------------------------------------------------------
> Message: 1
> Date: Fri, 13 Apr 2012 10:58:00 +0200
> From: Peter van Dijk <peter.van.dijk at netherlabs.nl>
> Subject: Re: [Pdns-users] Huge PDNS+DNSSEC setup-Need help
> To: pdns-users Users <pdns-users at mailman.powerdns.com>
> Message-ID: <883423D7-537D-472A-A01E-A7FBAF4144B7 at netherlabs.nl>
> Content-Type: text/plain; charset=iso-8859-1
> Hi,
> On Apr 13, 2012, at 10:37 , PARTH MONGA wrote:
> > That for sure i will go with NSEC3 but whom to actually  hit
> > NSEC3-inclusive or NSEC3-narrow
> >
> > Please advice as not able to figure the difference between both NSEC3
> modes.
> Benefits of narrow mode:
> - order name field does not matter (auth field still does)
> - no brute forcing calculation of names in your zones
> Downsides of narrow mode:
> - you cannot have AXFR slaves, all slaves need to be NATIVE (which would
> work for you)
> Benefits of inclusive mode:
> - behaviour is closer to what other name servers do, easier to understand
> when you get a DNSSEC expert to debug something
> - receives more testing than narrow
> Kind regards,
> --
> Peter van Dijk
> Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
> ------------------------------
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> http://mailman.powerdns.com/mailman/listinfo/pdns-users
> End of Pdns-users Digest, Vol 111, Issue 16
> *******************************************
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20120413/dcdc8ac7/attachment.html>

More information about the Pdns-users mailing list