[Pdns-users] Huge PDNS+DNSSEC setup-Need help (Peter van Dijk)

PARTH MONGA kprprl at gmail.com
Sun Apr 15 13:00:31 UTC 2012


Hi Peter

So as you said key rollovers are not mandated, so that means if I created a KSK
and ZSK for a domain, they will last through the whole zone lifecycle for as
long as it is live and secured.
As I am new to DNSSEC, can you please give me the best practice in handling
keys, like when I should intentionally go for a key rollover, which key is to
be rolled over (KSK or ZSK or both) and how frequently.
Please shed some light on this.

Thanks & Regards
Parth Monga
Net4 India Ltd


Date: Fri, 13 Apr 2012 13:30:37 +0200
From: Peter van Dijk <peter.van.dijk at netherlabs.nl>
Subject: Re: [Pdns-users] Pdns-users Digest, Vol 111, Issue 16
To: pdns-users Users <pdns-users at mailman.powerdns.com>
Message-ID: <A0334D1A-2895-48D1-A60B-2E11B7C9AEC0 at netherlabs.nl>
Content-Type: text/plain; charset=iso-8859-1

Hi,

On Apr 13, 2012, at 13:25 , PARTH MONGA wrote:

> Hi Peter
>
> Can you please also update me about
> how to set NSEC3 narrow settings for a secured zone and how to do the
> same in NSEC3 inclusive mode.

Please read
http://doc.powerdns.com/pdnssec.html
http://doc.powerdns.com/domainmetadata.html

> And as Jose said in the very first reply, can you please confirm whether
> I have to perform a key rollover if I make any changes in a secure zone
> or PDNS manages that part automatically.

Key rollovers are never mandatory (except when changing from NSEC to NSEC3
on a domain where DS records have already been published to the parent).
PDNS does not manage key rollovers automatically, by the way.

Kind regards,
--
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/

On Sat, Apr 14, 2012 at 3:30 PM, <pdns-users-request at mailman.powerdns.com>
 wrote:

> Send Pdns-users mailing list submissions to
>        pdns-users at mailman.powerdns.com
>
> To subscribe or unsubscribe via the World Wide Web, visit
>        http://mailman.powerdns.com/mailman/listinfo/pdns-users
> or, via email, send a message with subject or body 'help' to
>        pdns-users-request at mailman.powerdns.com
>
> You can reach the person managing the list at
>        pdns-users-owner at mailman.powerdns.com
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Pdns-users digest..."
>
>
> Today's Topics:
>
>   1. Re: Pdns-users Digest, Vol 111, Issue 16 (PARTH MONGA)
>   2. Re: Pdns-users Digest, Vol 111, Issue 16 (Peter van Dijk)
>   3. Re: Strange recursor TTL behaviour for specific host
>      (Wouter de Jong)
>   4. Re: Strange recursor TTL behaviour for specific host
>      (Peter van Dijk)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 13 Apr 2012 16:55:10 +0530
> From: PARTH MONGA <kprprl at gmail.com>
> Subject: Re: [Pdns-users] Pdns-users Digest, Vol 111, Issue 16
> To: pdns-users at mailman.powerdns.com
> Cc: peter.van.dijk at netherlabs.nl
> Message-ID:
>        <CACBBYcN_nV0PMZNhH7SCQ3dcxLx2p60V2_jPm=RWtxtx+akk3g at mail.gmail.com
> >
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi Peter
>
> Thanks a lot for the valuable input.
> Appreciated!!!!!!!
> So I think I am close to wrapping up my installation with 9 nodes in the
> cluster.
> Can you please also update me about
> how to set NSEC3 narrow settings for a secured zone and how to do the same
> in NSEC3 inclusive mode.
>
> And as Jose said in the very first reply, can you please confirm whether
> I have to perform a key rollover if I make any changes in a secure zone or
> PDNS manages that part automatically.
>
> The info would be of great help in my setup.
> I really appreciate your and Jose's input on my queries.
>
> Thanks a lot
>
> Best Regards
> Parth Monga
>
> > 2- When is it advised to roll over the keys in DNSSEC secured zones? Do I
> > have to roll over the keys each time I make changes to a secured zone's
> > data (like changing A records or MX records), or will it be automatically
> > taken care of by PDNS? Please elaborate on this key rollover mechanism, as
> > there is a lot of confusion about it.
>
> Taken from the manual:
>
> "PowerDNS supports serving pre-signed zones, as well as online
> ('live') signed operations. In the last case, Signature Rollover and
> Key Maintenance are fully managed by PowerDNS."
>
> When you add / remove records, you need to call 'pdnssec rectify-zone
> example.com' to make sure that the record ordering is set properly.
> This is important for NSEC, which needs the record before and after
> to give a signed denial of existence. As far as I remember, the content
> field is not used in NSEC, so you can change it at will.
>
>
> On Fri, Apr 13, 2012 at 3:30 PM, <pdns-users-request at mailman.powerdns.com
> >wrote:
>
> > Today's Topics:
> >
> >   1. Re: Huge PDNS+DNSSEC setup-Need help (Peter van Dijk)
> >
> >
> > ----------------------------------------------------------------------
> >
> > Message: 1
> > Date: Fri, 13 Apr 2012 10:58:00 +0200
> > From: Peter van Dijk <peter.van.dijk at netherlabs.nl>
> > Subject: Re: [Pdns-users] Huge PDNS+DNSSEC setup-Need help
> > To: pdns-users Users <pdns-users at mailman.powerdns.com>
> > Message-ID: <883423D7-537D-472A-A01E-A7FBAF4144B7 at netherlabs.nl>
> > Content-Type: text/plain; charset=iso-8859-1
> >
> > Hi,
> >
> > On Apr 13, 2012, at 10:37 , PARTH MONGA wrote:
> >
> > > That for sure I will go with NSEC3, but which to actually hit,
> > > NSEC3-inclusive or NSEC3-narrow?
> > >
> > > Please advise, as I am not able to figure out the difference between both
> > > NSEC3 modes.
> >
> > Benefits of narrow mode:
> > - order name field does not matter (auth field still does)
> > - no brute forcing calculation of names in your zones
> >
> > Downsides of narrow mode:
> > - you cannot have AXFR slaves, all slaves need to be NATIVE (which would
> > work for you)
> >
> > Benefits of inclusive mode:
> > - behaviour is closer to what other name servers do, easier to understand
> > when you get a DNSSEC expert to debug something
> > - receives more testing than narrow
> >
> > Kind regards,
> > --
> > Peter van Dijk
> > Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
> >
> >
> >
> > ------------------------------
> >
> > _______________________________________________
> > Pdns-users mailing list
> > Pdns-users at mailman.powerdns.com
> > http://mailman.powerdns.com/mailman/listinfo/pdns-users
> >
> >
> > End of Pdns-users Digest, Vol 111, Issue 16
> > *******************************************
> >
>
> ------------------------------
>
> Message: 3
> Date: Fri, 13 Apr 2012 17:59:08 +0200
> From: Wouter de Jong <wouter at widexs.nl>
> Subject: Re: [Pdns-users] Strange recursor TTL behaviour for specific
>        host
> To: pdns-users Users <pdns-users at mailman.powerdns.com>
> Message-ID: <20120413155907.GA57124 at widexs.nl>
> Content-Type: text/plain; charset=us-ascii
>
> Hi Peter,
>
> On Thu, Apr 12, 2012 at 08:09:01PM +0200, Peter van Dijk wrote:
>
> > > As you can see, TTL 37 -> 34 -> 30 -> 27 -> 24 -> 32
> > >
> > > I'm wondering what could be causing this ?
> >
> > Try threads=1 in recursor.conf. If that causes it, there is no need for
> alarm :)
>
> Great, that seems to explain it indeed :)
>
> Apparently, default threads= setting > 1 ?
>
> Best regards,
>
> Wouter
>
>
> ------------------------------
>
> Message: 4
> Date: Sat, 14 Apr 2012 11:10:39 +0200
> From: Peter van Dijk <peter.van.dijk at netherlabs.nl>
> Subject: Re: [Pdns-users] Strange recursor TTL behaviour for specific
>        host
> To: pdns-users Users <pdns-users at mailman.powerdns.com>
> Message-ID: <A7CBB02F-94E3-44F8-8C76-780F06C77693 at netherlabs.nl>
> Content-Type: text/plain; charset=us-ascii
>
> Hi Wouter,
>
> On Apr 13, 2012, at 17:59 , Wouter de Jong wrote:
>
> > Apparently, default threads= setting > 1 ?
>
>
> Yes - see 'pdns_recursor --config' for all defaults.
>
> Kind regards,
> --
> Peter van Dijk
> Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
>
>
>
> ------------------------------
>
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> http://mailman.powerdns.com/mailman/listinfo/pdns-users
>
>
> End of Pdns-users Digest, Vol 111, Issue 17
> *******************************************
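Peter's comparison of narrow and inclusive NSEC3 above, worked through as an added example (not code from the thread or from PowerDNS itself): it computes RFC 5155 NSEC3 hashes for a constructed five-name zone, shows the stored, sorted chain that inclusive mode serves (the ordering rectify-zone writes into the ordername field) and why that chain exposes real name hashes to offline guessing, beside the synthesized hash-1/hash+1 record used here to model narrow mode. The name list and the white-lie construction for narrow mode are assumptions of this example.

```python
import base64
import hashlib

# Constructed demo: zone "example." with salt aabbccdd and 12 iterations,
# the NSEC3 parameters used in RFC 5155 Appendix A.
SALT = bytes.fromhex("aabbccdd")
ITERATIONS = 12
NAMES = ["example.", "a.example.", "ns1.example.", "ns2.example.", "w.example."]
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name):
    """Canonical wire form: lowercase, length-prefixed labels, root byte."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, salt=SALT, iterations=ITERATIONS):
    """RFC 5155 section 5: SHA-1(name || salt), re-hashed `iterations` times."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest

def to_b32hex(digest):
    """Lowercase base32hex (RFC 4648 section 7), the NSEC3 owner-name encoding."""
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()

def inclusive_chain(names):
    """Inclusive mode: the hash of every name is stored and kept sorted; this is
    the ordering pdnssec rectify-zone writes into the ordername field."""
    return sorted(nsec3_hash(n) for n in names)

def inclusive_covering(chain, qname):
    """Return (owner, next) of the stored NSEC3 whose interval covers qname's hash."""
    h = nsec3_hash(qname)
    for i, owner in enumerate(chain):
        nxt = chain[(i + 1) % len(chain)]
        wraps = owner > nxt  # last record points back to the first
        if owner < h < nxt or (wraps and (h > owner or h < nxt)):
            return to_b32hex(owner), to_b32hex(nxt)
    raise LookupError("qname exists: its hash is an owner, not a gap")

def narrow_white_lie(qname):
    """Narrow mode: synthesize a minimal covering record around the query hash
    (the RFC 4470 white-lie construction, assumed here to model narrow mode).
    Nothing is stored and the response leaks no real name hash."""
    h = int.from_bytes(nsec3_hash(qname), "big")
    lo, hi = (h - 1) % (1 << 160), (h + 1) % (1 << 160)
    return to_b32hex(lo.to_bytes(20, "big")), to_b32hex(hi.to_bytes(20, "big"))
```

A full NXDOMAIN proof also needs closest-encloser and wildcard records; the covering record shown is the part where the two modes differ.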