[Pdns-users] Huge PDNS+DNSSEC setup-Need help

Fri Apr 13 02:51:29 UTC 2012

Hi.

Responses below (Peter or Bert, correct me if I'm wrong or not clear enough)

--
José Arthur Benetasso Villanova

On 12/04/2012, at 22:44, PARTH MONGA <kprprl at gmail.com> wrote:

> HI Friends
>
> I am new to PowerDNS and DNSSEC and i am in the installation stage of it for my organisation moving from BIND, planned to take over 5 lakh+ domains on it with dnssec enabled
> Details of the setup:
> 9 nodes mysql cluster Geographically distributed:will be using mysql as a backend and replication will be taken care by mysql
> Each PDNS running local copy of mysql
> PowerDNS version 3.0.1
> Poweradmin as gui interface
>
> Have following queries:
>
> 1-Can i have secured(DNSSEC) and unsecured zones(NORMAL ZONES) both in one PowerDNS Server having mysql as backend?
>
Yes. You should sign the zone using 'pdnssec secure-zone example.com'
or leave as is to not use dnssec. Please make sure that the auth field
in table records is set properly.

> 2-When it is advised to roll over the keys in DNSSEC secured zones.DO i have to roll over the keys each time when i make changes to a secured zone data(like changing A records or Mx Records) or it will be automatically taken care by PDNS.Please elaborate this key roll over mechanism,a lot of confusion is there..

Taken from the manual:

"PowerDNS supports serving pre-signed zones, as well as online
('live') signed operations. In the last case, Signature Rollover and
Key Maintenance are fully managed by PowerDNS."

When you add / remove records, you need to call 'pdnssec rectify-zone
example.com' to make sure that the records orders are set properly.
This is important to use NSEC, that need the record before and after
to give a signed denial of existence. As far I remember, the field
content is not use in NSEC, so you can change this at will.
>
> 3-What decides when to go for NSEC or NSEC3.Please elaborate will be a great tip for all the list users.

NSEC3 mitigate the zone listing issue, so I think that is a better
option. There is a pdns exclusive option called 'narrow', please read
the docs about it.

> 4-What is the NATIVE word in zone type.I understand master and slave,What NATIVE refers to.

NATIVE replication means any kind of replication outside DNS, like
database replication (my preferred). By your description, that's the
one you'll use.
>
> Will be posting a complete setup document once my PowerDns Cluster is up and running so all other list members as well as community can refer to it,Provided i get successful
> Wishful thinking :)
>
> Thanks & Regards
> Best Wishes
> Parth
>
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> http://mailman.powerdns.com/mailman/listinfo/pdns-users