[Pdns-users] knowing the DNSKEY

Gilles Massen gilles.massen at restena.lu
Wed Aug 21 09:30:53 UTC 2013

Hi Peter,

>> For our provisioning system I need to know the DNSKEY of a zone quickly
>> after the zone has been created (ideally the DS...). When assigning a
>> key to a domain (in the DB backend), it takes a few seconds before
>> PowerDNS actually serves the DNSKEY. What is the maximum delay for the
>> DNSKEY to show up?
> Unless you queried the DNSKEY before you created the zone, ...

Ah, that could have been the case. How long is the internal NX cache
(worst case)? Is that the same for any records or zone related
information (like the existence of keys)?

> I don't really
> see a reason for there to be any delay. Can you describe your exact steps?
> Specifically, how are you creating the keys?

After making sure that I didn't query before "activating" the key,
results were immediate. What I'm doing is pregenerate keys for a dummy
zone, and put them away in a separate table (I like it tidy...). Signing
a zome is then copying the key back to cryptokeys, fixing the domain_id
and setting active=1.

>> Having the cryptokey entry, would it be easy to compute the DNSKEY,
>> without help from PowerDNS? I must confess that I couldn't figure it out
>> from the sources...
> It's an algorithm-dependent crypto operation - I would recommend against doing
> it yourself. 

That's what I feared...but agreed.

> However, be aware that 'pdnssec show-zone' will give you both DNSKEY
> and DS, and will work immediately after creating the keys.

Yes, but I pre-generate the keys and want to avoid commandline tools
during normal operation. This said, I could run it and extract/store the
DNSKEY at generation time, and compute the DS when I know which domain
it will be assigned to.


Fondation RESTENA - DNS-LU
6, rue Coudenhove-Kalergi
L-1359 Luxembourg
tel: (+352) 424409
fax: (+352) 422473

More information about the Pdns-users mailing list