[Pdns-users] MyDNS-Bind Migration and DNSSEC

Mark Scholten mark at streamservice.nl
Sat Dec 14 21:15:20 UTC 2013

Hello Eric,


You can run the tool "pdnssec" with option "show-zone" and the domain, e.g.:
pdnssec show-zone highoctanebrands.com


This shows the information the registry needs (DS and DNSKEY are shown). You
should only upload the key signing key and not the zone signing key. Weekly
zone signing key rollover is fully automated with PowerDNS (and keys are valid
for 2 or 3 weeks, if I'm correct).


You can assign multiple keys to 1 zone for key rollover and if you take
enough time it should work without problems (I didn't test it). For secure
transfers it is also possible to add another DNSKEY in your zone.


Kind regards,


Mark Scholten
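As an added illustration of what "pdnssec show-zone" prints and why only the key signing key goes to the registrar (example code written for this thread, not PowerDNS's own code): a DS record is derived from the DNSKEY record as in RFC 4034, and the SEP flag (flags 257 for a KSK versus 256 for a ZSK) is what separates the two. The DNSKEY values below are constructed and are not real keys; the RSA/MD5 key-tag special case is left out.

```python
import base64
import hashlib
import struct

# Constructed sample DNSKEY RRset (owner, flags, protocol, algorithm, base64 key).
# 257 = KSK (Zone Key + SEP bits), 256 = ZSK. The key bytes are made up.
SAMPLE_DNSKEYS = [
    ("highoctanebrands.com.", 257, 3, 8, base64.b64encode(b"\x01\x02\x03\x04").decode()),
    ("highoctanebrands.com.", 256, 3, 8, base64.b64encode(b"\x05\x06\x07\x08").decode()),
]

# DS digest types: 1 = SHA-1, 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605).
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name):
    """Canonical (lowercased) wire-format owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (non-RSA/MD5 algorithms)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """The DS record belonging to one DNSKEY: digest(owner wire || DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)

def is_ksk(flags):
    """Zone Key bit (256) and SEP bit (1) both set, i.e. flags 257."""
    return flags & 0x0101 == 0x0101

def registrar_ds_records(dnskeys, digest_type=2):
    """Only the KSK(s) are submitted; the automatically rolled ZSKs stay out."""
    return [ds_from_dnskey(*k, digest_type=digest_type) for k in dnskeys if is_ksk(k[1])]

if __name__ == "__main__":
    for tag, alg, dtype, digest in registrar_ds_records(SAMPLE_DNSKEYS):
        print(f"highoctanebrands.com. IN DS {tag} {alg} {dtype} {digest}")
```

Comparing the printed DS line with the "DS =" line from "pdnssec show-zone" confirms the two agree before anything is sent to the registrar.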


From: pdns-users-bounces at mailman.powerdns.com
[mailto:pdns-users-bounces at mailman.powerdns.com] On Behalf Of Eric Haskins
Sent: 13 December, 2013 18:30
To: pdns-users at mailman.powerdns.com
Subject: Re: [Pdns-users] MyDNS-Bind Migration and DNSSEC




Thank you, we did manage to get it to work via auth = 1. I have one
other question in regards to the DS and DNSKEY records. From a registry
perspective, ICANN requires registrars to provide a mechanism allowing a
domain owner to secure a zone. The registrar has to submit the DS and
DNSKEY values to the registrar via API; is there a way to get these records,
since it appears PowerDNS is building them on the fly when requested? This and
rollover are our last hurdles.


Thx again Peter 

Eric Haskins

High Octane Brands LLC
PHP/MySQL Developers ~ E-Commerce Specialists

Magento, OpenCart, WordPress Optimized Hosting

978-905-9603 Cell


On Fri, Dec 13, 2013 at 12:11 PM, Peter van Dijk
<peter.van.dijk at netherlabs.nl> wrote:

Hello Eric,

On Dec 13, 2013, at 17:42 , Eric Haskins wrote:

> I am in the middle of migration testing for 330K domains and 1.8 million
> records from a MyDNS with a Bind MySQL backend to PowerDNS with PDNSSEC
> with gmysql backend. We have had no issue migrating zones and records after
> creating the scripts. Our issue lies in serving the zones.
> I am finding unless I run pdnssec rectify-zone xyz.com I will see this in
> monitor and no answer will be provided:
> Dec 13 09:58:35 Should not get here (xyz.com|1): please run pdnssec
> Upon running rectify-zone all behaves properly. I thought I could run
> normal and secured zones on one server? We are inserting NULL in
> ordername and auth, could this be the cause?

You have a few options:
1) remove gmysql-dnssec from your configuration. This will fully disable
DNSSEC, and also disable all features that use the domainmetadata table. It
will also make PowerDNS ignore ordername and auth and this error will go
2) keep gmysql-dnssec, and "fake up" ordername and auth. For non-DNSSEC
domains, put 1 in auth. ordername is ignored so NULL is a good value for it.

If you do want to support DNSSEC for (some) domains, please read
http://doc.powerdns.com/html/dnssec-modes.html#dnssec-direct-database very
carefully and/or use rectify-zone after zone data changes.

Kind regards,
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/

Pdns-users mailing list
Pdns-users at mailman.powerdns.com

