[Pdns-users] DNSSEC live signing in complex setup
Klaus Darilion
klaus.mailinglists at pernau.at
Fri May 24 16:14:19 UTC 2013
Hi!
We have the following setup:
customer master
unsigned ------------\
                      \
                       \
customer master --AXFR---> hidden master ------------> public name servers
presigned             /       (pdns)                        (pdns)
                     /        SLAVE                         NATIVE
                    /           |                              |
                   /        Postgresql ------------> Postgresql
                  /           Master                   Slaves
customer master  /
unsigned, live --/
signing by PDNS
The PDNS hidden master receives the zones per AXFR, and stores them into
the DB (type=SLAVE). The DB is replicated to public name servers. During
replication the type is changed from SLAVE to NATIVE.
Currently we support unsigned and pre-signed zones. I want to add
support for live-signing. As far as I see that shouldn't be a problem as
I replicate all PDNS tables to the public masters. If I got it right, I
can do all the DNSSEC configuration and management (eg rollovers) on the
Master PDNS and the signing is actually done on the public name servers
when answering the DNS queries - right?
I did some basic testing and everything works fine, except that the
SOA's serial stays constant also during ZSK and KSK roll-overs. Is this
the expected behavior? E.g. Bind in inline-signing mode increases the
serial on roll-overs and re-signing.
Is there anything further I have to worry about? IMO it is "too easy" to
add live signing. :-)
Thanks
Klaus
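An added check for the two things the post raises, not code from the post or from PowerDNS: whether a DNSKEY change arrives without an SOA serial change, and whether all public name servers (fed from replicated Postgresql slaves) serve the same serial and key set. It assumes the operator collects a (serial, DNSKEY set) snapshot per server, e.g. from dig output; the snapshots below are constructed sample data.

```python
from collections import Counter
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Snapshot:
    server: str           # public name server that answered
    serial: int           # SOA serial in the answer
    dnskeys: frozenset    # DNSKEY RDATA strings as served


def key_fingerprint(dnskeys):
    """Order-independent fingerprint of a DNSKEY RRset."""
    h = hashlib.sha256()
    for rr in sorted(dnskeys):
        h.update(rr.encode() + b"\n")
    return h.hexdigest()[:16]


def rollover_without_serial_bump(before, after):
    """True when the DNSKEY set changed but the SOA serial did not:
    anything that decides "zone unchanged" from the serial alone will
    miss the rollover."""
    return before.serial == after.serial and before.dnskeys != after.dnskeys


def lagging_servers(snapshots):
    """Servers whose (serial, DNSKEY set) differs from the majority view,
    i.e. candidates for replication lag between the DB master and slaves."""
    state = lambda s: (s.serial, key_fingerprint(s.dnskeys))
    majority, _ = Counter(state(s) for s in snapshots).most_common(1)[0]
    return sorted(s.server for s in snapshots if state(s) != majority)


# Constructed sample data (not real keys): ns2 still serves the old ZSK.
KSK = "257 3 8 AwEAAOLDksk1"
OLD_ZSK = "256 3 8 AwEAAOLDzsk1"
NEW_ZSK = "256 3 8 AwEAAOLDzsk2"
BEFORE = Snapshot("ns1", 2013052401, frozenset({KSK, OLD_ZSK}))
AFTER = Snapshot("ns1", 2013052401, frozenset({KSK, NEW_ZSK}))
PUBLIC = [AFTER,
          Snapshot("ns2", 2013052401, frozenset({KSK, OLD_ZSK})),
          Snapshot("ns3", 2013052401, frozenset({KSK, NEW_ZSK}))]

if __name__ == "__main__":
    print("rollover without serial bump:",
          rollover_without_serial_bump(BEFORE, AFTER))
    print("lagging servers:", lagging_servers(PUBLIC))
```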