[Pdns-users] DNSSEC live signing in complex setup

Klaus Darilion klaus.mailinglists at pernau.at
Fri May 24 16:14:19 UTC 2013


We have the following setup:

customer master
unsigned   ------------\
customer master  --AXFR---> hidden master        public name servers
presigned                /    (pdns)                   (pdns)
                         /      SLAVE                   NATIVE
                        /        |                        |
                       /     Postgresql ------------> Postgresql
                      /       Master                   Slaves
cusomter master     /
unsigned, live ----/
signing by PDNS

The PDNS hidden master receives the zones per AXFR, and stores them into 
the DB (type=SLAVE). The DB is replicated to public name servers. During 
replication the type is changed from SLAVE to NATIVE.

Currently we support unsigned and pre-signed zones. I want to add 
support for live-signing. As far as I see that shouldn't be a problem as 
I replicate all PDNS tables to the public masters. If I got it right, I 
can do all the DNSSEC configuration and management (eg rollovers) on the 
Master PDNS and the signing is actually done on the public name servers 
when answering the DNS queries - right?

I did some basic testing and everything works fine, except that the 
SOA's serial stays constant also during ZSK and KSK roll-overs. Is this 
the expected behavior? E.g. Bind in inline-signing mode increases the 
serial on roll-overs and re-signing.

Is there anything further I have to worry about? IMO it is "to easy" to 
add live signing. :-)


More information about the Pdns-users mailing list