[Pdns-users] DNSSEC live signing in complex setup

Jan-Piet Mens jpmens.dns at gmail.com
Fri May 24 16:49:24 UTC 2013


> I did some basic testing and everything works fine, except that the
> SOA's serial stays constant also during ZSK and KSK roll-overs. Is
> this the expected behavior? E.g. BIND in inline-signing mode
> increases the serial on roll-overs and re-signing.

Have you looked at (and tweaked) the SOA-EDIT domainmetadata? You set it
on a per-zone basis, and it bumps the SOA serial number in one of
several formats for you.

> Is there anything further I have to worry about? IMO it is "too easy"
> to add live signing. :-)

My head is a bit woozy, so I haven't very carefully studied your
message, but no: it is indeed very easy to add live signing to PowerDNS :)


