[Pdns-users] Different RRSIG's on master and slaves

Peter van Dijk peter.van.dijk at netherlabs.nl
Thu Sep 26 08:16:16 UTC 2013


Hello,

On Sep 26, 2013, at 9:37 , Posner, Sebastian wrote:

>> -----Urspr√ľngliche Nachricht-----
>> Von: pdns-users-bounces at mailman.powerdns.com [mailto:pdns-users-
>> bounces at mailman.powerdns.com] Im Auftrag von mvdgeijn
>> Gesendet: Mittwoch, 25. September 2013 11:51
>> An: pdns-users at mailman.powerdns.com
>> Betreff: Re: [Pdns-users] Different RRSIG's on master and slaves
>> 
>> On both the master and slave servers "pdnssec show-zone" shows that
>> the zone is not pre-signed.
> 
> CMIIW, but if replication is done via AXFR, zone MUST be set to pre-signed 
> on all slaves, otherwise they will start signing it on their own, using 
> self-generated key material.

This is mostly correct. These days, PowerDNS sets the pre signed flag automatically when needed. Also, PowerDNS will never automatically sign - only if the admin adds keys, usually through 'pdnssec secure-zone'.

> You can only have the zone non-presigned on multiple servers if replication
> is provided within the dnssec-capable backend, because the cryptokeys-table
> MUST be replicated to all live-signing servers. And AXFR can't do that.

Indeed!

Kind regards,
-- 
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20130926/742d89be/attachment-0001.sig>


More information about the Pdns-users mailing list