[Pdns-users] Security of DNSSEC signing (was: New to PowerDNS)

Michael Ströder michael at stroeder.com
Thu Jun 26 23:26:07 UTC 2014


ktm at rice.edu wrote:
> On Thu, Jun 26, 2014 at 10:21:06PM +0100, Jorge Bastos wrote:
>> For the DNSSEC part, is there a way to create the DNSSEC information just by SQL?
>>
>> If not, the solution is to run "pdnssec secure-zone ZONE" in a loop on a cron script, am I right?
> 
> I do not know about a SQL-only solution for MySQL DNSSEC signing, but I
> know that there is a sample schema for Oracle that includes the needed
> triggers and functions and that I have a basically complete version of
> the same for PostgreSQL that I will be submitting to the PDNS folks once
> we have it vetted for production.

Hmm, am I the only one who is concerned about the security of the signing process?

Please don't get me wrong. But people are advocating DANE nowadays and aim to
completely replace X.509 certs with that. So security of the signed RRs is
crucial just like issuing X.509 certs. And yes, I know that it's hard to
achieve a higher level of operational security.

Ciao, Michael.

