[Pdns-users] Best way of replication

Peter Thomassen peter at desec.io
Tue May 19 12:52:23 UTC 2015


I am running a hidden primary and two slaves which are exposed to the
public. I would like to use DNSSEC, and keep the private keys on the
hidden primary. I'm using the MySQL backend.

As far as I know, there are two (or more?) ways to set up replication:

- AXFR-based. In this case, private keys are not transmitted to the slaves.

- MySQL replication. In this case, the whole database is replicated,
including the private keys.

MySQL replication seems to be more reliable to me than AXFR replication
(I observed occasional timeouts with AXFR zone updates, especially
intercontinentally), and also more real-time.

I am looking for a reliable way of replication without replicating
private keys. I can think of two ways:

- Set up PowerDNS to write RRSIG etc. records to the records table (i.e.
"managed DNSSEC" like in live mode, but saved to the database). Then,
replicate only certain MySQL tables. Is it possible to set up PowerDNS
in this way?

- Run a second PowerDNS instance locally (along with the hidden primary)
which retrieves zones via AXFR, hopefully very reliably (since locally),
and then use MySQL replication from this instance to the public slaves.

Which way do you think is best? Are there any other ways to achieve this?


OpenPGP Key: 0x3EF22D2F
