[Pdns-users] trying to understand pdns and dnssec

Eric Beck ericbeck at cadns.ca
Wed Nov 8 16:59:10 UTC 2017


Hello All,

New at PowerDNS.  Implemented pdns Centos 7, native mysql setup.
MariaDB 10.2.10, PowerDNS 4.1rc2

We are using .ca domains for testing.  We have run
pdnsutil secure-zone ZONE on two domains now with success after
submitting DNSKEY+DS(sha256) to CIRA.

My question is concerning key rollovers.  It is my understanding that
pdns uses inline signing (which I'm not sure I completely understand
yet), but the gist of what I understand is that

for domain.ca (changed for security)

1. DNSKEY does not change
2. DS record at CIRA (registry) does not change
3. RRSIG records created on the fly, and will rollover automatically?
example below

domain.ca.                120     IN      RRSIG   A 13 2 120
20171116000000 20171026000000 6782 domain.ca.
8VbQZdC61XGIVIOjq4WVrpWne+Hr9dx9LlKAWgmmgYNjMC8DeFro1MsW
6XUdp6pujunpmKzVZ+xxxxxxxxxxPQ==

What I don't understand is that this particular domain we just secured
today. The RRSIG expiry is 16 Nov. and it says the valid from is Oct. 26.

I don't get that.  It's the same for the other domain we used to test,
but it was secured earlier, more than a few days ago, and it says the
same thing:

domain2.ca

RRSIG   A 13 2 120 20171116000000 20171026000000 56566 domain2.ca.
ynIl32Wyl9theZx0Vi5u1GJS2ObDqUoLI+h7knzRjQrHpPDl/Bwesrxj
VmHWjmDunMYfxxxxxxxxxxlOUvX3Rw==

so this one still has the exact same RRSIG parameters, good til Nov. 16
and started Oct. 26

This is not making sense to me, and any help would be appreciated.  I
have read and read pdns docs, dnssec docs, and this eludes my comprehension.

Am I to understand though, that the RRSIGs created by inline signing on
the fly by pdns will automatically keep being rolled over, i.e. re-created
with newer expiry dates and good-from dates?

Thanks for any and all help.

Eric
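The two timestamps above are not tied to the moment the zone was secured but to a weekly schedule. The following is an added illustration (not code from the post or from PowerDNS) that reimplements the window PowerDNS's inline signer uses: inception is one week before the most recent Thursday 00:00 UTC (a Unix-epoch week boundary), expiration is two weeks after it, and a fresh window is produced each Thursday. The input dates are constructed from the post; they reproduce the Oct 26 / Nov 16 window for a zone signed on Nov 8, 2017.

```python
# Added illustration of the RRSIG validity window as computed by PowerDNS's
# inline signer (a reimplementation for explanation, not pdns code).
from __future__ import annotations
from datetime import datetime, timezone

WEEK = 7 * 86400          # seconds per week
RRSIG_FMT = "%Y%m%d%H%M%S"  # timestamp form used in RRSIG presentation format
ISO_FMT = "%Y-%m-%d %H:%M:%S"


def start_of_week(now: int) -> int:
    """Most recent Unix-epoch week boundary at or before `now`.

    The epoch (1970-01-01) was a Thursday, so this is a Thursday 00:00 UTC."""
    return now - (now % WEEK)


def rrsig_validity(now: int) -> tuple[int, int]:
    """(inception, expiration) in Unix seconds: one week before the Thursday
    boundary and two weeks after it, i.e. a three-week window refreshed weekly."""
    thursday = start_of_week(now)
    return thursday - WEEK, thursday + 2 * WEEK


def to_epoch(text: str, fmt: str = ISO_FMT) -> int:
    """Parse a UTC timestamp string into Unix seconds."""
    return int(datetime.strptime(text, fmt).replace(tzinfo=timezone.utc).timestamp())


def fmt_rrsig(ts: int) -> str:
    """Render Unix seconds in the YYYYMMDDHHMMSS form seen in RRSIG records."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime(RRSIG_FMT)


def rrsig_window_for(utc: str) -> tuple[str, str]:
    """Inception and expiration strings for a zone served/signed at `utc`."""
    inception, expiration = rrsig_validity(to_epoch(utc))
    return fmt_rrsig(inception), fmt_rrsig(expiration)


def next_refresh(utc: str) -> str:
    """When a new window first appears: the next Thursday 00:00 UTC after `utc`."""
    return fmt_rrsig(start_of_week(to_epoch(utc)) + WEEK)


def covers(utc: str, inception: str, expiration: str) -> bool:
    """True if a validator checking at `utc` finds the signature timely."""
    t = to_epoch(utc)
    return to_epoch(inception, RRSIG_FMT) <= t <= to_epoch(expiration, RRSIG_FMT)


if __name__ == "__main__":
    # Constructed input: the day and time of the post, Wed 8 Nov 2017 16:59:10 UTC.
    print(rrsig_window_for("2017-11-08 16:59:10"))  # ('20171026000000', '20171116000000')
    print(next_refresh("2017-11-08 16:59:10"))      # 20171109000000
```

Because the window is keyed to the Thursday boundary rather than the signing time, two zones secured days apart within the same week carry identical inception and expiration values, which is what both domains above show.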

