[Pdns-users] trying to understand pdns and dnssec

Eric Beck ericbeck at cadns.ca
Wed Nov 8 16:59:10 UTC 2017

Hello All,

New at PowerDNS.  Implemented pdns Centos 7, native mysql setup.
MariaDB 10.2.10, PowerDNS 4.1rc2

We are using .ca domains for testing.  We have run
pdnsutil secure-zone ZONE on two domains now with success after
submitting DNSKEY+DS(sha256) to CIRA.

My question is concerning key rollovers.  It is my understanding that
pdns uses inline signing (which I'm not sure I completely understand
yet), but the gist of what I understand is that

for domain.ca (changed for security)

1. DNSKEY does not change
2. DS record at CIRA (registry) does not change
3. RRSIG records created on the fly, and will rollover automatically?
example below

domain.ca.                120     IN      RRSIG   A 13 2 120
20171116000000 20171026000000 6782 domain.ca.

What I don't understand, is that this particular domain we just secured
today.  The RRSIG expiry is 16 Nov.  and it says the valid from is Oct. 26.

I don't get that.  It's the same for the other domain we used to test,
but it was secured earlier, more than a few days ago, and it says the
same thing,


RRSIG   A 13 2 120 20171116000000 20171026000000 56566 domain2.ca.

so this one still has the exact same RRSIG parameters, good til Nov. 16
and started Oct. 26

This is not making sense to me, and any help would be appreciated.  I
have read and read pdns docs, dnssec docs, and this eludes my comprehension.

Am I to understand though, that the RRSIG's created by inline signing on
the fly by pdns, will automatically keep being rolled over - re-created
with newer expiry dates and good-from dates?

Thanks for any and all help.


More information about the Pdns-users mailing list