[Pdns-users] dnssec workflow

Pieter Lexis pieter.lexis at powerdns.com
Tue Jan 15 09:02:23 UTC 2019


Hi Mike,

Many questions, let's go through them one-by-one.

On 1/14/19 7:22 PM, mike+lists at yourtownonline.com wrote:
>     I have been experimenting with dnssec and powerdns. I have a domain
> signed, ds records at my registrar, all looks good and it passes tests
> on various dnssec validation sites. What I'm not clear about however, is
> what is the workflow needed for ongoing maintenance?

No, PowerDNS automatically refreshes the DNSSEC signatures every
week[1]. If your slave(s) are PowerDNS, they will re-transfer the zone if
they see the signatures change (even when the SOA serial is not
increased). If your slave(s) are not PowerDNS, you'll need to set the
default-soa-edit-signed setting[2] to something that makes sense for
your SOA serial[3].

> I don't understand
> automatic key expiration and whether or if I must care.

(note, this is an opinion) You'll only need to rotate your keys when
they are compromised. PowerDNS itself does not support automatically
rotating keys, but it can be done manually (and those steps could be
automated by you)[4,5].

> Also, I don't
> see why or if I need to care about having zsk and ksk in my zone; seems
> to work without, unless these are pertaining to domains I sub-delegate?

Having a ZSK means that you can roll that key without notifying your
parent zone/registrar. If you don't plan on rotating (often), a single
key (known as a CSK, combined signing key) is fine.

> And, if I decide that my existing ds at my registrar has aged
> sufficiently, what is the procedure for replacement that keeps my domain
> valid thru the rollover?

See [4].

>     I'm sorry, it's just that some of these topics are not really covered
> well...

They are, but I admit the documentation is a bit messy. If you have an
idea on how to improve this, please let us know via an issue[6]. Or,
even better, open a pull-request with the changes.

I hope this clarifies things for you. If not, feel free to respond on
the mailinglist and we'll be happy to help.

Cheers,

Pieter

1 -
https://doc.powerdns.com/authoritative/dnssec/modes-of-operation.html#signatures
2 -
https://doc.powerdns.com/authoritative/settings.html#default-soa-edit-signed
3 -
https://doc.powerdns.com/authoritative/dnssec/operational.html#soa-edit-ensure-signature-freshness-on-slaves
4 - https://doc.powerdns.com/authoritative/guides/kskroll.html
5 - https://doc.powerdns.com/authoritative/guides/zskroll.html
6 - https://github.com/PowerDNS/pdns/issues/new

-- 
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com
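The point Pieter makes about non-PowerDNS slaves is the one that bites in practice: a generic secondary only re-transfers when the primary's SOA serial is newer under RFC 1982 serial arithmetic, and PowerDNS re-signs weekly without touching the serial stored in the backend. If the advertised serial never moves, the secondary keeps serving the old RRSIGs until they expire and validating resolvers start returning SERVFAIL for the zone. The following is an added example, not code from PowerDNS or from this thread: it models the documented SOA-EDIT modes (INCEPTION-INCREMENT, INCEPTION-EPOCH, INCREMENT-WEEKS, EPOCH) on a frozen backend serial and checks, offline, whether each weekly refresh would produce a serial a secondary fetches. Assumptions: signature inception is approximated as the most recent Thursday 00:00 UTC (PowerDNS works on a weekly cycle but its exact inception offset is not reproduced), YYYYMMDDSS dates are rendered in UTC, and the serials and timestamps are constructed for the demonstration.

```python
"""Offline model of what PowerDNS SOA-EDIT does to an advertised SOA serial.

Added example, not PowerDNS code. ASSUMPTIONS: inception is modelled as the
most recent Thursday 00:00 UTC; YYYYMMDDSS serials use UTC dates; all serials
and timestamps below are constructed, not taken from a live zone.
"""
from datetime import datetime, timezone

WEEK = 7 * 86400


def start_of_week(now: int) -> int:
    """Most recent Thursday 00:00 UTC; the UNIX epoch (0) fell on a Thursday."""
    return now - (now % WEEK)


def yyyymmddss(ts: int, ss: int) -> int:
    """Render a timestamp as a YYYYMMDDSS serial with sequence number ss."""
    day = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y%m%d")
    return int(day) * 100 + ss


def soa_edit(mode: str, backend_serial: int, now: int) -> int:
    """Serial the primary advertises for a backend serial under a SOA-EDIT mode."""
    inception = start_of_week(now)
    mode = mode.upper()
    if mode == "INCEPTION-INCREMENT":
        # Backend must use YYYYMMDDSS serials. Within two days after inception
        # the backend serial is bumped by two; otherwise max(backend, <inception>01).
        inception_serial = yyyymmddss(inception, 1)
        window_end = yyyymmddss(inception + 2 * 86400, 99)
        if backend_serial < inception_serial - 1:
            return inception_serial
        if backend_serial <= window_end:
            return backend_serial + 2
        return max(backend_serial, inception_serial)
    if mode == "INCEPTION-EPOCH":
        # Backend must use seconds-since-epoch serials.
        return max(backend_serial, inception)
    if mode == "INCREMENT-WEEKS":
        # Works with any backend serial: add the number of weeks since the epoch.
        return backend_serial + inception // WEEK
    if mode == "EPOCH":
        return now
    if mode in ("", "NONE"):
        return backend_serial
    raise ValueError(f"unknown SOA-EDIT mode {mode!r}")


def serial_is_newer(candidate: int, current: int) -> bool:
    """RFC 1982 comparison on 32-bit serials: would a secondary holding
    `current` transfer a zone advertising `candidate`? Handles wrap-around."""
    diff = (candidate - current) & 0xFFFFFFFF
    return diff != 0 and diff < 2 ** 31


def weekly_refresh_bumps(mode: str, backend_serial: int, first_now: int,
                         weeks: int = 4) -> bool:
    """Simulate `weeks` consecutive weekly re-signs with an unchanged backend
    serial; True only if every refresh yields a serial the secondary fetches."""
    previous = soa_edit(mode, backend_serial, first_now)
    for week in range(1, weeks):
        current = soa_edit(mode, backend_serial, first_now + week * WEEK)
        if not serial_is_newer(current, previous):
            return False
        previous = current
    return True


if __name__ == "__main__":
    # Constructed: the timestamp of the list post (2019-01-15 09:02:23 UTC) and
    # a YYYYMMDDSS backend serial that nobody has edited since.
    now = 1547542943
    backend = 2019011401
    for mode in ("NONE", "INCEPTION-INCREMENT", "INCREMENT-WEEKS"):
        print(f"{mode:20s} advertised={soa_edit(mode, backend, now)} "
              f"bumps weekly={weekly_refresh_bumps(mode, backend, now)}")
```

The "NONE" row is the failure mode: the advertised serial stays at the backend value across four refreshes, so a non-PowerDNS secondary would never fetch the fresh signatures. On a real deployment the equivalent settings are `default-soa-edit-signed` in pdns.conf for all signed zones, or per zone `pdnsutil set-meta example.com SOA-EDIT INCEPTION-INCREMENT`; pick the mode that matches the serial format your backend actually uses, because INCEPTION-INCREMENT assumes YYYYMMDDSS and INCEPTION-EPOCH assumes epoch seconds, while INCREMENT-WEEKS works with any serial.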