[Pdns-users] bind backend and dnssec database
Philip Vanmontfort
philip at smartbit.be
Tue Jul 9 14:43:29 UTC 2019
Good day powerdns-users,
My company is planning the migration of our authoritative name servers to PowerDNS 4.1.x with a bind backend (managed with Puppet). This part is working as intended.
Now I'm investigating the possibilities to enable DNSSEC. I enabled this on a test server as per the documentation:
pdns.conf:
bind-dnssec-db=/etc/powerdns/bind-dnssec-db.sqlite3
commands:
# pdnsutil create-bind-db /etc/powerdns/bind-dnssec-db.sqlite3
# pdnsutil secure-zone <zone1>
and queries are signed. So far so good.
The question is:
Can I put the bind-dnssec-db.sqlite3 inside Puppet after I secured the zone? (Can it be read-only from PowerDNS's viewpoint?)
Or does PowerDNS need read-write access to the bind-dnssec-db.sqlite3? (Maybe for key rollover?)
And if it has to be read-write, do I have to replicate the bind-dnssec-db.sqlite3 to my other auth nameservers, or do I keep the bind-dnssec-db.sqlite3 local per server?
The zone configuration is 'native' for all zones; there is no master/slave setup.
Thanks in advance,
Philip