[Pdns-users] bind backend and dnssec database

Philip Vanmontfort philip at smartbit.be
Thu Jul 11 14:57:13 UTC 2019


Good day,

We change the zones regularly, but the zones are generated with puppet.

If we use a predefined key on all servers, wouldn't we get into trouble with key rollovers? For example, rollover differences between name servers that are reinstalled? Or is the only important factor the DS key (which would be the same on all servers)?


Greetings,

Philip Vanmontfort
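One way to check the concern raised above across a set of native (non-transferring) servers, added here as an example and not code from this thread or from PowerDNS: it takes the `dig +short DNSKEY` output of each server, computes the RFC 4034 key tags and the SHA-256 DS digest of the SEP keys, and reports whether the servers publish the same DNSKEY RRset and the same DS. The server names and DNSKEY values are constructed sample data, not real keys.

```python
import base64
import hashlib
from typing import Dict, List

# Constructed sample: what `dig +short DNSKEY example.com @<server>` would print on three
# native-mode PowerDNS servers. ns3 was reinstalled and generated its own ZSK, so its
# DNSKEY RRset differs; the KSK (and therefore the DS at the parent) still matches everywhere.
ZONE = "example.com"
KSK = "257 3 13 " + base64.b64encode(b"\x03" * 64).decode()
ZSK_A = "256 3 13 " + base64.b64encode(b"\x01" * 64).decode()
ZSK_B = "256 3 13 " + base64.b64encode(b"\x02" * 64).decode()
SAMPLE = {"ns1": f"{KSK}\n{ZSK_A}\n", "ns2": f"{ZSK_A}\n{KSK}\n", "ns3": f"{KSK}\n{ZSK_B}\n"}

def dnskey_rdata(line: str) -> bytes:
    """Presentation form 'flags proto algo base64...' -> DNSKEY RDATA in wire format."""
    flags, proto, algo, *key = line.split()
    return int(flags).to_bytes(2, "big") + bytes([int(proto), int(algo)]) + base64.b64decode("".join(key))

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except the obsolete RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_sha256(zone: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256(canonical owner name in wire format || DNSKEY RDATA)."""
    wire = b"".join(bytes([len(lab)]) + lab.encode() for lab in zone.rstrip(".").lower().split(".")) + b"\x00"
    return hashlib.sha256(wire + rdata).hexdigest().upper()

def summarize(zone: str, dig_output: str) -> Dict[str, List]:
    """Key tags of all DNSKEYs plus DS digests of the SEP (257) keys, independent of RR order."""
    tags, ds = [], []
    for line in filter(str.strip, dig_output.splitlines()):
        rdata = dnskey_rdata(line)
        tags.append(key_tag(rdata))
        if int(line.split()[0]) & 1:  # SEP bit set: this is the key a DS record points at
            ds.append(ds_sha256(zone, rdata))
    return {"tags": sorted(tags), "ds": sorted(ds)}

def compare_servers(zone: str, outputs: Dict[str, str]) -> Dict:
    """'dnskey_agree' / 'ds_agree' are True only if every server publishes the same set."""
    per = {srv: summarize(zone, out) for srv, out in outputs.items()}
    first = next(iter(per.values()))
    return {"dnskey_agree": all(v["tags"] == first["tags"] for v in per.values()),
            "ds_agree": all(v["ds"] == first["ds"] for v in per.values()), "per_server": per}

if __name__ == "__main__":
    print(compare_servers(ZONE, SAMPLE))
```

With a fixed KSK and a diverging ZSK the DS check passes while the DNSKEY check fails, which is exactly the state a reinstalled server ends up in when each host rolls its own keys.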
On 10/07/19 at 14:04, frank+pdns--- via Pdns-users wrote:
Philip,

Do you make changes to your zones? If you don't need to change the zone contents and your puppet is meant as a way to easily reinstall/add servers, it might make more sense to adapt your puppet manifests to:

- load the zonefile
- use pdnsutil (or the API) to add dnssec signing parameters (maybe with predefined cryptokeys if you deploy this to multiple servers and don’t use zone transfers)

That way, you don’t need to add binary blobs to your puppet repo, which defeats the purpose of “Infrastructure as Code” in my humble opinion.

Just my 2 cents…

Frank Louwers
Certified PowerDNS Consultant @ Kiwazo.be

On 10 Jul 2019, at 11:53, Philip Vanmontfort <philip at smartbit.be> wrote:

Hello,

We want to put everything in one place (puppet), so that we don't have to make a backup of the database. And we want a minimum of moving parts, that is why there is no database backend.
The setup uses native zones, so we don't do zone transfers with masters and slaves. So I figured that having everything in puppet saves me the replication/backup of the database.

Do I understand correctly that I need to replicate the bind-dnssec-db.sqlite3 from one server (SOA server?) to the others? Or do I need to build a master-slave setup with zone transfers to enable correct working of dnssec?


Best greetings,
Philip
________________________________
From: Pdns-users <pdns-users-bounces at mailman.powerdns.com> on behalf of Bjoern Franke <bjo at nord-west.org>
Sent: Wednesday 10 July 2019 11:12
To: pdns-users at mailman.powerdns.com
Subject: Re: [Pdns-users] bind backend and dnssec database

Hi,

>
> My company is planning the migration of our authoritative name servers
> to powerdns 4.1.x with a bind backend (managed with puppet). This part
> is working as intended.
[...]
> The question is:
>
> Can I put the bind-dnssec-db.sqlite3 inside puppet after I secured the
> zone? (Can it be read-only from powerdns's viewpoint?)
> Or does powerdns need read-write access to the bind-dnssec-db.sqlite3?
> (Maybe for key rollover?)
>

We are also running powerdns in a puppetized way, but with MySQL as
hybrid backend. As data is changed during key rollover, read/write
access is needed. Why do you want to put the sqlite itself into puppet?
For the slaves?

Kind regards
Bjoern
_______________________________________________
Pdns-users mailing list
Pdns-users at mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users

Frank Louwers
PowerDNS Certified Consultant @ Kiwazo.be