[Pdns-users] DNSSEC same key for all
frank+pdns at tembo.be
frank+pdns at tembo.be
Mon May 20 09:01:26 UTC 2019
Ha, indeed, it seems they did…
Best practise would still be to have a 1:1 relationship between a keyset and a domain, so create a new keyset for every dnssec-domain.
If you do want to reuse your dnssec keys, you have a few options:
- fiddle with the custom query options in pdns.conf to return “the correct record” for a domain, maybe based on a view in the db?
- keep the “golden” cryptokey you want to use somewhere in your code, and use the API or the DB to insert that particular key as the domain’s cryptokey. Disadvantage: whenever you want to change the key, you’d have to update all the cryptokey records
- rethink everything, go the recommended route and use a different DS/KEYSET for every domain (which means creating a new KEYSET for every domain)
Certified PowerDNS Consultant @ Kiwazo.be <http://kiwazo.be/>
> On 20 May 2019, at 10:41, azurit at pobox.sk <mailto:azurit at pobox.sk> wrote:
> Hi Frank,
> it's mandatory for .CZ domains, so if you don't sign every domain with the same key, you need to register a KEYSET for every domain. So this is what i'm trying to solve.
> Citát frank+pdns--- via Pdns-users <pdns-users at mailman.powerdns.com <mailto:pdns-users at mailman.powerdns.com>>:
>> Hi Azur,
>> It’s possible to do so, by manipulating the database directly (see the cryptokeys table).
>> However, let’s take a step back: what problem are you trying to solve? As far as I know, there’s not a single TLD where the use of KEYSETs is mandatory. Some offer it as an extra feature, but I am not aware of any TLD where this would be mandatory.
>> Kind Regards,
>> Frank Louwers
>> Certified PowerDNS Consultant @ Kiwazo.be <http://kiwazo.be/>
>> Pdns-users mailing list
>> Pdns-users at mailman.powerdns.com <mailto:Pdns-users at mailman.powerdns.com>
>> https://mailman.powerdns.com/mailman/listinfo/pdns-users <https://mailman.powerdns.com/mailman/listinfo/pdns-users>
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com <mailto:Pdns-users at mailman.powerdns.com>
> https://mailman.powerdns.com/mailman/listinfo/pdns-users <https://mailman.powerdns.com/mailman/listinfo/pdns-users>
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Pdns-users