[Pdns-users] DNSSEC same key for all

frank+pdns at tembo.be frank+pdns at tembo.be
Mon May 20 09:01:26 UTC 2019


Hi Azur,

Ha, indeed, it seems they did…

Best practice would still be to have a 1:1 relationship between a keyset and a domain, so create a new keyset for every dnssec-domain.

If you do want to reuse your dnssec keys, you have a few options:

- fiddle with the custom query options in pdns.conf to return “the correct record” for a domain, maybe based on a view in the db?

- keep the “golden” cryptokey you want to use somewhere in your code, and use the API or the DB to insert that particular key as the domain’s cryptokey. Disadvantage: whenever you want to change the key, you’d have to update all the cryptokey records

- rethink everything, go the recommended route and use a different DS/KEYSET for every domain (which means creating a new KEYSET for every domain)

Kind Regards,

Frank Louwers
Certified PowerDNS Consultant @ Kiwazo.be <http://kiwazo.be/>
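As an added example that is not part of this thread or of PowerDNS's own code: Python helpers for the "golden key" route above (import one key into many zones through the API, and re-push it to all of them when it changes), together with an audit that flags zones sharing an active DNSKEY, i.e. where the 1:1 rule is broken. It assumes the PowerDNS Authoritative API's `/api/v1/servers/{server}/zones/{zone}/cryptokeys` endpoint and a Cryptokey object whose `privatekey` field carries the ISC-format private key; the cryptokeys listing below is constructed sample data.

```python
import json
import urllib.request

# Constructed sample of what GET .../zones/<zone>/cryptokeys returns, trimmed to
# the fields the audit needs. Two zones share one KSK, the 1:1 rule broken.
SAMPLE_CRYPTOKEYS = {
    "example.cz.": [
        {"id": 1, "keytype": "ksk", "active": True, "dnskey": "257 3 13 AAAAgolden"},
        {"id": 2, "keytype": "zsk", "active": True, "dnskey": "256 3 13 AAAAzsk1"},
    ],
    "second.cz.": [
        {"id": 3, "keytype": "ksk", "active": True, "dnskey": "257 3 13 AAAAgolden"},
    ],
    "third.cz.": [
        {"id": 4, "keytype": "csk", "active": True, "dnskey": "257 3 13 AAAAthird"},
    ],
}

def shared_dnskeys(cryptokeys_by_zone):
    """Map DNSKEY rdata -> sorted zones it is active in, keeping only keys
    that appear in more than one zone (a shared key widens the blast radius)."""
    zones_by_key = {}
    for zone, keys in cryptokeys_by_zone.items():
        for key in keys:
            if key.get("active"):
                zones_by_key.setdefault(key["dnskey"], set()).add(zone)
    return {k: sorted(z) for k, z in zones_by_key.items() if len(z) > 1}

def cryptokey_payload(isc_private_key, keytype="ksk", active=True):
    """Body for POST .../cryptokeys importing an existing key; 'privatekey'
    (assumed field name) carries the ISC-format text, as pdnsutil exports it."""
    return {"keytype": keytype, "active": active, "privatekey": isc_private_key}

def push_key_to_zones(api_url, api_key, zones, payload, send=None, server="localhost"):
    """POST the same key to every zone and return the URLs posted to. `send`
    is injectable so the rollout logic can be exercised without a live server."""
    if send is None:
        def send(url, body):
            req = urllib.request.Request(url, data=body, method="POST", headers={
                "X-API-Key": api_key, "Content-Type": "application/json"})
            with urllib.request.urlopen(req) as resp:
                return resp.status
    body = json.dumps(payload).encode()
    posted = []
    for zone in zones:
        url = f"{api_url}/api/v1/servers/{server}/zones/{zone}/cryptokeys"
        send(url, body)
        posted.append(url)
    return posted
```

Run `shared_dnskeys` over the real listings from each zone's cryptokeys endpoint to find key reuse before a registry or auditor does; the rollout helper is the "update all the cryptokey records" chore from the second option, automated.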
> On 20 May 2019, at 10:41, azurit at pobox.sk wrote:
> 
> Hi Frank,
> 
> It's mandatory for .CZ domains, so if you don't sign every domain with the same key, you need to register a KEYSET for every domain. So this is what I'm trying to solve.
> 
> Quoting frank+pdns--- via Pdns-users <pdns-users at mailman.powerdns.com>:
> 
>> Hi Azur,
>> 
>> It’s possible to do so, by manipulating the database directly (see the cryptokeys table).
>> 
>> However, let’s take a step back: what problem are you trying to solve? As far as I know, there’s not a single TLD where the use of KEYSETs is mandatory. Some offer it as an extra feature, but I am not aware of any TLD where this would be mandatory.
>> 
>> Kind Regards,
>> 
>> Frank Louwers
>> Certified PowerDNS Consultant @ Kiwazo.be <http://kiwazo.be/>
>> _______________________________________________
>> Pdns-users mailing list
>> Pdns-users at mailman.powerdns.com
>> https://mailman.powerdns.com/mailman/listinfo/pdns-users
> 
