[Pdns-users] DNSSEC same key for all

azurit at pobox.sk azurit at pobox.sk
Mon May 20 09:09:25 UTC 2019


Ok, thanks everyone for suggestions!

azur
Quoting frank+pdns--- via Pdns-users <pdns-users at mailman.powerdns.com>:

> Hi Azur,
>
> Ha, indeed, it seems they did…
>
> Best practice would still be to have a 1:1 relationship between a  
> keyset and a domain, so create a new keyset for every dnssec-domain.
>
> If you do want to reuse your dnssec keys, you have a few options:
>
> - fiddle with the custom query options in pdns.conf to return “the  
> correct record” for a domain, maybe based on a view in the db?
>
> - keep the “golden” cryptokey you want to use somewhere in your  
> code, and use the API or the DB to insert that particular key as the  
> domain’s cryptokey. Disadvantage: whenever you want to change the  
> key, you’d have to update all the cryptokey records
>
> - rethink everything, go the recommended route and use a different  
> DS/KEYSET for every domain (which means creating a new KEYSET for  
> every domain)
>
> Kind Regards,
>
> Frank Louwers
> Certified PowerDNS Consultant @ Kiwazo.be <http://kiwazo.be/>
>
>> On 20 May 2019, at 10:41, azurit at pobox.sk <mailto:azurit at pobox.sk> wrote:
>>
>> Hi Frank,
>>
>> it's mandatory for .CZ domains, so if you don't sign every domain  
>> with the same key, you need to register a KEYSET for every domain.  
>> So this is what I'm trying to solve.
>>
>> Quoting frank+pdns--- via Pdns-users <pdns-users at mailman.powerdns.com  
>> <mailto:pdns-users at mailman.powerdns.com>>:
>>
>>> Hi Azur,
>>>
>>> It’s possible to do so, by manipulating the database directly (see  
>>> the cryptokeys table).
>>>
>>> However, let’s take a step back: what problem are you trying to  
>>> solve? As far as I know, there’s not a single TLD where the use of  
>>> KEYSETs is mandatory. Some offer it as an extra feature, but I am  
>>> not aware of any TLD where this would be mandatory.
>>>
>>> Kind Regards,
>>>
>>> Frank Louwers
>>> Certified PowerDNS Consultant @ Kiwazo.be <http://kiwazo.be/>
>>> _______________________________________________
>>> Pdns-users mailing list
>>> Pdns-users at mailman.powerdns.com <mailto:Pdns-users at mailman.powerdns.com>
>>> https://mailman.powerdns.com/mailman/listinfo/pdns-users  
>>> <https://mailman.powerdns.com/mailman/listinfo/pdns-users>
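An added example for the second of Frank's options above (importing one "golden" key into every zone through the PowerDNS HTTP API); it is not code from the list members or from the PowerDNS project. It assumes a PowerDNS Authoritative server with `api=yes` and `api-key` set in `pdns.conf` and the webserver on `127.0.0.1:8081`, uses the documented `POST /api/v1/servers/localhost/zones/<zone>/cryptokeys` endpoint, and the key material shown is a placeholder, not a real key. The `send` hook and the zone list are assumptions for illustration.

```python
"""Import the same DNSSEC key into several PowerDNS zones over the HTTP API.

Added example, not PowerDNS or list-member code. Assumes api=yes and
api-key in pdns.conf and a webserver on 127.0.0.1:8081. The key below is
a placeholder. Reusing one key across zones means a single compromise
affects every zone, and each zone still gets its own DS record, because
the owner name is part of the DS digest input (RFC 4034), so a KEYSET/DS
per domain must still be registered.
"""
import json
import urllib.request
from typing import Callable, Dict, List, Optional

API_URL = "http://127.0.0.1:8081"   # assumption: local pdns webserver
API_KEY = "CHANGE-ME"               # placeholder, must match api-key in pdns.conf

# Placeholder private key in ISC format (what `pdnsutil export-zone-key` emits).
GOLDEN_KEY_ISC = (
    "Private-key-format: v1.2\n"
    "Algorithm: 13 (ECDSAP256SHA256)\n"
    "PrivateKey: PLACEHOLDER-NOT-A-REAL-KEY\n"
)


def cryptokey_payload(private_key_isc: str, keytype: str = "ksk",
                      active: bool = True) -> Dict:
    """Build the JSON body for the cryptokeys endpoint.

    Supplying 'content' makes PowerDNS import the key instead of generating
    one; algorithm and key size are read from the ISC key itself.
    """
    if keytype not in ("ksk", "zsk", "csk"):
        raise ValueError("keytype must be ksk, zsk or csk")
    return {"keytype": keytype, "active": active, "content": private_key_isc}


def import_key(zone: str, payload: Dict,
               send: Optional[Callable[[str, bytes], Dict]] = None) -> Dict:
    """POST the payload for one zone and return the decoded JSON reply.

    'send' lets the HTTP call be replaced (e.g. in tests); by default
    urllib performs the request against the live API.
    """
    zone_id = zone if zone.endswith(".") else zone + "."
    url = f"{API_URL}/api/v1/servers/localhost/zones/{zone_id}/cryptokeys"
    body = json.dumps(payload).encode()
    if send is not None:
        return send(url, body)
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"X-API-Key": API_KEY, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def ds_records(cryptokey: Dict) -> List[str]:
    """Pull the DS rdata PowerDNS returns for an imported KSK/CSK.

    These are the values to hand to the registry. They differ per zone even
    when the DNSKEY is identical, so one shared key does not remove the
    per-domain registration step.
    """
    return list(cryptokey.get("ds", []))


def import_into_zones(zones: List[str],
                      send: Optional[Callable[[str, bytes], Dict]] = None
                      ) -> Dict[str, List[str]]:
    """Import the golden key into each zone; map zone -> DS records to register."""
    payload = cryptokey_payload(GOLDEN_KEY_ISC)
    return {z: ds_records(import_key(z, payload, send)) for z in zones}


if __name__ == "__main__":
    # Assumed zone names for illustration.
    for zone, ds in import_into_zones(["example.cz", "example2.cz"]).items():
        print(zone, ds)
```

Because the key is inserted per zone rather than shared at the database level, a later key change still means re-importing into every zone and re-registering every DS, which is the disadvantage Frank points out; the script only makes that loop repeatable.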
