[Pdns-users] How to safely import a DNSSEC signed zone

Klaus Darilion klaus.darilion at nic.at
Thu Feb 13 11:59:38 UTC 2020


Hello!

I have thousands of DNSSEC presigned zones which I slave with PowerDNS (type='SLAVE'). I want to move all these zones to PowerDNS as type='MASTER'.

Basically this should be very simple:

For each zone:
BEGIN;
UPDATE domains SET type='MASTER' where id=XXX;

INSERT INTO cryptokeys .... (import the currently used ZSK+KSK)

DELETE FROM records WHERE domain_id=XXX AND type IN ('TYPE65534', 'DNSKEY', 'RRSIG');

DELETE FROM domainmetadata WHERE domain_id=XXX AND kind='PRESIGNED';
COMMIT;

I think that should be pretty safe. But I am concerned about the dnssec-key-cache and the domain-metadata-cache.

I think to be on the safe side I would need to flush those caches on COMMIT. Of course I could disable the caches altogether, but I do not want to do this permanently because the switch from SLAVE to MASTER is customer triggered.

So, do you have any hints on how to safely import the keys without any bogus answers from PowerDNS due to metadata and key caching?

Thanks
Klaus
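The transaction sketched in the post, written out as an added example (not code from the post and not part of PowerDNS) that runs against an in-memory SQLite copy of a cut-down gsqlite3 schema. The zone content and the key material are constructed placeholders, the `published` column follows the 4.2 cryptokeys schema, and the precondition checks (zone is SLAVE, zone is marked PRESIGNED, the supplied keys match the published DNSKEY set, a KSK/CSK is present) are this example's own additions. Only the database side is covered; the key and metadata caches of a running pdns_server are not touched here.

```python
"""Convert a presigned PowerDNS SLAVE zone to a natively signed MASTER zone.

Added example, not code from the original post and not part of PowerDNS.
It runs against an in-memory SQLite database with a cut-down copy of the
gsqlite3 schema (domains, records, domainmetadata, cryptokeys with the
'published' column of the 4.2 schema). Zone content and key material
below are constructed placeholders, not real keys.
"""
import sqlite3

SCHEMA = """
CREATE TABLE domains        (id INTEGER PRIMARY KEY, name TEXT NOT NULL, type TEXT NOT NULL);
CREATE TABLE records        (id INTEGER PRIMARY KEY, domain_id INTEGER, name TEXT, type TEXT, content TEXT, ttl INTEGER);
CREATE TABLE domainmetadata (id INTEGER PRIMARY KEY, domain_id INTEGER, kind TEXT, content TEXT);
CREATE TABLE cryptokeys     (id INTEGER PRIMARY KEY, domain_id INTEGER, flags INTEGER, active INTEGER, published INTEGER, content TEXT);
"""

# Record types PowerDNS generates itself once it signs the zone natively.
PRESIGNED_TYPES = ("TYPE65534", "DNSKEY", "RRSIG")

# Constructed key set to import: (flags, private key in the ISC text format PowerDNS stores).
SAMPLE_KEYS = [
    (257, "Private-key-format: v1.2\nAlgorithm: 13 (ECDSAP256SHA256)\nPrivateKey: KSKPLACEHOLDER=\n"),
    (256, "Private-key-format: v1.2\nAlgorithm: 13 (ECDSAP256SHA256)\nPrivateKey: ZSKPLACEHOLDER=\n"),
]


class ConversionError(Exception):
    """A precondition failed; the transaction was rolled back and nothing changed."""


def make_sample_db():
    """Build a presigned slave zone example.org (constructed data) in memory."""
    conn = sqlite3.connect(":memory:", isolation_level=None)  # autocommit; BEGIN/COMMIT issued explicitly
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO domains (id, name, type) VALUES (1, 'example.org', 'SLAVE')")
    rows = [
        ("example.org", "SOA", "ns1.example.org hostmaster.example.org 2020021301 3600 900 1209600 300"),
        ("example.org", "NS", "ns1.example.org"),
        ("ns1.example.org", "A", "192.0.2.1"),
        ("example.org", "DNSKEY", "257 3 13 KSKPUBLICPLACEHOLDER="),
        ("example.org", "DNSKEY", "256 3 13 ZSKPUBLICPLACEHOLDER="),
        ("example.org", "RRSIG", "SOA 13 2 3600 20200301000000 20200201000000 12345 example.org. SIGPLACEHOLDER="),
        ("example.org", "RRSIG", "DNSKEY 13 2 3600 20200301000000 20200201000000 54321 example.org. SIGPLACEHOLDER="),
        ("example.org", "TYPE65534", "\\# 5 0d30390000"),
    ]
    conn.executemany("INSERT INTO records (domain_id, name, type, content, ttl) VALUES (1, ?, ?, ?, 3600)", rows)
    conn.execute("INSERT INTO domainmetadata (domain_id, kind, content) VALUES (1, 'PRESIGNED', '1')")
    return conn


def convert_zone_to_master(conn, domain_id, keys):
    """Switch one zone in a single transaction; any failed check rolls everything back."""
    flags = [f for f, _ in keys]
    if not flags or not set(flags) <= {256, 257} or 257 not in flags:
        raise ConversionError("need at least one KSK/CSK (flags 257) and only 256/257 flags")
    conn.execute("BEGIN")
    try:
        row = conn.execute("SELECT type FROM domains WHERE id = ?", (domain_id,)).fetchone()
        if row is None:
            raise ConversionError(f"zone {domain_id} does not exist")
        if row[0] != "SLAVE":
            raise ConversionError(f"zone {domain_id} is {row[0]}, not SLAVE")
        if conn.execute("SELECT 1 FROM domainmetadata WHERE domain_id = ? AND kind = 'PRESIGNED'",
                        (domain_id,)).fetchone() is None:
            raise ConversionError(f"zone {domain_id} is not marked PRESIGNED")
        # Conservative sanity check: the imported keys should be exactly the published
        # DNSKEY set. A key prepublished for a rollover fails this on purpose, so such a
        # zone gets a manual look instead of a silently incomplete key import.
        published = conn.execute("SELECT count(*) FROM records WHERE domain_id = ? AND type = 'DNSKEY'",
                                 (domain_id,)).fetchone()[0]
        if published != len(keys):
            raise ConversionError(f"{published} DNSKEY records published but {len(keys)} keys supplied")

        conn.execute("UPDATE domains SET type = 'MASTER' WHERE id = ?", (domain_id,))
        conn.executemany(
            "INSERT INTO cryptokeys (domain_id, flags, active, published, content) VALUES (?, ?, 1, 1, ?)",
            [(domain_id, f, c) for f, c in keys])
        conn.execute("DELETE FROM records WHERE domain_id = ? AND type IN (?, ?, ?)",
                     (domain_id, *PRESIGNED_TYPES))
        conn.execute("DELETE FROM domainmetadata WHERE domain_id = ? AND kind = 'PRESIGNED'", (domain_id,))
        conn.execute("COMMIT")
    except BaseException:
        conn.execute("ROLLBACK")
        raise


def zone_state(conn, domain_id):
    """Snapshot used to verify the conversion (and that a failed one changed nothing)."""
    ztype = conn.execute("SELECT type FROM domains WHERE id = ?", (domain_id,)).fetchone()[0]
    types = sorted(r[0] for r in conn.execute(
        "SELECT DISTINCT type FROM records WHERE domain_id = ?", (domain_id,)))
    active = conn.execute("SELECT count(*) FROM cryptokeys WHERE domain_id = ? AND active = 1",
                          (domain_id,)).fetchone()[0]
    presigned = conn.execute("SELECT count(*) FROM domainmetadata WHERE domain_id = ? AND kind = 'PRESIGNED'",
                             (domain_id,)).fetchone()[0] > 0
    return {"type": ztype, "record_types": types, "active_keys": active, "presigned": presigned}


if __name__ == "__main__":
    db = make_sample_db()
    print("before:", zone_state(db, 1))
    convert_zone_to_master(db, 1, SAMPLE_KEYS)
    print("after: ", zone_state(db, 1))
```

The checks run inside the same transaction as the writes, so a zone that fails any of them is left exactly as it was; running the conversion twice on the same zone is rejected on the second run because the zone is no longer SLAVE.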

