[Pdns-users] How to safely import a DNSSEC signed zone
klaus.mailinglists at pernau.at
Sat Feb 22 22:21:20 UTC 2020
Answering myself after reading the code: the trick is to do the steps below
NOT in a single transaction but one step after the other, considering the
respective cache TTLs.
PowerDNS prioritizes presigned zones over self-signing. Hence, the correct
UPDATE domains SET type='MASTER' where id=XXX;
INSERT INTO cryptokeys .... (import the currently used ZSK+KSK);
DELETE FROM domainmetadata WHERE domain_id=XXX AND kind='PRESIGNED';
DELETE FROM records WHERE domain_id=xxx AND type IN ('TYPE65534', 'DNSKEY', 'RRSIG');
Optionally tweak the domainmetadata, i.e. for serial bumping. Also make
sure that there are no zone changes while doing the above process.
On 13.02.2020 at 12:59, Klaus Darilion via Pdns-users wrote:
> I have thousands of DNSSEC presigned-signed zones which I slave with
> PowerDNS (type='SLAVE'). I want to move all these zones to PowerDNS as
> Basically this should be very simple:
> For each zone:
> UPDATE domains SET type='MASTER' where id=XXX;
> INSERT INTO cryptokeys .... (import the currently used ZSK+KSK)
> DELETE FROM records WHERE domain_id=xxx AND type IN ('TYPE65534', 'DNSKEY', 'RRSIG');
> DELETE FROM domainmetadata WHERE domain_id=XXX AND kind='PRESIGNED';
> I think that should be pretty safe. But I am concerned about the
> dnssec-key-cache and the domain-metadata-cache.
> I think, to be on the safe side, I would need to flush those caches with
> the COMMIT. Of course I could disable the caches altogether, but I do not
> want to do this permanently because the switch from SLAVE to MASTER is
> customer-triggered.
> So, do you have any hints on how to safely import the keys without any
> bogus answers from PowerDNS due to metadata and key caching?
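The step-by-step conversion described in the thread, written out as a script. This is an added example, not code from the post or from the PowerDNS project: it runs the four statements in the order the answer gives (MASTER, import keys, drop PRESIGNED, drop the presigned RRs), commits each one on its own, re-checks the SOA between steps so a zone change aborts the run, and sleeps for the cache TTL that could still hold the previous state before moving on. It uses an in-memory sqlite3 database with a constructed subset of the PowerDNS generic SQL tables (the real schema has more columns, e.g. `published` in `cryptokeys`), placeholder key bodies instead of real ISC-format private keys, and the defaults 30 s for `dnssec-key-cache-ttl` and 60 s for `domain-metadata-cache-ttl` when they are not set in the config text; the function names, `DEMO_CONF` and `DEMO_KEYS` are all assumptions made for this example.

```python
"""Convert a presigned SLAVE zone to a self-signed MASTER, one committed step at a time.
Added example (not from the post or PowerDNS); schema is a constructed subset."""
import sqlite3
import time

# PowerDNS defaults (seconds) for the two caches the thread worries about.
DEFAULT_TTLS = {"dnssec-key-cache-ttl": 30, "domain-metadata-cache-ttl": 60}
# Presigned-zone RR types a self-signing master must not keep in the records table.
PRESIGNED_TYPES = ("TYPE65534", "DNSKEY", "RRSIG")


def read_cache_ttls(conf_text):
    """Return the two cache TTLs from pdns.conf text, falling back to the defaults."""
    ttls = dict(DEFAULT_TTLS)
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in ttls:
            ttls[key] = int(value)
    return ttls


def soa_content(db, domain_id):
    row = db.execute("SELECT content FROM records WHERE domain_id=? AND type='SOA'",
                     (domain_id,)).fetchone()
    return row[0] if row else None


def active_key_flags(db, domain_id):
    rows = db.execute("SELECT flags FROM cryptokeys WHERE domain_id=? AND active=1",
                      (domain_id,))
    return {flags for (flags,) in rows}


def convert_zone(db, domain_id, keys, ttls, sleep=time.sleep):
    """keys: [(flags, content)] with 257 = KSK, 256 = ZSK (PowerDNS cryptokeys flags).
    Returns the list of (step, seconds waited) so the schedule can be inspected."""
    waits = []
    soa_before = soa_content(db, domain_id)

    def settle(step, seconds):
        # Commit this step alone, abort if the zone changed under us (the post
        # requires a frozen zone), then outwait the cache that may hold old state.
        db.commit()
        if soa_content(db, domain_id) != soa_before:
            raise RuntimeError(f"SOA changed during step {step!r}; aborting")
        sleep(seconds)
        waits.append((step, seconds))

    # 1. MASTER first, so no further AXFR can overwrite the work below.
    #    No single cache governs the zone kind; wait the longest TTL to be safe.
    db.execute("UPDATE domains SET type='MASTER' WHERE id=?", (domain_id,))
    settle("set MASTER", max(ttls.values()))

    # 2. Import the KSK+ZSK currently in use as active keys, then let the
    #    key cache expire so every backend thread sees them before step 3.
    for flags, content in keys:
        db.execute("INSERT INTO cryptokeys (domain_id, flags, active, content) "
                   "VALUES (?, ?, 1, ?)", (domain_id, flags, content))
    settle("import keys", ttls["dnssec-key-cache-ttl"])

    # Guard: never hand signing over to PowerDNS without an active KSK and ZSK.
    if not {256, 257} <= active_key_flags(db, domain_id):
        raise RuntimeError("need an active KSK (257) and ZSK (256) before unsetting PRESIGNED")

    # 3. Drop PRESIGNED; once the metadata cache expires PowerDNS signs live.
    db.execute("DELETE FROM domainmetadata WHERE domain_id=? AND kind='PRESIGNED'",
               (domain_id,))
    settle("unset PRESIGNED", ttls["domain-metadata-cache-ttl"])

    # 4. Only now remove the imported RRSIG/DNSKEY/TYPE65534 records.
    placeholders = ",".join("?" * len(PRESIGNED_TYPES))
    db.execute(f"DELETE FROM records WHERE domain_id=? AND type IN ({placeholders})",
               (domain_id, *PRESIGNED_TYPES))
    db.commit()
    return waits


def zone_state(db, domain_id):
    """Small summary used to verify the end state of a conversion."""
    kind = db.execute("SELECT type FROM domains WHERE id=?", (domain_id,)).fetchone()[0]
    presigned = db.execute("SELECT COUNT(*) FROM domainmetadata WHERE domain_id=? "
                           "AND kind='PRESIGNED'", (domain_id,)).fetchone()[0]
    types = sorted({t for (t,) in db.execute(
        "SELECT type FROM records WHERE domain_id=?", (domain_id,))})
    return {"kind": kind, "presigned": presigned, "record_types": types,
            "active_keys": sorted(active_key_flags(db, domain_id))}


DEMO_CONF = "# constructed pdns.conf fragment\ndnssec-key-cache-ttl=15\ndomain-metadata-cache-ttl=45\n"
# Placeholder bodies; real rows hold PowerDNS ISC-format private key text.
DEMO_KEYS = [(257, "Private-key-format: v1.2 (KSK placeholder)"),
             (256, "Private-key-format: v1.2 (ZSK placeholder)")]


def build_demo_db():
    """Constructed in-memory subset of the generic SQL schema with one presigned slave."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE domains (id INTEGER PRIMARY KEY, name TEXT, type TEXT);
        CREATE TABLE cryptokeys (id INTEGER PRIMARY KEY, domain_id INTEGER,
                                 flags INTEGER, active INTEGER, content TEXT);
        CREATE TABLE domainmetadata (id INTEGER PRIMARY KEY, domain_id INTEGER,
                                     kind TEXT, content TEXT);
        CREATE TABLE records (id INTEGER PRIMARY KEY, domain_id INTEGER, name TEXT,
                              type TEXT, content TEXT, ttl INTEGER);
        INSERT INTO domains VALUES (1, 'example.org', 'SLAVE');
        INSERT INTO domainmetadata VALUES (1, 1, 'PRESIGNED', '1');
        INSERT INTO records (domain_id, name, type, content, ttl) VALUES
          (1, 'example.org', 'SOA', 'ns1.example.org hostmaster.example.org 2020022201 3600 900 1209600 300', 3600),
          (1, 'example.org', 'A', '192.0.2.1', 300),
          (1, 'example.org', 'DNSKEY', '257 3 13 placeholder', 3600),
          (1, 'example.org', 'DNSKEY', '256 3 13 placeholder', 3600),
          (1, 'example.org', 'RRSIG', 'A 13 2 300 placeholder', 300),
          (1, 'example.org', 'TYPE65534', 'placeholder', 0);
    """)
    return db


if __name__ == "__main__":
    demo = build_demo_db()
    # A real run passes the default time.sleep; the demo only records the waits.
    print(convert_zone(demo, 1, DEMO_KEYS, read_cache_ttls(DEMO_CONF), sleep=lambda s: None))
    print(zone_state(demo, 1))
```

For a gmysql deployment the `sqlite3` connection is swapped for a MySQL client and the `?` placeholders for that driver's style; the statements and the order stay the same. The waits are a floor, not an exact science: a TTL only guarantees that a cache entry created before the step has expired, so if the packet cache or a front-end cache also holds answers for the zone, those TTLs need to be added on top.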