[Pdns-users] How to safely import a DNSSEC signed zone
Klaus Darilion
klaus.mailinglists at pernau.at
Sat Feb 22 22:21:20 UTC 2020
Answering myself after reading the code: the trick is to do the steps
below NOT in a single transaction but one step after the other, considering
the respective cache TTLs.
PowerDNS prioritizes presigned zones over self-signing. Hence, the correct
order is:
UPDATE domains SET type='MASTER' where id=XXX;
INSERT INTO cryptokeys .... (import the currently used ZSK+KSK);
sleep(dnssec-key-cache-ttl)
DELETE FROM domainmetadata WHERE domain_id=XXX AND kind='PRESIGNED';
sleep(domain-metadata-cache-ttl)
DELETE FROM records WHERE domain_id=xxx AND type IN
('TYPE65534','DNSKEY', 'RRSIG');
Eventually tweak the domainmetadata, i.e. for serial bumping. Also make
sure that there are no zone changes while doing the above process.
regards
Klaus
On 13.02.2020 at 12:59, Klaus Darilion via Pdns-users wrote:
> Hello!
>
> I have thousands of DNSSEC presigned zones which I slave with
> PowerDNS (type='SLAVE'). I want to move all these zones to PowerDNS as
> type='MASTER'.
>
> Basically this should be very simple:
>
> For each zone:
> BEGIN;
> UPDATE domains SET type='MASTER' where id=XXX;
>
> INSERT INTO cryptokeys .... (import the currently used ZSK+KSK)
>
> DELETE FROM records WHERE domain_id=xxx AND type IN ('TYPE65534',
> 'DNSKEY', 'RRSIG');
>
> DELETE FROM domainmetadata WHERE domain_id=XXX AND kind='PRESIGNED';
> COMMIT;
>
> I think that should be pretty safe. But I am concerned about the
> dnssec-key-cache and the domain-metadata-cache.
>
> I think to be on the safe side I would need to flush those caches with
> the COMMIT;. Of course I could disable the caches at all, but I do not
> want to do this permanently because the switch from SLAVE to MASTER is
> customer triggered.
>
> So, do you have any hints on how to safely import the keys without any
> bogus answers of PowerDNS due to metadata and key caching?
>
> Thanks
> Klaus
>
>
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users
>
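The ordered procedure from the answer above, as an added worked example that is not code from the original thread or from the PowerDNS project. It runs the steps as separate commits against an in-memory SQLite stand-in for the relevant pdns generic-SQL tables (domains, cryptokeys, domainmetadata, records; the column set is simplified and is an assumption, so check it against the schema of your backend and pdns version), waits out dnssec-key-cache-ttl before dropping PRESIGNED and domain-metadata-cache-ttl before deleting the presigned DNSKEY/RRSIG/TYPE65534 records, and aborts if the zone's SOA serial changes while the migration is in flight. The TTL defaults (30 s and 60 s) are the PowerDNS defaults and assume pdns.conf has not changed them; the key contents and all records are constructed placeholders, not real key material. The sleep function is injectable so the whole sequence can be exercised without waiting.

```python
"""Move a presigned SLAVE zone to a self-signed MASTER zone in the PowerDNS
generic SQL backend, one committed step at a time, waiting out the
dnssec-key-cache and domain-metadata-cache between steps.

Demo runs against an in-memory SQLite copy of the relevant tables (simplified
column set; assumption, verify against your pdns schema).
"""
import sqlite3
import time

# PowerDNS authoritative server defaults in seconds (assumes pdns.conf keeps them).
DNSSEC_KEY_CACHE_TTL = 30
DOMAIN_METADATA_CACHE_TTL = 60

# RR types that belong to presigned data; pdns generates them itself once it signs.
PRESIGNED_ONLY_TYPES = ("TYPE65534", "DNSKEY", "RRSIG")


def setup_demo_db():
    """In-memory stand-in for the pdns schema with one presigned slave zone
    (constructed sample data; the key/signature contents are placeholders)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE domains (id INTEGER PRIMARY KEY, name TEXT, type TEXT);
        CREATE TABLE domainmetadata (id INTEGER PRIMARY KEY, domain_id INTEGER, kind TEXT, content TEXT);
        CREATE TABLE cryptokeys (id INTEGER PRIMARY KEY, domain_id INTEGER, flags INTEGER, active INTEGER, content TEXT);
        CREATE TABLE records (id INTEGER PRIMARY KEY, domain_id INTEGER, name TEXT, type TEXT, content TEXT);
        INSERT INTO domains VALUES (1, 'example.org', 'SLAVE');
        INSERT INTO domainmetadata (domain_id, kind, content) VALUES (1, 'PRESIGNED', '1');
        INSERT INTO records (domain_id, name, type, content) VALUES
          (1, 'example.org', 'SOA', 'ns1.example.org hostmaster.example.org 2020022201 3600 900 1209600 300'),
          (1, 'example.org', 'NS', 'ns1.example.org'),
          (1, 'example.org', 'DNSKEY', '257 3 13 (constructed presigned KSK)'),
          (1, 'example.org', 'DNSKEY', '256 3 13 (constructed presigned ZSK)'),
          (1, 'example.org', 'RRSIG', 'SOA 13 2 3600 (constructed presigned signature)'),
          (1, 'example.org', 'TYPE65534', '\\# 5 0d02010000');
    """)
    return conn


def soa_serial(conn, domain_id):
    """Current SOA serial; used to detect zone edits during the migration."""
    row = conn.execute("SELECT content FROM records WHERE domain_id=? AND type='SOA'",
                       (domain_id,)).fetchone()
    if row is None:
        raise RuntimeError("zone %d has no SOA record" % domain_id)
    return int(row[0].split()[2])


def zone_state(conn, domain_id):
    """Snapshot of the parts of the zone the migration touches."""
    dtype = conn.execute("SELECT type FROM domains WHERE id=?", (domain_id,)).fetchone()[0]
    meta = {r[0] for r in conn.execute("SELECT kind FROM domainmetadata WHERE domain_id=?", (domain_id,))}
    rtypes = {r[0] for r in conn.execute("SELECT DISTINCT type FROM records WHERE domain_id=?", (domain_id,))}
    keys = conn.execute("SELECT COUNT(*) FROM cryptokeys WHERE domain_id=? AND active=1",
                        (domain_id,)).fetchone()[0]
    return {"type": dtype, "metadata": meta, "record_types": rtypes, "active_keys": keys}


def migrate_zone(conn, domain_id, ksk_content, zsk_content,
                 key_cache_ttl=DNSSEC_KEY_CACHE_TTL,
                 metadata_cache_ttl=DOMAIN_METADATA_CACHE_TTL,
                 sleep=time.sleep):
    """Run the steps from the answer as separate commits and return the phases.

    pdns prefers presigned data over self-signing, so the imported keys must be
    visible (key cache expired) before PRESIGNED goes away, and PRESIGNED must
    be gone (metadata cache expired) before the presigned records are deleted.
    """
    state = zone_state(conn, domain_id)
    if state["type"] != "SLAVE" or "PRESIGNED" not in state["metadata"]:
        raise RuntimeError("zone %d is not a presigned SLAVE zone" % domain_id)
    serial_before = soa_serial(conn, domain_id)

    def check_unchanged():
        if soa_serial(conn, domain_id) != serial_before:
            raise RuntimeError("zone %d changed during migration; inspect it by hand" % domain_id)

    phases = []
    # Step 1: flip to MASTER and import the KSK+ZSK currently in use (flags 257/256).
    with conn:  # each 'with' block is one committed transaction
        conn.execute("UPDATE domains SET type='MASTER' WHERE id=?", (domain_id,))
    with conn:
        conn.executemany("INSERT INTO cryptokeys (domain_id, flags, active, content) VALUES (?,?,?,?)",
                         [(domain_id, 257, 1, ksk_content), (domain_id, 256, 1, zsk_content)])
    phases.append("keys-imported")
    sleep(key_cache_ttl)  # let cached "no keys" entries for the zone expire

    # Step 2: drop PRESIGNED; from now on pdns signs with the imported keys.
    check_unchanged()
    with conn:
        conn.execute("DELETE FROM domainmetadata WHERE domain_id=? AND kind='PRESIGNED'", (domain_id,))
    phases.append("presigned-dropped")
    sleep(metadata_cache_ttl)  # let the cached PRESIGNED metadata expire

    # Step 3: remove the presigned DNSKEY/RRSIG/TYPE65534 records.
    check_unchanged()
    with conn:
        conn.execute("DELETE FROM records WHERE domain_id=? AND type IN (?,?,?)",
                     (domain_id,) + PRESIGNED_ONLY_TYPES)
    phases.append("presigned-records-removed")
    check_unchanged()
    return phases
```

Against a real backend, replace the SQLite connection with your database driver and keep the default time.sleep; the two sleeps are what makes the sequence safe, so do not shorten them below the TTLs configured in pdns.conf.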