[Pdns-users] pdnsutil rectify-all-zones

[Pieter Lexis]

Hi Sean,

On 3/30/20 11:40 PM, Sean Lair via Pdns-users wrote:
> Should we be running “pdnsutil rectify-all-zones” anytime a new record
> is added?  Is there a way to automate this after every record or should
> we have it scheduled via cron?

The answer is 'it depends'. It mostly depends on how the how the zones
are edited, if you use DNSSEC and is the edits happen on a hidden
master.

If you're not using DNSSEC, rectification is not needed.

If you are using DNSSEC and the zones are edited on a hidden master (no
resolvers talk to this authoritative server), PowerDNS will generate the
correct NSECx records when it sends the AXFR and no rectification is
needed on the master.

If you're using DNSSEC and the server that the edits happen on does
receive queries from resolvers, you indeed need to rectify. Now it can
depend on how the records are modified.

If the edits happen via `pdnsutil edit-zone`, the zone is rectified when
it is saved.

If the edits happen by directly changing content in the database (which
is not recommended), you'll need to call `pdnsutil rectify ZONE` for
each edited zone, or `pdnsutil rectify-all-zones` if you don't know what
changes when.

If you're using the API[1] to change the records (which we do recommend),
you _can_ call `pdnsutil` as above. However, you can also set the
`api_rectify` property of the zone to `true`[2]. Then the zone will be
rectified after the changed records have been stored.

I hope this clarifies it for you. If not, don't hesitate to reply to the
mailinglist.

Best regards,

Pieter

1 - https://doc.powerdns.com/authoritative/http-api/index.html
2 - https://doc.powerdns.com/authoritative/http-api/zone.html#zone

-- 
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com