[Pdns-users] Automated DNSSEC Keyrollover

Adrian Kägi aka at nts.ch
Thu May 5 08:06:38 UTC 2022

This really seems to be a complicated part!
~4000 lines of code can be a reason to fail!

I am wondering why there is no "prebuilt" solution for this.

I don't like to compare pDNS with Bind, but ZSK rollover has been built in since Bind 9.7.
... OK, that is only half the story, but will pDNS support automated ZSK (and KSK) rollovers in future versions?

Regards Adrian

On Thu. 5. May 2022 09:50 CEST, Klaus Darilion <klaus.darilion at nic.at> wrote:
>> -----Original Message-----
>> From: Pdns-users <pdns-users-bounces at mailman.powerdns.com> On behalf of
>> Adrian Kägi via Pdns-users
>> Sent: Thursday, 5 May 2022 09:36
>> To: pdns-users at mailman.powerdns.com
>> Subject: [Pdns-users] Automated DNSSEC Keyrollover
>> Good day
>> We have been using pDNS for a couple of years with great success in an ISP
>> environment.
>> For the DNSSEC implementation I made a lab setup like:
>> - pdns v 4.7.0 - alpha1
>> - DNS Multimaster Setup
>> - Mysql Replication master-> slaves
>> DNSSEC can be enabled with an API call and/or pdnsutil. As our registry
>> accepts CDS records, we have a comfortable way to establish the chain of
>> trust.
>> Now I would like to roll over the ZSK and of course the KSK on a periodic
>> basis.
>> I am aware of these two howtos:
>> https://doc.powerdns.com/authoritative/guides/zskroll.html
>> https://doc.powerdns.com/authoritative/guides/kskroll.html
>> Is this the only way for a key rollover? Sorry if I have missed
>> something in the docs!
>> With hundreds of DNSSEC domains, the rollover must be automated.
>> I could not find any tested scripts/howto-do-it-in-real-life for pDNS
>> rollovers...
>> How is the pDNS way for a key rollover in an environment with >100
>> domains? ... Life of an admin... ;)

> In our case it is ~4000 lines of PHP code/scripts which:
> - check the age of the KSK/ZSK
> - create new keys when the existing keys are old and pre-publish them
> - calculate when it is safe to use the new keys
> - activate the new keys
> - for KSKs, track the DS updates in the parent zone
> - calculate when it is safe to remove the old keys
> - remove the old keys
>
> IMO, all this key handling is much more complicated than DNSSEC/signing itself.


-- Adrian Kägi
Network Engineer

Direct +41 31 517 77 19 | Phone +41 31 517 77 77 
NTS Workspace AG             colocate lightspeed 
Wölflistrasse 1d  |  CH-3006 Bern  |  www.nts.ch 
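The ZSK part of Klaus's list above is the pre-publish rollover of RFC 6781, and its "calculate when it is safe" steps are just TTL arithmetic. Below is an added example, not code from either poster or from the PowerDNS project, showing that timing logic as a cron-driven state machine; the `ZskState` record, the `KeyOps` adapter and the TTL/propagation defaults are assumptions, each adapter call maps onto one `pdnsutil` subcommand (or the equivalent cryptokeys API request), and the KSK/DS-tracking step is deliberately left out.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional


@dataclass
class ZskState:
    """Per-zone bookkeeping (assumed; persist it yourself, PowerDNS stores no key ages).
    Key ids are the ones `pdnsutil show-zone` / the cryptokeys API report."""
    zone: str
    active_id: int                        # key currently producing RRSIGs
    active_since: datetime
    standby_id: Optional[int] = None      # successor: published, inactive
    published_at: Optional[datetime] = None
    retired_id: Optional[int] = None      # predecessor: still published, no longer signing
    retired_at: Optional[datetime] = None


@dataclass
class KeyOps:
    """Hypothetical adapter; each field wraps one pdnsutil subcommand or API call."""
    add_inactive_zsk: Callable[[str], int]        # pdnsutil add-zone-key ZONE zsk inactive -> id
    set_active: Callable[[str, int, bool], None]  # pdnsutil activate-/deactivate-zone-key ZONE ID
    remove_key: Callable[[str, int], None]        # pdnsutil remove-zone-key ZONE ID


def rollover_step(st: ZskState, now: datetime, ops: KeyOps, *,
                  max_age=timedelta(days=90), dnskey_ttl=timedelta(hours=1),
                  zone_max_ttl=timedelta(days=1), propagation=timedelta(hours=2)) -> str:
    """Advance the pre-publish rollover by at most one phase; safe to call from cron."""
    z = st.zone
    # Phase 3: the predecessor may only be deleted once every RRSIG it made has
    # expired from caches: longest TTL in the zone plus propagation to secondaries.
    if st.retired_id is not None:
        if now - st.retired_at < zone_max_ttl + propagation:
            return "waiting-remove"
        ops.remove_key(z, st.retired_id)
        st.retired_id = st.retired_at = None
        return "removed-old"
    # Phase 2: swap signing keys once the new DNSKEY is in every cache
    # (DNSKEY TTL plus propagation); the old key stays published for now.
    if st.standby_id is not None:
        if now - st.published_at < dnskey_ttl + propagation:
            return "waiting-activate"
        ops.set_active(z, st.standby_id, True)
        ops.set_active(z, st.active_id, False)
        st.retired_id, st.retired_at = st.active_id, now
        st.active_id, st.active_since = st.standby_id, now
        st.standby_id = st.published_at = None
        return "activated-new"
    # Phase 1: pre-publish a successor once the signing key has aged out.
    if now - st.active_since >= max_age:
        st.standby_id, st.published_at = ops.add_inactive_zsk(z), now
        return "prepublished-new"
    return "idle"
```

Run it once per zone on a schedule; the phase order guarantees that a zone never has more than one transition in flight, and a step that is not yet due returns a "waiting-" result without touching the keys.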
