[Pdns-users] Automated DNSSEC Keyrollover

Jan-Piet Mens list at mens.de
Thu May 5 16:45:13 UTC 2022

>I don't like to compare pDNS with Bind, but ZSK Rollover is built in since Bind 9.7.

BIND's key rollover "automation" was such that keys had to be created and a
rollover could then be kicked; alternatively timing information in the key
metadata ensured that.

Be that as it may, comparing BIND to PowerDNS for this is a moot point. Many
operators are not interested in key rollovers so PowerDNS not having such a
feature  is not a problem for them.

>but does pDNS support automated ZSK (and KSK ) Rollovers in future versions?

Whether or not PowerDNS will, in future, provide automated rollovers is likely
a question of providing code and/or sponsoring its development.

I haven't looked recently, but it might well be possible with a judicious use of
pdnsutil(1) to kick a rollover; create new key, wait, remove old keys.


More information about the Pdns-users mailing list