[Pdns-users] Automated DNSSEC Keyrollover
Jan-Piet Mens
list at mens.de
Thu May 5 16:45:13 UTC 2022

> I don't like to compare pDNS with Bind, but ZSK Rollover is built in since Bind 9.7.

BIND's key rollover "automation" was such that keys had to be created and a
rollover could then be kicked; alternatively timing information in the key
metadata ensured that.
Be that as it may, comparing BIND to PowerDNS for this is a moot point. Many
operators are not interested in key rollovers so PowerDNS not having such a
feature is not a problem for them.

> but does pDNS support automated ZSK (and KSK ) Rollovers in future versions?

Whether or not PowerDNS will, in future, provide automated rollovers is likely
a question of providing code and/or sponsoring its development.
I haven't looked recently, but it might well be possible with a judicious use of
pdnsutil(1) to kick a rollover; create new key, wait, remove old keys.
-JP
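
The "create new key, wait, remove old keys" sequence from the reply above, written out as a pre-publish ZSK rollover in three separately invoked phases. This is an added example, not part of the original post and not PowerDNS project code; the zone name, key ids, the ecdsa256 default and all function names are assumptions. The waits between phases are left to the operator's scheduler and depend on the zone's TTLs.

```shell
#!/bin/sh
# Added example: pre-publish ZSK rollover with pdnsutil, split into three phases.
# Zone name, key ids and the ecdsa256 default are placeholders (assumptions).
PDNSUTIL="${PDNSUTIL:-pdnsutil}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands that would run

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

need_zone() {
    [ -n "${1:-}" ] || { echo "zone name required" >&2; return 2; }
}

need_id() {
    case "${1:-}" in
        ''|*[!0-9]*) echo "key id must be numeric: '${1:-}'" >&2; return 2 ;;
    esac
}

# Phase 1 "create new key": published in the DNSKEY set, not yet signing.
zsk_prepublish() {   # usage: zsk_prepublish ZONE [ALGORITHM]
    need_zone "${1:-}" || return 2
    run "$PDNSUTIL" add-zone-key "$1" zsk inactive "${2:-ecdsa256}"
}

# Phase 2, after "wait" (old DNSKEY set has expired from caches): switch signing keys.
# Activate first, and deactivate only if that worked, so the zone always has an active ZSK.
zsk_swap() {         # usage: zsk_swap ZONE NEW_ID OLD_ID
    need_zone "${1:-}" && need_id "${2:-}" && need_id "${3:-}" || return 2
    [ "$2" != "$3" ] || { echo "new and old key id are the same" >&2; return 2; }
    run "$PDNSUTIL" activate-zone-key "$1" "$2" &&
        run "$PDNSUTIL" deactivate-zone-key "$1" "$3"
}

# Phase 3 "remove old keys", after signatures made by the old key have expired from caches.
zsk_retire() {       # usage: zsk_retire ZONE OLD_ID
    need_zone "${1:-}" && need_id "${2:-}" || return 2
    run "$PDNSUTIL" remove-zone-key "$1" "$2"
}

# Stand-alone use: ./zskroll.sh prepublish|swap|retire ARGS...
case "${1:-}" in
    prepublish) shift; zsk_prepublish "$@" ;;
    swap)       shift; zsk_swap "$@" ;;
    retire)     shift; zsk_retire "$@" ;;
esac
```

With `DRY_RUN=1` (the default) each phase only prints the `pdnsutil` command line, which makes it possible to review a scheduled rollover before letting it touch key material.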