[Pdns-users] Automated DNSSEC Keyrollover

Pieter Lexis pieter+powerdns at plexis.eu
Thu May 5 19:56:26 UTC 2022

Hi Adrian, JP,

On 5/5/22 18:45, Jan-Piet Mens via Pdns-users wrote:
> I haven't looked recently, but it might well be possible with a
> judicious use of pdnsutil(1) to kick a rollover; create new key, wait,
> remove old keys.

Another solution is using the CryptoKeys API[1]; you can store the
timing information with the program/tool that calls the API (e.g. in a
database or on-disk file). If you want to persist this data inside
PowerDNS, you could use metadata starting with 'X-'[2,3].

Having an external application saves a _lot_ of complexity inside the



1 - https://doc.powerdns.com/authoritative/http-api/cryptokey.html
2 - https://doc.powerdns.com/authoritative/http-api/metadata.html
3 -

Pieter Lexis
E: pieter at plexis.eu
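
The external-tool approach described in the message above, as an added example that is not part of the original post or of PowerDNS: a planner that, given the zone's Cryptokey list and stored timing state, returns the next CryptoKeys API request for a pre-publish ZSK rollover, plus the request that persists the state in 'X-' metadata. It sends nothing over the network. The metadata kind `X-ROLLOVER`, the phase names, the single `wait` delay standing in for the TTL-based waits, and the sample keys are assumptions.

```python
import json

API = "/api/v1/servers/localhost/zones"  # "localhost" is the usual server id
META_KIND = "X-ROLLOVER"                 # hypothetical metadata kind (assumption)

def plan(zone, keys, state, now, lifetime, wait):
    """Return (new_state, request) for one pre-publish ZSK rollover step.

    keys  : list of Cryptokey objects as returned by GET .../cryptokeys
    state : {"phase": str, "since": int, "old": int or None}
    request is (method, path, body), or None when nothing is due yet.
    """
    base = f"{API}/{zone}/cryptokeys"
    zsks = [k for k in keys if k["keytype"] == "zsk"]
    age = now - state["since"]
    phase, old = state["phase"], state.get("old")
    if phase == "stable" and age >= lifetime:
        old = next(k["id"] for k in zsks if k["active"])
        # The new key is created inactive: present in the zone, not signing yet.
        return ({"phase": "published", "since": now, "old": old},
                ("POST", base, {"keytype": "zsk", "active": False}))
    if phase == "published" and age >= wait:
        new = next(k["id"] for k in zsks if k["id"] != old)
        return ({"phase": "swapping", "since": now, "old": old},
                ("PUT", f"{base}/{new}", {"active": True}))
    if phase == "swapping":
        # Second half of the swap: the old key stops signing right away.
        return ({"phase": "retiring", "since": now, "old": old},
                ("PUT", f"{base}/{old}", {"active": False}))
    if phase == "retiring" and age >= wait:
        return ({"phase": "stable", "since": now, "old": None},
                ("DELETE", f"{base}/{old}", None))
    return state, None

def save_state(zone, state):
    """Request that persists the timing state in PowerDNS zone metadata."""
    body = {"kind": META_KIND, "metadata": [json.dumps(state)]}
    return ("PUT", f"{API}/{zone}/metadata/{META_KIND}", body)

# Constructed sample: one KSK and one active ZSK, last rolled at t=0.
KEYS = [{"id": 1, "keytype": "ksk", "active": True},
        {"id": 2, "keytype": "zsk", "active": True}]
```

A caller would run `plan` from cron, send the returned request if there is one, and then send `save_state` with the new state.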
