[Pdns-users] Automated DNSSEC Keyrollover
Pieter Lexis
pieter+powerdns at plexis.eu
Thu May 5 19:56:26 UTC 2022
Hi Adrian, JP,
On 5/5/22 18:45, Jan-Piet Mens via Pdns-users wrote:
> I haven't looked recently, but it might well be possible with a
> judicious use of pdnsutil(1) to kick a rollover; create new key,
> wait, remove old keys.
Another solution is using the CryptoKeys API[1]; you can store the
timing information with the program/tool that calls the API (e.g. in a
database or on-disk file). If you want to persist this data inside
PowerDNS, you could use metadata starting with 'X-'[2,3].
Having an external application saves a _lot_ of complexity inside the
nameserver.
Cheers,
Pieter
1 - https://doc.powerdns.com/authoritative/http-api/cryptokey.html
2 - https://doc.powerdns.com/authoritative/http-api/metadata.html
3 - https://doc.powerdns.com/authoritative/domainmetadata.html#extra-metadata
--
Pieter Lexis
E: pieter at plexis.eu
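
A sketch of the external tool described in the message above, added here as an example and not code from the message or from PowerDNS. It plans a pre-publish ZSK rollover as CryptoKeys API calls and keeps its timing data in 'X-' metadata. The function `plan_step`, the metadata kind `X-ZSK-ROLLOVER`, the server id `localhost` and the three-phase schedule are assumptions of this example.

```python
import json

API = "/api/v1/servers/localhost/zones/{zone}"  # PowerDNS HTTP API prefix
KIND = "X-ZSK-ROLLOVER"  # hypothetical metadata kind picked for this example

def plan_step(zone, keys, state, now, lifetime, wait):
    """Plan one scheduler run; returns (api_calls, new_state).

    keys:  list as returned by GET .../cryptokeys
    state: dict decoded from the X- metadata value, None on the first run
    wait:  seconds covering the DNSKEY TTL and the largest TTL in the zone
    """
    base = API.format(zone=zone)
    zsks = [k for k in keys if k["keytype"] == "zsk"]
    active = [k["id"] for k in zsks if k["active"]]
    new = dict(state) if state else {"phase": "idle", "since": now}
    age = now - new["since"]
    calls = []
    if new["phase"] == "idle" and age >= lifetime and active:
        # 1. Publish a new ZSK that does not sign yet.
        calls.append(("POST", f"{base}/cryptokeys",
                      {"keytype": "zsk", "active": False}))
        new = {"phase": "published", "since": now, "old": active,
               "seen": [k["id"] for k in zsks]}
    elif new["phase"] == "published" and age >= wait:
        fresh = [k["id"] for k in zsks if k["id"] not in new["seen"]]
        if fresh:  # never retire the old key if the new one is missing
            # 2. Caches hold the new DNSKEY: swap the signing keys.
            for kid, on in [(i, True) for i in fresh] + [(i, False) for i in new["old"]]:
                calls.append(("PUT", f"{base}/cryptokeys/{kid}", {"active": on}))
            new = {"phase": "retired", "since": now, "old": new["old"]}
    elif new["phase"] == "retired" and age >= wait:
        if set(active) - set(new["old"]):  # another ZSK is still signing
            # 3. Old signatures have aged out of caches: delete the old keys.
            calls += [("DELETE", f"{base}/cryptokeys/{kid}", None)
                      for kid in new["old"] if any(k["id"] == kid for k in zsks)]
            new = {"phase": "idle", "since": now}
    if new != state:
        # Persist the timing data inside PowerDNS as 'X-' metadata.
        calls.append(("PUT", f"{base}/metadata/{KIND}",
                      {"kind": KIND, "metadata": [json.dumps(new)]}))
    return calls, new
```

A runner (cron job or timer) would fetch the key list and the metadata, call `plan_step`, and send each returned call to the API with the `X-API-Key` header.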