[Pdns-users] DNSSEC and

[Xan Charbonnet]

Thank you, Frank.

I am aiming to do online signing, but my concern is the weekly key 
rollover.  Wouldn't both PowerDNS instances attempt to perform key 
rollover on the same database at the same time?  Do they not step on 
each other's toes?

-Xan



On 8/22/23 07:03, Frank Louwers via Pdns-users wrote:
> Hi Xan,
> 
> It depends which DNSSEC you choose. If you would pick "Online Signing" 
> for instance (great unless you have very busy servers with lots of 
> domains), the "keying data" is stored in the database as well, so both 
> servers would use the same data to sign the zone, resulting in 
> consistent signatures (as long as your MariaDB replication isn't broken).
> 
> See 
> https://doc.powerdns.com/authoritative/dnssec/modes-of-operation.html#online-signing <https://doc.powerdns.com/authoritative/dnssec/modes-of-operation.html#online-signing> for more info and other ways of turning on DNSSEC on PowerDNS.
> 
> Frank
> 
> 
> Frank Louwers
> PowerDNS Certified Consultant @ Kiwazo.be
> 
>> On 21 Aug 2023, at 17:03, Xan Charbonnet via Pdns-users 
>> <pdns-users at mailman.powerdns.com> wrote:
>>
>> Hello everyone,
>>
>> We've been successfully using PowerDNS for some time, and are looking 
>> into enabling DNSSEC.
>>
>> If two PowerDNS authoritative servers are set up for native 
>> replication, sharing a single MariaDB backend where the database is 
>> replicated using MariaDB's replication, how would DNSSEC be enabled? 
>>  If I just turn it on, wouldn't the two servers step on each other's 
>> toes when it came time to do a key rollover?  Or is that not a problem?
>>
>> Thanks in advance.
>> _______________________________________________
>> Pdns-users mailing list
>> Pdns-users at mailman.powerdns.com
>> https://mailman.powerdns.com/mailman/listinfo/pdns-users
> 
> 
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users