[Pdns-users] DNSSEC and
Xan Charbonnet
xan at charbonnet.com
Tue Aug 22 13:19:14 UTC 2023
Frank,
I so appreciate your help. It sounds like my intended configuration
should be fine, then. I might suggest to the powers that be that the
documentation address this question.
The reason I have two servers is for redundancy, so I'll probably give
both instances write access, but as you say that should work fine.
Thanks again,
Xan
On 8/22/23 07:45, Frank Louwers wrote:
> Hi Xan,
>
> The weekly changes are not key rollovers, they are RRSIG
> updates/resignings. These are done on the fly (in online mode), and not
> stored in the database.
>
> The backend only contains the ZSK/KSK/CSK, which will only change if you
> issue a command to roll them. Even if you would issue the change command
> on both servers, the new keys would be stored in the unique database if
> you have just 1 backend database, so both would use the new key (there
> might be short-term caching issues). Personally, I would only configure
> 1 of the PowerDNS servers to have write access to the backend DB, the
> other ones would just have SELECT privileges on the db.
>
> Cheers,
>
> Frank
>
>
>
>> On 22 Aug 2023, at 14:25, Xan Charbonnet <xan at charbonnet.com> wrote:
>>
>> Thank you, Frank.
>>
>> I am aiming to do online signing, but my concern is the weekly key
>> rollover. Wouldn't both PowerDNS instances attempt to perform key
>> rollover on the same database at the same time? Do they not step on
>> each other's toes?
>>
>> -Xan
>>
>>
>>
>> On 8/22/23 07:03, Frank Louwers via Pdns-users wrote:
>>> Hi Xan,
>>> It depends which DNSSEC you choose. If you would pick "Online
>>> Signing" for instance (great unless you have very busy servers with
>>> lots of domains), the "keying data" is stored in the database as
>>> well, so both servers would use the same data to sign the zone,
>>> resulting in consistent signatures (as long as your MariaDB
>>> replication isn't broken).
>>> See https://doc.powerdns.com/authoritative/dnssec/modes-of-operation.html#online-signing for more info and other ways of turning on DNSSEC on PowerDNS.
>>> Frank
>>> Frank Louwers
>>> PowerDNS Certified Consultant @ Kiwazo.be
>>>> On 21 Aug 2023, at 17:03, Xan Charbonnet via Pdns-users
>>>> <pdns-users at mailman.powerdns.com> wrote:
>>>>
>>>> Hello everyone,
>>>>
>>>> We've been successfully using PowerDNS for some time, and are
>>>> looking into enabling DNSSEC.
>>>>
>>>> If two PowerDNS authoritative servers are set up for native
>>>> replication, sharing a single MariaDB backend where the database is
>>>> replicated using MariaDB's replication, how would DNSSEC be enabled?
>>>> If I just turn it on, wouldn't the two servers step on each other's
>>>> toes when it came time to do a key rollover? Or is that not a problem?
>>>>
>>>> Thanks in advance.
>>>> _______________________________________________
>>>> Pdns-users mailing list
>>>> Pdns-users at mailman.powerdns.com
>>>> https://mailman.powerdns.com/mailman/listinfo/pdns-users
>
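The split Frank describes, one PowerDNS instance with write access and the others with SELECT only on the shared backend, expressed as MariaDB grants. This is an added example, not from the thread or the PowerDNS project; the database name `pdns`, the users `pdns_rw`/`pdns_ro`, the host addresses and the passwords are placeholders.

```sql
-- Added example: grants for two gmysql backends sharing one MariaDB database.
-- Placeholders: database pdns, users pdns_rw / pdns_ro, hosts 10.0.0.11 / 10.0.0.12.

-- Writer: the single instance on which key operations are run
-- (pdnsutil add-zone-key / activate-zone-key / rollovers write to
-- the cryptokeys and domainmetadata tables).
CREATE USER 'pdns_rw'@'10.0.0.11' IDENTIFIED BY '<writer-password>';
GRANT SELECT, INSERT, UPDATE, DELETE ON pdns.* TO 'pdns_rw'@'10.0.0.11';

-- Reader: serves and signs online from the same keys (signing only needs
-- to read them) but cannot alter keys or zone data. With native
-- replication there is no slave-side serial bookkeeping to write.
CREATE USER 'pdns_ro'@'10.0.0.12' IDENTIFIED BY '<reader-password>';
GRANT SELECT ON pdns.* TO 'pdns_ro'@'10.0.0.12';
FLUSH PRIVILEGES;

-- Check from either instance: the ZSK/KSK/CSK rows really live in the
-- shared database, so both servers sign with identical key material.
-- flags 257 = KSK or CSK, 256 = ZSK; active = 1 means used for signing.
SELECT d.name, c.id, c.flags, c.active
  FROM cryptokeys c
  JOIN domains d ON d.id = c.domain_id
 ORDER BY d.name, c.id;

-- Check run as pdns_ro: must fail with ERROR 1142 (command denied),
-- proving the reader cannot deactivate or roll a key by mistake.
-- UPDATE cryptokeys SET active = 0 WHERE id = 1;
```

Point each instance at its own user in pdns.conf (`gmysql-user`, `gmysql-password`); key operations then only succeed on the writer, which is the behaviour wanted here.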