[Pdns-users] DNSSEC and

Xan Charbonnet xan at charbonnet.com
Tue Aug 22 13:19:14 UTC 2023


I so appreciate your help.  It sounds like my intended configuration 
should be fine, then.  I might suggest to the powers that be that the 
documentation address this question.

The reason I have two servers is for redundancy, so I'll probably give 
both instances write access, but as you say that should work fine.

Thanks again,

On 8/22/23 07:45, Frank Louwers wrote:
> Hi Xan,
> The weekly changes are not key rollovers, they are RRSIG 
> updates/resignings. These are done on the fly (in online mode), and not 
> stored in the database.
> The backend only contains the ZSK/KSK/CSK, which will only change if you 
> issue a command to roll them. Even if you would issue the change command 
> on both servers, the new keys would be stored in the unique database if 
> you have just 1 backend database, so both would use the new key (there 
> might be short-term caching issues). Personally, I would only configure 
> 1 of the PowerDNS servers to have write access to the backend DB, the 
> other ones would just have SELECT privileges on the db.
> Cheers,
> Frank
>> On 22 Aug 2023, at 14:25, Xan Charbonnet <xan at charbonnet.com> wrote:
>> Thank you, Frank.
>> I am aiming to do online signing, but my concern is the weekly key 
>> rollover.  Wouldn't both PowerDNS instances attempt to perform key 
>> rollover on the same database at the same time?  Do they not step on 
>> each other's toes?
>> -Xan
>> On 8/22/23 07:03, Frank Louwers via Pdns-users wrote:
>>> Hi Xan,
>>> It depends which DNSSEC you choose. If you would pick "Online 
>>> Signing" for instance (great unless you have very busy servers with 
>>> lots of domains), the "keying data" is stored in the database as 
>>> well, so both servers would use the same data to sign the zone, 
>>> resulting in consistent signatures (as long as your MariaDB 
>>> replication isn't broken).
>>> Seehttps://doc.powerdns.com/authoritative/dnssec/modes-of-operation.html#online-signing <https://doc.powerdns.com/authoritative/dnssec/modes-of-operation.html#online-signing><https://doc.powerdns.com/authoritative/dnssec/modes-of-operation.html#online-signing <https://doc.powerdns.com/authoritative/dnssec/modes-of-operation.html#online-signing>> for more info and other ways of turning on DNSSEC on PowerDNS.
>>> Frank
>>> Frank Louwers
>>> PowerDNS Certified Consultant @ Kiwazo.be
>>>> On 21 Aug 2023, at 17:03, Xan Charbonnet via Pdns-users 
>>>> <pdns-users at mailman.powerdns.com> wrote:
>>>> Hello everyone,
>>>> We've been successfully using PowerDNS for some time, and are 
>>>> looking into enabling DNSSEC.
>>>> If two PowerDNS authoritative servers are set up for native 
>>>> replication, sharing a single MariaDB backend where the database is 
>>>> replicated using MariaDB's replication, how would DNSSEC be enabled? 
>>>>  If I just turn it on, wouldn't the two servers step on each other's 
>>>> toes when it came time to do a key rollover?  Or is that not a problem?
>>>> Thanks in advance.
>>>> _______________________________________________
>>>> Pdns-users mailing list
>>>> Pdns-users at mailman.powerdns.com
>>>> https://mailman.powerdns.com/mailman/listinfo/pdns-users
>>> _______________________________________________
>>> Pdns-users mailing list
>>> Pdns-users at mailman.powerdns.com <mailto:Pdns-users at mailman.powerdns.com>
>>> https://mailman.powerdns.com/mailman/listinfo/pdns-users 
>>> <https://mailman.powerdns.com/mailman/listinfo/pdns-users>

More information about the Pdns-users mailing list