On Tue, Jun 14, 2011 at 08:56:41PM +1200, Craig Whitmore wrote:
> I have been trying to automate this all and have a number of questions
>
> 1. http://doc.powerdns.com/dnssec-operational-doctrine.html says to use
> "pdnssec disable-dnssec" but there is no command so what is the "proper" way of
> making a domain insecure (the opposite of secure-zone basically)?
> remove-zone-key on all the keys will work? And then update SOA serial and
> remove anything in the domainmetadata table?

Almost. disable-dnssec would deactivate all keys, and unset 'presigned'.
Implemented this in 2216 which is now building.

> 2) pdnssec [options] [show-zone] [secure-zone] [rectify-zone] [add-zone-key]
> secure-zone Add KSK and two ZSKs
> secure-zone ZONE Add KSK and two ZSKs

Fixed, thanks!

> 3) do I have to run rectify-zone every time I add/change an entry. I add an
> entry into the database and then read the SOA and increase it and update it
> to be bigger.

This is described here:
http://doc.powerdns.com/dnssec-modes.html#dnssec-direct-database

In your case, you should be setting the 'auth' field too, which would
probably fix the problem.

Bert