On 14/06/11 9:33 PM, "bert hubert" <bert.hub...@netherlabs.nl> wrote:

>On Tue, Jun 14, 2011 at 08:56:41PM +1200, Craig Whitmore wrote:
>> I have been trying to automate this all and have a number of questions.
>>
>> 1. http://doc.powerdns.com/dnssec-operational-doctrine.html says to use
>> "pdnssec disable-dnssec" but there is no command, so what is the "proper"
>> way of making a domain insecure (the opposite of secure-zone, basically)?
>> remove-zone-key on all the keys will work? And then update SOA serial and
>> remove anything in the domainmetadata table?

Tested and works, but shouldn't you delete the cryptokeys for the domain in
the database as well, or something bad happens?

If I enable . All good..

ID = 18 (KSK), tag = 41954, algo = 8, bits = 2048 Active: 1
KSK DNSKEY = spam.co.nz IN DNSKEY 257 3 8
AwEAAeqMcemGL0stYFsyPSoqTTj2h/xOnLnP3REKmX3zp9mD3AFPabynZAn5NREYfUl97u2kIKq
KrBsW1TEm2yp8067EqgyZtUqiRyGl8lv5h+uInnpjmC4cHMLsvxt+S5b7vTcmwl8J2r3aGVe050
I2sALq8YEjnPWHiw5qLOQRoY72REa77fXyzoOW3hQKfTlJcco8gu363sYn4gYM9AFy/PJVXeUWq
WdTvyVmGbqapLISLnb9w+DCLa8N4RkbTIsImPy90e2qN6RYLUA1CoUaYuCtxUfqJC5OLE+deDJB
DwQ/+bGZSWORyJvbkOeq+xRfrDqJ4Gt98RZM3DwEvD8irDU=
DS = spam.co.nz IN DS 41954 8 1 73ecd73829cbce5a79117f6f1a452ec41a8ad821
DS = spam.co.nz IN DS 41954 8 2
fdd6e221ac2cf1e9e13c5af283851089b905be67eab7f0a0a3f4f10555caaac8

ID = 19 (ZSK), tag = 38065, algo = 8, bits = 1024 Active: 1
ID = 20 (ZSK), tag = 28923, algo = 8, bits = 1024 Active: 0


Then disable and then enable again.

ID = 18 (KSK), tag = 41954, algo = 8, bits = 2048 Active: 0
KSK DNSKEY = spam.co.nz IN DNSKEY 257 3 8
AwEAAeqMcemGL0stYFsyPSoqTTj2h/xOnLnP3REKmX3zp9mD3AFPabynZAn5NREYfUl97u2kIKq
KrBsW1TEm2yp8067EqgyZtUqiRyGl8lv5h+uInnpjmC4cHMLsvxt+S5b7vTcmwl8J2r3aGVe050
I2sALq8YEjnPWHiw5qLOQRoY72REa77fXyzoOW3hQKfTlJcco8gu363sYn4gYM9AFy/PJVXeUWq
WdTvyVmGbqapLISLnb9w+DCLa8N4RkbTIsImPy90e2qN6RYLUA1CoUaYuCtxUfqJC5OLE+deDJB
DwQ/+bGZSWORyJvbkOeq+xRfrDqJ4Gt98RZM3DwEvD8irDU=
DS = spam.co.nz IN DS 41954 8 1 73ecd73829cbce5a79117f6f1a452ec41a8ad821
DS = spam.co.nz IN DS 41954 8 2
fdd6e221ac2cf1e9e13c5af283851089b905be67eab7f0a0a3f4f10555caaac8

ID = 21 (KSK), tag = 60754, algo = 8, bits = 2048 Active: 1
KSK DNSKEY = spam.co.nz IN DNSKEY 257 3 8
AwEAAZ6aEkCc9D9UomiVim7NmHNTkVgOuphNdbRvjPt0Vd2XGt4dCUiICF2uErZUIADb5TC08d4
nS2Wo4W0sN8CjQj3ij4IKCAeKoQiejxvBsLp5nVqf8RS9dRN8FLvbPsfBjVPFB4MKSfWz9VpMnn
BMlJyWOgRaExKY0FR4Ydy3qH3aiHVq+jw941N/bXiQcYzWHzY4VhluD+T+nW4N1IuEp/6rs0tIY
bXp/GRm1VoxADY3wfv2VmLI6MZ0zLSf5UEYu+/vVFkJGLAGDuDKH8jEYc4Bu4h8fFHYycQisHEE
BbCSoXmbvWudjFd3CX0QF2fODtEZQWJuEkBTfbsJxLcvEzk=
DS = spam.co.nz IN DS 60754 8 1 78650a091d44b6a7a8878fcdd2971d283b3ea364
DS = spam.co.nz IN DS 60754 8 2
8ef196e23b9ba831438763962618db627202027a53ac4f3d605ce6aab8c87e57

ID = 19 (ZSK), tag = 38065, algo = 8, bits = 1024 Active: 0
ID = 20 (ZSK), tag = 28923, algo = 8, bits = 1024 Active: 0


Older KSK is there (deactivated)
New KSK in there (good)
2 ZSK's (both deactivated)


ordername is not blanked out for the domain either for each RR but that’s
less important as it won't make any difference (maybe)


Thanks
Craig
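
Added example, not part of Craig's message and not PowerDNS code: a Python check that compares two key listings in the format pasted above and reports what a disable/enable cycle left behind. The function names are illustrative, and the embedded input is the key lines from the message with the DNSKEY/DS lines omitted.

```python
import re

# Key lines copied from the two listings in the message (DNSKEY/DS lines omitted).
BEFORE = """\
ID = 18 (KSK), tag = 41954, algo = 8, bits = 2048 Active: 1
ID = 19 (ZSK), tag = 38065, algo = 8, bits = 1024 Active: 1
ID = 20 (ZSK), tag = 28923, algo = 8, bits = 1024 Active: 0
"""
AFTER = """\
ID = 18 (KSK), tag = 41954, algo = 8, bits = 2048 Active: 0
ID = 21 (KSK), tag = 60754, algo = 8, bits = 2048 Active: 1
ID = 19 (ZSK), tag = 38065, algo = 8, bits = 1024 Active: 0
ID = 20 (ZSK), tag = 28923, algo = 8, bits = 1024 Active: 0
"""

KEY_LINE = re.compile(
    r"ID = (\d+) \((KSK|ZSK)\), tag = (\d+), algo = (\d+), bits = (\d+)\s+Active: ([01])")

def parse_keys(listing):
    """Return {key id: record} for every key line in a listing."""
    keys = {}
    for m in KEY_LINE.finditer(listing):
        kid, ktype, tag, algo, bits, active = m.groups()
        keys[int(kid)] = {"type": ktype, "tag": int(tag), "algo": int(algo),
                          "bits": int(bits), "active": active == "1"}
    return keys

def compare(before, after):
    """List what changed in the stored key set between two listings."""
    findings = []
    for kid, key in after.items():
        label = f"{key['type']} id={kid} tag={key['tag']}"
        if kid not in before:
            findings.append(f"new {label}")
        elif before[kid]["active"] and not key["active"]:
            findings.append(f"{label} deactivated but still stored")
    for kid, key in before.items():
        if kid not in after:
            findings.append(f"{key['type']} id={kid} tag={key['tag']} removed")
    # A key type that exists but has no active member needs a manual look.
    for ktype in ("KSK", "ZSK"):
        same_type = [k for k in after.values() if k["type"] == ktype]
        if same_type and not any(k["active"] for k in same_type):
            findings.append(f"no active {ktype}")
    return findings

if __name__ == "__main__":
    for finding in compare(parse_keys(BEFORE), parse_keys(AFTER)):
        print(finding)
```
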


