Hello All,

New at PowerDNS. Implemented pdns on CentOS 7, native MySQL setup. MariaDB 10.2.10, PowerDNS 4.1rc2.
We are using .ca domains for testing. We have run pdnsutil secure-zone ZONE on two domains now with success after submitting DNSKEY+DS (sha256) to CIRA.

My question is concerning key rollovers. It is my understanding that pdns uses inline signing (which I'm not sure I completely understand yet), but the gist of what I understand is that for domain.ca (changed for security):

1. DNSKEY does not change
2. DS record at CIRA (registry) does not change
3. RRSIG records are created on the fly, and will roll over automatically?

Example below:

    domain.ca. 120 IN RRSIG A 13 2 120 20171116000000 20171026000000 6782 domain.ca. 8VbQZdC61XGIVIOjq4WVrpWne+Hr9dx9LlKAWgmmgYNjMC8DeFro1MsW 6XUdp6pujunpmKzVZ+xxxxxxxxxxPQ==

What I don't understand is that we just secured this particular domain today. The RRSIG expiry is 16 Nov. and it says the valid-from is Oct. 26. I don't get that.

It's the same for the other domain we used to test, but it was secured earlier, more than a few days ago, and it says the same thing:

    domain2.ca RRSIG A 13 2 120 20171116000000 20171026000000 56566 domain2.ca. ynIl32Wyl9theZx0Vi5u1GJS2ObDqUoLI+h7knzRjQrHpPDl/Bwesrxj VmHWjmDunMYfxxxxxxxxxxlOUvX3Rw==

So this one still has the exact same RRSIG parameters, good till Nov. 16 and started Oct. 26.

This is not making sense to me, and any help would be appreciated. I have read and read pdns docs, dnssec docs, and this eludes my comprehension.

Am I to understand, though, that the RRSIGs created by inline signing on the fly by pdns will automatically keep being rolled over, re-created with newer expiry dates and good-from dates?

Thanks for any and all help.

Eric
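An added example, not part of the original post and not PowerDNS code: it parses the validity fields of the two RRSIG records quoted above and compares them with a week-aligned signing window. The window model (three weeks, inception one week before the most recent Thursday 00:00 UTC, recomputed every Thursday) is an assumption taken from PowerDNS's documented live-signing default; the function names and the sample dates are constructed for illustration.

```python
import calendar
import time
from datetime import datetime, timezone

WEEK = 7 * 86400  # the Unix epoch began on a Thursday, so epoch weeks start on Thursday

# Constructed from the two records quoted in the post (signature data omitted).
SAMPLE = [
    "domain.ca. 120 IN RRSIG A 13 2 120 20171116000000 20171026000000 6782 domain.ca.",
    "domain2.ca RRSIG A 13 2 120 20171116000000 20171026000000 56566 domain2.ca.",
]

def parse_ts(stamp):
    """RRSIG presentation timestamp (YYYYMMDDHHMMSS, UTC) -> Unix seconds."""
    return calendar.timegm(time.strptime(stamp, "%Y%m%d%H%M%S"))

def fmt_ts(seconds):
    """Unix seconds -> RRSIG presentation timestamp."""
    return datetime.fromtimestamp(seconds, timezone.utc).strftime("%Y%m%d%H%M%S")

def rrsig_window(record):
    """Return (inception, expiration) in Unix seconds from an RRSIG line."""
    fields = record.split()
    i = fields.index("RRSIG")
    # After RRSIG: type covered, algorithm, labels, original TTL,
    # expiration, inception, key tag, signer name.
    return parse_ts(fields[i + 6]), parse_ts(fields[i + 5])

def weekly_window(now):
    """Assumed model: window snaps to the epoch week containing `now`."""
    start_of_week = now - now % WEEK          # most recent Thursday 00:00 UTC
    return start_of_week - WEEK, start_of_week + 2 * WEEK

if __name__ == "__main__":
    for rec in SAMPLE:
        inc, exp = rrsig_window(rec)
        print(rec.split()[0], fmt_ts(inc), "->", fmt_ts(exp),
              "days:", (exp - inc) // 86400,
              "thursday-aligned:", inc % WEEK == 0 and exp % WEEK == 0)
    # Constructed query times: one in the week of 2 Nov 2017, one a week later.
    for when in ("20171103120000", "20171109000000"):
        inc, exp = weekly_window(parse_ts(when))
        print("signed at", when, "->", fmt_ts(inc), fmt_ts(exp))
```

Under that model, any signature produced between 2 Nov and 8 Nov 2017 carries the same 26 Oct to 16 Nov window regardless of when the zone was secured, which matches both quoted records; the DNSKEY and DS are unaffected by the weekly change.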