Hi Alun,

> We currently edit records by way of PowerAdmin, which updates the master
> database directly and so the “PowerDNS Auth A” instance is not actually used or
> interacted with, normally. Zone/record updates are replicated to the “edge”
> Auth servers (B and C) via MySQL replication. We would like to enable DNSSec
> on a few of our domains, at least as a proof of concept. A few questions…
>
> I assume I need to enable gmysql-dnssec on ALL PowerDNS Auth instances (A, B
> and C)?
> Will PowerDNS commands to enable DNSSec signing of a zone need to be executed on
> “PowerDNS Auth A” ONLY (which will add the relevant records to the database
> and replicate them to B and C)?
> Given that PowerAdmin talks directly to the database, are any record changes here
> likely to cause a problem with these signed domains?
> Should I look at a newer GUI that implements the DNSSec commands and
> interacts with the PowerDNS API instead?
This is a setup we’ve built a few times for customers of ours, with these exact same components (we usually do add dnsdist for easier DDoS and abuse mitigation).

Unless you have a large number of queries against your nameservers, I would recommend doing “online signing” in PowerDNS, as described in https://docs.powerdns.com/authoritative/dnssec/modes-of-operation.html#online-signing. In that mode, only the keys are stored in the database, and thus you’d need to enable this feature on each of your PowerDNS auth servers.

Once you configure all instances to handle DNSSEC, there’s nothing extra to configure: the key info is stored in the database, the flags that enable dnssec are stored in the database, so as long as your replication works, you’re good!

While you could continue to work directly in the database, we do recommend people to use the API. When enabling DNSSEC, it’s very important to “rectify” the database structure after all changes. Using the API, this becomes much easier than fiddling with the DB directly. PowerAdmin can be configured to talk directly to the API.

As a precaution, I would enable the API only on the main PowerDNS server, and would grant the PowerDNS “slaves” read-only access to their own databases, to prevent accidental changes in these nodes.

Hope this helps!

Frank Louwers
Certified PowerDNS Consultant @ Kiwazo

> Thanks in advance…
>
> Regards,
>
> Alun.
>
> Alun James
> Senior Systems Engineer
> T: +44 (0) 28 9033 1122
> E: aja...@tibus.com
> W: www.tibus.com
> Tibus is a wholly-owned division of Wireless.
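The split Frank describes (gmysql-dnssec on every node, the API only on the node operators write to, rectify after every change) as a small check script; this is an added example, not code from the thread or from PowerDNS. The node config file names, API URL and API key are assumptions, and the API calls target the PowerDNS Authoritative 4.1+ JSON API.

```shell
#!/bin/sh
# Added example: check each auth node's pdns.conf against its role and
# secure + rectify a zone through the API on the primary.
# Assumptions: gmysql backend, PowerDNS Auth 4.1+, API reachable at $PDNS_API.

PDNS_API="${PDNS_API:-http://127.0.0.1:8081}"
PDNS_API_KEY="${PDNS_API_KEY:-CHANGE-ME}"

# True when the setting is present with a value PowerDNS accepts as enabled.
conf_is_on() {   # $1 = pdns.conf path, $2 = setting name
  grep -Eiq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*(yes|true|on|1)[[:space:]]*$" "$1"
}

# Check a node's config against its role; returns 0 when it fits.
#   primary   : gmysql-dnssec=yes AND api=yes (PowerAdmin/operators talk here)
#   secondary : gmysql-dnssec=yes AND no api  (nothing should write here)
check_node() {   # $1 = role, $2 = pdns.conf path
  conf_is_on "$2" gmysql-dnssec || { echo "$2: gmysql-dnssec not enabled" >&2; return 1; }
  case "$1" in
    primary)   conf_is_on "$2" api || { echo "$2: api not enabled on primary" >&2; return 1; } ;;
    secondary) ! conf_is_on "$2" api || { echo "$2: api enabled on a secondary" >&2; return 1; } ;;
    *) echo "unknown role: $1" >&2; return 2 ;;
  esac
}

# Constructed sample configs for the three nodes in the thread (A = primary).
# C deliberately lacks gmysql-dnssec, the mistake the first question is about.
write_sample_configs() {   # $1 = output directory
  printf 'launch=gmysql\ngmysql-dnssec=yes\nwebserver=yes\napi=yes\napi-key=%s\n' \
    "$PDNS_API_KEY" > "$1/A.conf"
  printf 'launch=gmysql\ngmysql-dnssec=yes\n' > "$1/B.conf"
  printf 'launch=gmysql\n# gmysql-dnssec forgotten on this node\n' > "$1/C.conf"
}

# Enable DNSSEC on a zone (keys are generated and land in the replicated DB)
# and rectify it, both via the API. Zone ids carry a trailing dot.
secure_zone_via_api() {   # $1 = zone name, e.g. example.com
  zone_id="${1%.}."
  curl -fsS -X PUT -H "X-API-Key: $PDNS_API_KEY" -H 'Content-Type: application/json' \
    -d '{"dnssec": true, "api_rectify": true}' \
    "$PDNS_API/api/v1/servers/localhost/zones/$zone_id" &&
  curl -fsS -X PUT -H "X-API-Key: $PDNS_API_KEY" \
    "$PDNS_API/api/v1/servers/localhost/zones/$zone_id/rectify"
}
```

Run `check_node secondary /etc/powerdns/pdns.conf` on B and C and `check_node primary ...` on A before securing the first zone; `secure_zone_via_api` only ever needs to be run against A, since the keys it creates replicate with the rest of the database.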
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users