Ok, thanks everyone for suggestions!

azur





Quoting frank+pdns--- via Pdns-users <pdns-users@mailman.powerdns.com>:

Hi Azur,

Ha, indeed, it seems they did…

Best practice would still be to have a 1:1 relationship between a keyset and a domain, so create a new keyset for every dnssec-domain.

If you do want to reuse your dnssec keys, you have a few options:

- fiddle with the custom query options in pdns.conf to return “the correct record” for a domain, maybe based on a view in the db?

- keep the “golden” cryptokey you want to use somewhere in your code, and use the API or the DB to insert that particular key as the domain’s cryptokey. Disadvantage: whenever you want to change the key, you’d have to update all the cryptokey records

- rethink everything, go the recommended route and use a different DS/KEYSET for every domain (which means creating a new KEYSET for every domain)

Kind Regards,

Frank Louwers
Certified PowerDNS Consultant @ Kiwazo.be <http://kiwazo.be/>







On 20 May 2019, at 10:41, azu...@pobox.sk wrote:

Hi Frank,

It's mandatory for .CZ domains, so if you don't sign every domain with the same key, you need to register a KEYSET for every domain. So this is what I'm trying to solve.





Quoting frank+pdns--- via Pdns-users <pdns-users@mailman.powerdns.com>:

Hi Azur,

It’s possible to do so, by manipulating the database directly (see the cryptokeys table).

However, let’s take a step back: what problem are you trying to solve? As far as I know, there’s not a single TLD where the use of KEYSETs is mandatory. Some offer it as an extra feature, but I am not aware of any TLD where this would be mandatory.

Kind Regards,

Frank Louwers
Certified PowerDNS Consultant @ Kiwazo.be <http://kiwazo.be/>
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com <mailto:Pdns-users@mailman.powerdns.com>
https://mailman.powerdns.com/mailman/listinfo/pdns-users <https://mailman.powerdns.com/mailman/listinfo/pdns-users>


