Hi, this really seems to be a complicated part! ~4000 lines of code can be reasons to fail!

I am wondering why there is no "prebuilt" solution for this. I don't like to compare pDNS with Bind, but ZSK rollover has been built in since Bind 9.7. ... OK, that is only half the story, but does pDNS support automated ZSK (and KSK) rollovers in future versions?

Regards
Adrian

On Thu. 5. May 2022 09:50 CEST, Klaus Darilion <klaus.daril...@nic.at> wrote:

> -----Original Message-----
> From: Pdns-users <pdns-users-boun...@mailman.powerdns.com> On behalf of Adrian Kägi via Pdns-users
> Sent: Thursday, 5 May 2022 09:36
> To: pdns-users@mailman.powerdns.com
> Subject: [Pdns-users] Automated DNSSEC Keyrollover
>
> Good day
> We have used pDNS for a couple of years with great success in an ISP environment.
> For the DNSSEC implementation I made a lab setup like:
> - pdns v4.7.0-alpha1
> - DNS multi-master setup
> - MySQL replication master -> slaves
>
> DNSSEC can be enabled with an API call and/or pdnsutil. As our registry accepts CDS records, we have a comfortable way to establish the chain of trust.
>
> Now I would like to roll over the ZSK and of course the KSK on a periodical basis.
> I am aware of these two howtos:
> https://doc.powerdns.com/authoritative/guides/zskroll.html
> https://doc.powerdns.com/authoritative/guides/kskroll.html
>
> Is this the only way for a key rollover? Sorry if I have missed something in the docs!
> With hundreds of DNSSEC domains, the rollover must be automated.
>
> I could not find any tested scripts/howto-do-it-in-real-life for pDNS rollovers...
> How is the pDNS way for a key rollover in an environment with >100 domains? ... Life of an admin... ;)
>
> In our case it is ~4000 lines of PHP code/scripts which:
> - check the age of KSK/ZSK
> - create new keys in case of old keys and pre-publish them
> - calculate when it is safe to use the new keys
> - activate the new keys
> - for KSKs track the DS updates in the parent zone
> - calculate when it is safe to remove the old keys
> - remove the old keys
>
> IMO, all this key handling is much more complicated than DNSSEC/signing itself.
>
> regards
> Klaus

--
Adrian Kägi
Network Engineer
Direct +41 31 517 77 19 | Phone +41 31 517 77 77
NTS Workspace AG
colocate lightspeed
Wölflistrasse 1d | CH-3006 Bern | www.nts.ch
_______________________________________________ Pdns-users mailing list Pdns-users@mailman.powerdns.com https://mailman.powerdns.com/mailman/listinfo/pdns-users
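The step list in Klaus's reply (check key age, pre-publish, wait, activate, wait, remove) is a pre-publish ZSK rollover, and the two "calculate when it is safe" steps are the part that bites: the new DNSKEY must have been publishable for at least the DNSKEY TTL before it may sign anything, and the old key must stay published for at least the largest TTL in the zone after it stops signing, otherwise a resolver can hold a cached RRSIG with no matching DNSKEY and the zone goes bogus. The planner below is an added example written for this thread; it is not code from the list, from Klaus's PHP scripts or from PowerDNS. It only emits the `pdnsutil` commands named in the linked zskroll guide and never runs them; the zone name, TTLs, key ids, the 90-day key-age policy, the one-hour propagation slack and the `ecdsa256` algorithm argument are all constructed assumptions. KSK rollover (tracking the DS in the parent) is deliberately out of scope.

```python
"""Pre-publish ZSK rollover planner modelled on the seven steps from the thread.
Added example, not the thread's or PowerDNS's own code. It decides which step is
due for a zone and returns the matching pdnsutil command without executing it."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

PROPAGATION = timedelta(hours=1)   # assumed slack for secondaries to pick up the zone


@dataclass
class Key:
    key_id: int                       # pdnsutil key id (constructed values below)
    active: bool                      # whether the key currently signs
    created: datetime                 # when it was pre-published (add-zone-key)
    activated: Optional[datetime] = None
    deactivated: Optional[datetime] = None


@dataclass
class Zone:
    name: str
    dnskey_ttl: int                   # TTL of the DNSKEY RRset, seconds
    max_rr_ttl: int                   # largest TTL in the zone, seconds (RRSIG cache lifetime)
    max_key_age: timedelta            # policy: roll the ZSK after this long
    zsks: List[Key] = field(default_factory=list)


Step = Tuple[str, Optional[int], Optional[str]]   # (action, key id, pdnsutil command)


def plan_zsk_step(zone: Zone, now: datetime) -> Step:
    """Return the single next step for the zone; 'wait-*' and 'idle' carry no command."""
    active = [k for k in zone.zsks if k.active]
    pending = [k for k in zone.zsks if not k.active and k.deactivated is None]
    retired = [k for k in zone.zsks if k.deactivated is not None]
    # Steps 6+7: remove a retired key only once signatures it made can no longer be cached.
    for k in retired:
        if now - k.deactivated >= timedelta(seconds=zone.max_rr_ttl) + PROPAGATION:
            return ("remove", k.key_id, f"pdnsutil remove-zone-key {zone.name} {k.key_id}")
        return ("wait-rrsig", k.key_id, None)
    # Steps 3+4: switch to a pre-published key once every cache can have seen its DNSKEY.
    for k in pending:
        if now - k.created >= timedelta(seconds=zone.dnskey_ttl) + PROPAGATION:
            cmd = f"pdnsutil activate-zone-key {zone.name} {k.key_id}"
            for old in active:
                cmd += f" && pdnsutil deactivate-zone-key {zone.name} {old.key_id}"
            return ("activate", k.key_id, cmd)
        return ("wait-dnskey", k.key_id, None)
    # Steps 1+2: pre-publish a successor when the active key has reached its age limit.
    for k in active:
        if now - (k.activated or k.created) >= zone.max_key_age:
            return ("prepublish", k.key_id,
                    f"pdnsutil add-zone-key {zone.name} zsk inactive ecdsa256")
    return ("idle", None, None)


def apply_step(zone: Zone, now: datetime, step: Step) -> None:
    """Update the local model as if the emitted command had succeeded (ids are assumed)."""
    action, key_id, _ = step
    if action == "prepublish":
        zone.zsks.append(Key(max(k.key_id for k in zone.zsks) + 1, False, now))
    elif action == "activate":
        for k in zone.zsks:
            if k.active:
                k.active, k.deactivated = False, now
            elif k.key_id == key_id:
                k.active, k.activated = True, now
    elif action == "remove":
        zone.zsks = [k for k in zone.zsks if k.key_id != key_id]


def simulate(zone: Zone, start: datetime, hours: int) -> List[Tuple[int, str, str]]:
    """Run the planner once per hour and record every step that produced a command."""
    log = []
    for h in range(hours):
        now = start + timedelta(hours=h)
        step = plan_zsk_step(zone, now)
        if step[2]:
            log.append((h, step[0], step[2]))
            apply_step(zone, now, step)
    return log


DEMO_START = datetime(2022, 5, 5, 9, 0, tzinfo=timezone.utc)   # constructed clock


def run_demo():
    """Constructed zone: one 100-day-old ZSK, DNSKEY TTL 1h, max TTL 1d, 90-day policy."""
    old = DEMO_START - timedelta(days=100)
    zone = Zone("example.com", 3600, 86400, timedelta(days=90), [Key(1, True, old, old)])
    return simulate(zone, DEMO_START, 48), zone


if __name__ == "__main__":
    for hour, action, cmd in run_demo()[0]:
        print(f"+{hour:02d}h {action:<10} {cmd}")
```

With the constructed TTLs the run emits the pre-publish at hour 0, the activate/deactivate pair at hour 2 (DNSKEY TTL plus slack) and the removal at hour 27 (max zone TTL plus slack after deactivation); every other hourly pass returns a wait or idle. Feeding real values from `pdnsutil list-keys` and the zone's actual TTLs into `Zone` is what turns this from a model into the scheduler Klaus describes.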