Hi Xan,

The weekly changes are not key rollovers, they are RRSIG updates/resignings. These are done on the fly (in online mode), and not stored in the database.

The backend only contains the ZSK/KSK/CSK, which will only change if you issue a command to roll them. Even if you were to issue the change command on both servers, the new keys would be stored in the unique database if you have just 1 backend database, so both would use the new key (there might be short-term caching issues).

Personally, I would only configure 1 of the PowerDNS servers to have write access to the backend DB; the other ones would just have SELECT privileges on the db.

Cheers,
Frank

> On 22 Aug 2023, at 14:25, Xan Charbonnet <x...@charbonnet.com> wrote:
>
> Thank you, Frank.
>
> I am aiming to do online signing, but my concern is the weekly key rollover. Wouldn't both PowerDNS instances attempt to perform key rollover on the same database at the same time? Do they not step on each other's toes?
>
> -Xan
>
> On 8/22/23 07:03, Frank Louwers via Pdns-users wrote:
>> Hi Xan,
>>
>> It depends which DNSSEC you choose. If you would pick "Online Signing" for instance (great unless you have very busy servers with lots of domains), the "keying data" is stored in the database as well, so both servers would use the same data to sign the zone, resulting in consistent signatures (as long as your MariaDB replication isn't broken).
>>
>> See https://doc.powerdns.com/authoritative/dnssec/modes-of-operation.html#online-signing for more info and other ways of turning on DNSSEC on PowerDNS.
>>
>> Frank
>>
>> Frank Louwers
>> PowerDNS Certified Consultant @ Kiwazo.be
>>
>>> On 21 Aug 2023, at 17:03, Xan Charbonnet via Pdns-users <pdns-users@mailman.powerdns.com> wrote:
>>>
>>> Hello everyone,
>>>
>>> We've been successfully using PowerDNS for some time, and are looking into enabling DNSSEC.
>>>
>>> If two PowerDNS authoritative servers are set up for native replication, sharing a single MariaDB backend where the database is replicated using MariaDB's replication, how would DNSSEC be enabled? If I just turn it on, wouldn't the two servers step on each other's toes when it came time to do a key rollover? Or is that not a problem?
>>>
>>> Thanks in advance.
_______________________________________________ Pdns-users mailing list Pdns-users@mailman.powerdns.com https://mailman.powerdns.com/mailman/listinfo/pdns-users
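Frank's suggestion of giving only one PowerDNS server write access to the shared backend, expressed as MariaDB grants. This is an added example, not something posted in the thread or shipped by PowerDNS; the database name `pdns`, the host addresses and the account names are assumptions.

```sql
-- Added example (not from the thread). One read-write account for the single
-- PowerDNS server that is allowed to roll keys, one read-only account for the
-- other server. Database name 'pdns', host addresses and account names are
-- assumptions; substitute your own.

-- Account for the one server that may modify zones and DNSSEC keys.
CREATE USER 'pdns_rw'@'10.0.0.11' IDENTIFIED BY 'change-me-rw';
GRANT SELECT, INSERT, UPDATE, DELETE ON pdns.* TO 'pdns_rw'@'10.0.0.11';

-- Account for every other server: it can read zone data and the
-- cryptokeys/domainmetadata rows that online signing needs, but it cannot
-- write, so it can never roll, activate or delete a key.
CREATE USER 'pdns_ro'@'10.0.0.12' IDENTIFIED BY 'change-me-ro';
GRANT SELECT ON pdns.* TO 'pdns_ro'@'10.0.0.12';

-- Check from the read-only server's side: connected as pdns_ro, this must be
-- rejected with "UPDATE command denied to user" (MariaDB error 1142).
-- UPDATE pdns.cryptokeys SET active = 0 WHERE id = 1;

-- Weak variant to avoid: both servers sharing one read-write account such as
--   GRANT ALL ON pdns.* TO 'pdns'@'%';
-- which is exactly what lets either instance change the keys.
```

Anything that writes to the backend (pdnsutil key management, zone edits, incoming zone transfers) then has to be run on the server that holds the read-write account.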