Frank,
I so appreciate your help. It sounds like my intended configuration
should be fine, then. I might suggest to the powers that be that the
documentation address this question.
The reason I have two servers is for redundancy, so I'll probably give
both instances write access, but as you say that should work fine.
Thanks again,
Xan
On 8/22/23 07:45, Frank Louwers wrote:
Hi Xan,
The weekly changes are not key rollovers; they are RRSIG
updates/resignings. These are done on the fly (in online mode) and are not
stored in the database.
The backend only contains the ZSK/KSK/CSK, which will only change if you
issue a command to roll them. Even if you issued the change command
on both servers, the new keys would be stored in the single database (if
you have just one backend database), so both would use the new key (there
might be short-term caching issues). Personally, I would only configure
one of the PowerDNS servers to have write access to the backend DB; the
other ones would just have SELECT privileges on the DB.
Cheers,
Frank
On 22 Aug 2023, at 14:25, Xan Charbonnet <x...@charbonnet.com> wrote:
Thank you, Frank.
I am aiming to do online signing, but my concern is the weekly key
rollover. Wouldn't both PowerDNS instances attempt to perform key
rollover on the same database at the same time? Do they not step on
each other's toes?
-Xan
On 8/22/23 07:03, Frank Louwers via Pdns-users wrote:
Hi Xan,
It depends on which DNSSEC mode you choose. If you pick "Online
Signing", for instance (great unless you have very busy servers with
lots of domains), the "keying data" is stored in the database as
well, so both servers would use the same data to sign the zone,
resulting in consistent signatures (as long as your MariaDB
replication isn't broken).
See https://doc.powerdns.com/authoritative/dnssec/modes-of-operation.html#online-signing
for more info and other ways of turning on DNSSEC on PowerDNS.
Frank
Frank Louwers
PowerDNS Certified Consultant @ Kiwazo.be
On 21 Aug 2023, at 17:03, Xan Charbonnet via Pdns-users
<pdns-users@mailman.powerdns.com> wrote:
Hello everyone,
We've been successfully using PowerDNS for some time, and are
looking into enabling DNSSEC.
If two PowerDNS authoritative servers are set up for native
replication, sharing a single MariaDB backend where the database is
replicated using MariaDB's replication, how would DNSSEC be enabled?
If I just turn it on, wouldn't the two servers step on each other's
toes when it came time to do a key rollover? Or is that not a problem?
Thanks in advance.
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
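Frank's recommendation in the thread above (one PowerDNS instance with write access to the backend, the other with SELECT only) written out as MariaDB grants, followed by a query that shows the DNSSEC key material both instances will sign with. This is an added example and is not code from the thread or from the PowerDNS project. The database name `pdns`, the account names, the host addresses and the placeholder passwords are assumptions; the table names are those of the standard PowerDNS gmysql schema.

```sql
-- Added example (not from the thread): privilege split for two PowerDNS
-- authoritative servers that share one MariaDB backend and use online signing.
-- Assumptions: database `pdns`, writer instance at 10.0.0.11, read-only
-- instance at 10.0.0.12, placeholder passwords. Table names follow the
-- standard PowerDNS gmysql schema.

-- Instance 1: the only PowerDNS process allowed to modify data (pdnsutil
-- add-zone/rectify-zone, key rollovers, DNS UPDATE). Full DML on the schema.
CREATE USER IF NOT EXISTS 'pdns_rw'@'10.0.0.11' IDENTIFIED BY 'change-me-rw';
GRANT SELECT, INSERT, UPDATE, DELETE
  ON pdns.* TO 'pdns_rw'@'10.0.0.11';

-- Instance 2: serves and signs on the fly from the same rows, but cannot
-- change keys or records. SELECT only, on the tables PowerDNS reads.
CREATE USER IF NOT EXISTS 'pdns_ro'@'10.0.0.12' IDENTIFIED BY 'change-me-ro';
GRANT SELECT ON pdns.domains        TO 'pdns_ro'@'10.0.0.12';
GRANT SELECT ON pdns.records        TO 'pdns_ro'@'10.0.0.12';
GRANT SELECT ON pdns.domainmetadata TO 'pdns_ro'@'10.0.0.12';
GRANT SELECT ON pdns.cryptokeys     TO 'pdns_ro'@'10.0.0.12';
GRANT SELECT ON pdns.tsigkeys       TO 'pdns_ro'@'10.0.0.12';
GRANT SELECT ON pdns.supermasters   TO 'pdns_ro'@'10.0.0.12';
GRANT SELECT ON pdns.comments       TO 'pdns_ro'@'10.0.0.12';

-- Check: the keys each instance will sign with. Run it through each instance's
-- own database connection; the result sets should be identical. A difference
-- means the replica is lagging. DNSKEY flags: 257 = KSK or CSK, 256 = ZSK.
SELECT d.name, c.id, c.flags, c.active
  FROM cryptokeys c
  JOIN domains d ON d.id = c.domain_id
 ORDER BY d.name, c.id;

-- Check: the read-only account must not be able to deactivate or roll a key.
-- Run this as 'pdns_ro'; it should be refused with a privilege error.
-- UPDATE cryptokeys SET active = 0 WHERE id = 1;
```

Both instances still need `gmysql-dnssec=yes` in their pdns.conf so the backend serves from `cryptokeys`; the grants only decide which one may change those rows. On the SELECT-only host, any pdnsutil subcommand that writes (add-zone, rectify-zone, add-zone-key, activate-zone-key) and any DNS UPDATE will fail, so run those on the writer. The key-listing query is the database-side counterpart of Frank's caching remark: if the rows match on both connections but the two servers briefly answer with different DNSKEYs after a roll, what differs is the in-process cache, not the stored keys.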