would be an excellent "way into dnssec". This wouldn't require any change to the existing (non-dnssec) powerdns setups, and would allow us to test with "real" things, easily migrate single domains to a dnssec setup (just change the nameservers), rollback when needed to the old and tested setup etc.
Am I correct that this would only work via AXFR style transfers from the non-dnssec pdns to the new pdns-dnssec slaves?

Frank

On 06 Jan 2011 wk 1, at 20:00, bert hubert wrote:

> On Thu, Jan 06, 2011 at 11:55:24AM -0500, Mathew Hennessy wrote:
>> Excellent! BTW, can PowerDNSSEC operate in the following way as one would
>> expect:
>>
>> PowerDNS supermaster which has DNSSEC RRs but doesn't do DNSSEC (aka
>> traditional PowerDNS) providing data to PowerDNS slaves. If you use the
>> new code with a compatible backend on the slaves (such as gsqlite3), and
>> your whois servers only point to those slaves, will it work?
>
> Almost! If you did that up till just now, you would have had to run 'pdnssec
> rectify-zone' on your slaves after each AXFR.
>
> However, thank you for raising this idea, this sounds like a very valid use
> case.
>
> It has just been implemented in changeset
> http://wiki.powerdns.com/trac/changeset/1819
>
> I tested it against an ancient server, and now I have a fully
> operational DNSSEC zone!
>
> It works fully automatic on retrieving a zone for which we have local keying
> material.
>
> In this way, PowerDNSSEC can now be used to 'dnssec-ify' existing data, a
> bit like 'phreebird'. http://freshmeat.net/projects/phreebird
>
> Bert
>
>>
>> Thanks,
>> = Matt
>>
>> On Jan 6, 2011, at 10:13, bert hubert wrote:
>>
>>> Dear PowerDNS Community,
>>>
>>> With the help of many of you, we've now brought 'PowerDNSSEC' to the point
>>> where it might make sense for you to trial it on test domains. We expect to
>>> move some of our own important domains over to PowerDNSSEC early next
>>> week. PowerDNS.COM underlies the commercial DNS hosting service 'Express',
>>> and may have to wait a bit longer.
>>>
>>> To test, head over to http://www.powerdnssec.org (which of course is powered
>>> by PowerDNSSEC). More information is on
>>> http://wiki.powerdns.com/trac/wiki/PDNSSEC - including how to get started,
>>> and how to get help.
>>>
>>> In brief, PowerDNSSEC will allow you to continue operating as normal in many
>>> cases, with only slight changes to your installation. There is no need to
>>> run signing tools, nor is there a need to rotate keys or run scripts.
>>>
>>> Particularly, if you run with Generic MySQL, Generic PostgreSQL or Generic
>>> SQLite3, you should have an easy time. A small schema update is required,
>>> plus an invocation of 'pdnssec secure-zone domain-name && pdnssec
>>> rectify-zone domain-name' per domain you want to secure. And that should be
>>> it.
>>>
>>> Supported are:
>>> * NSEC
>>> * NSEC3 in ordered mode (pre-hashed records)
>>> * NSEC3 in narrow mode (unmodified records)
>>> * Zone transfers (for NSEC)
>>> * Import of 'standard' private keys from BIND/NSD
>>> * Export of 'standard' private keys
>>> * RSASHA1
>>> * "Pure" PostgreSQL, SQLite3 & MySQL operations
>>> * Hybrid BIND/PostgreSQL/SQLite3/MySQL operation
>>>
>>> To join the fun, download the tarball which can be found on the sites above,
>>> and let us know how it works for you!
>>>
>>> To clarify, we do not recommend taking the current code snapshot into
>>> production, but we are getting close.
>>>
>>> Kind regards,
>>> Bert
>>> _______________________________________________
>>> Pdns-users mailing list
>>> Pdns-users@mailman.powerdns.com
>>> http://mailman.powerdns.com/mailman/listinfo/pdns-users
>>
>>
> _______________________________________________
> Pdns-users mailing list
> Pdns-users@mailman.powerdns.com
> http://mailman.powerdns.com/mailman/listinfo/pdns-users

Frank

--
Frank Louwers
Operations -- Openminds bvba
http://openminds.be
fr...@openminds.be
+32.9 225 82 91

Subscribe now to our newsletter: http://openminds.be/nieuwsbrief