Hi Mike,

Many questions, let's go through them one by one.
On 1/14/19 7:22 PM, mike+li...@yourtownonline.com wrote:
> I have been experimenting with dnssec and powerdns. I have a domain
> signed, ds records at my registrar, all looks good and it passes tests
> on various dnssec validation sites. What I'm not clear about, however, is
> what workflow is needed for ongoing maintenance?

No, PowerDNS automatically refreshes the DNSSEC signatures every week[1]. If your slave(s) are PowerDNS, they will re-transfer the zone if they see the signatures change (even when the SOA serial is not increased). If your slave(s) are not PowerDNS, you'll need to set the default-soa-edit-signed setting[2] to something that makes sense for your SOA serial[3].

> I don't understand
> automatic key expiration and whether or if I must care.

(note, this is an opinion) You'll only need to rotate your keys when they are compromised. PowerDNS itself does not support automatically rotating keys, but it can be done manually (and those steps could be automated by you)[4,5].

> Also, I don't
> see why or if I need to care about having zsk and ksk in my zone; seems
> to work without, unless these are pertaining to domains I sub-delegate?

Having a ZSK means that you can roll that key without notifying your parent zone/registrar. If you don't plan on rotating (often), a single key (known as a CSK, combined signing key) is fine.

> And, if I decide that my existing ds at my registrar has aged
> sufficiently, what is the procedure for replacement that keeps my domain
> valid through the rollover?

See [4].

> I'm sorry, it's just that some of these topics are not really covered
> well...

They are, but I admit the documentation is a bit messy. If you have an idea on how to improve this, please let us know via an issue[6]. Or, even better, open a pull request with the changes.

I hope this clarifies things for you. If not, feel free to respond on the mailing list and we'll be happy to help.
Cheers,

Pieter

1 - https://doc.powerdns.com/authoritative/dnssec/modes-of-operation.html#signatures
2 - https://doc.powerdns.com/authoritative/settings.html#default-soa-edit-signed
3 - https://doc.powerdns.com/authoritative/dnssec/operational.html#soa-edit-ensure-signature-freshness-on-slaves
4 - https://doc.powerdns.com/authoritative/guides/kskroll.html
5 - https://doc.powerdns.com/authoritative/guides/zskroll.html
6 - https://github.com/PowerDNS/pdns/issues/new

-- 
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
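Added example, not part of Pieter's reply and not PowerDNS code: the check I would run during a KSK or CSK rollover of the kind described in [4], before removing the old key. It derives the DS record (key tag per RFC 4034 Appendix B, digest over owner name plus DNSKEY RDATA) from a DNSKEY as printed by `pdnsutil show-zone` or `dig`, and compares it against the DS the parent actually serves. The DNSKEY and DS records in it are constructed sample data, and the key bytes are dummy values rather than a real ECDSA P-256 key, so only the tag and digest arithmetic is meaningful; the function names are my own.

```python
import base64
import hashlib
import struct

# DS digest types (RFC 4034 s.5.1.3, RFC 4509, RFC 6605).
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase labels, length-prefixed,
    terminated by a zero byte (RFC 4034 s.6.2). The DS digest covers this."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(rr: str):
    """Split 'owner [TTL] [IN] DNSKEY flags proto alg base64...' as printed by
    dig or `pdnsutil show-zone`; the base64 may be wrapped over several tokens."""
    t = rr.split()
    i = t.index("DNSKEY")
    flags, proto, alg = int(t[i + 1]), int(t[i + 2]), int(t[i + 3])
    return t[0], flags, proto, alg, base64.b64decode("".join(t[i + 4:]))


def dnskey_rdata(flags: int, proto: int, alg: int, key: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, proto, alg) + key


def key_tag(rdata: bytes) -> int:
    """Key tag, RFC 4034 Appendix B (the computation for all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def is_ksk(flags: int) -> bool:
    """SEP bit set: this key is meant to be referenced by the parent's DS.
    257 = ZONE|SEP (a KSK or a CSK), 256 = ZONE only (a ZSK)."""
    return bool(flags & 1)


def ds_record(dnskey_rr: str, digest_type: int = 2) -> str:
    """The DS record to hand to the registrar for this DNSKEY."""
    owner, flags, proto, alg, key = parse_dnskey(dnskey_rr)
    rdata = dnskey_rdata(flags, proto, alg, key)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {digest}"


def ds_fields(ds_rr: str):
    """(key tag, algorithm, digest type, uppercase hex digest) from a DS record."""
    t = ds_rr.split()
    i = t.index("DS")
    return int(t[i + 1]), int(t[i + 2]), int(t[i + 3]), "".join(t[i + 4:]).upper()


def parent_ds_matches(parent_ds_rr: str, dnskey_rr: str) -> bool:
    """True when the DS served by the parent (e.g. `dig DS example.com`) was
    derived from exactly this DNSKEY. Run this for the new KSK before you
    deactivate the old one; a DS for the ZSK or the old KSK will not match."""
    tag, alg, dtype, digest = ds_fields(parent_ds_rr)
    if dtype not in DIGESTS:
        return False
    return ds_fields(ds_record(dnskey_rr, dtype)) == (tag, alg, dtype, digest)


if __name__ == "__main__":
    # Constructed sample records; the key material is dummy bytes, not a real
    # ECDSA key, so only the tag/digest arithmetic is meaningful here.
    new_ksk = "example.com. 3600 IN DNSKEY 257 3 13 AQIDBAUGBwg="
    zsk = "example.com. 3600 IN DNSKEY 256 3 13 CAcGBQQDAgE="
    parent = ds_record(new_ksk)  # stand-in for what the parent zone answers
    print(parent)
    print("parent DS matches new KSK:", parent_ds_matches(parent, new_ksk))
    print("parent DS matches ZSK:    ", parent_ds_matches(parent, zsk))
```

In a real roll you would feed `pdnsutil show-zone` output (or `pdnsutil export-zone-ds`) in on one side and the parent's DS answer on the other, and only remove the old key once this returns True for the new one and the old DS has aged out of caches.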
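Added example, also not from the original post or from PowerDNS: a freshness check for the non-PowerDNS slave case above. The symptom of a missing or wrong SOA-EDIT is that the master re-signs but the slave keeps serving the old RRSIGs until they expire, so comparing the RRSIG for the same RRset on master and slave (as printed by `dig +dnssec`) tells you whether the slave re-transferred after the last re-sign, and how many days are left before its copy goes bogus. The RRSIG lines used are constructed sample data with placeholder base64 signatures; the function names are my own.

```python
from datetime import datetime, timedelta, timezone


def ts(s: str) -> datetime:
    """RRSIG presentation-format timestamps are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(rr: str) -> dict:
    """Parse 'owner [TTL] [IN] RRSIG type alg labels origttl expiration
    inception keytag signer signature...' as printed by `dig +dnssec`."""
    t = rr.split()
    i = t.index("RRSIG")
    return {
        "owner": t[0].lower(),
        "type_covered": t[i + 1],
        "algorithm": int(t[i + 2]),
        "expiration": ts(t[i + 5]),
        "inception": ts(t[i + 6]),
        "key_tag": int(t[i + 7]),
        "signer": t[i + 8].lower(),
    }


def valid_at(rrsig: str, now: datetime) -> bool:
    """Validators accept the signature only inside [inception, expiration]."""
    s = parse_rrsig(rrsig)
    return s["inception"] <= now <= s["expiration"]


def days_left(rrsig: str, now: datetime) -> float:
    """Days until this signature expires; negative once it is already bogus."""
    return (parse_rrsig(rrsig)["expiration"] - now) / timedelta(days=1)


def slave_is_stale(master_rrsig: str, slave_rrsig: str) -> bool:
    """Same RRset signed on both servers, but the slave still serves a
    signature with an older inception: the zone was not re-transferred after
    the master re-signed (the failure SOA-EDIT on the master is meant to avoid)."""
    m, s = parse_rrsig(master_rrsig), parse_rrsig(slave_rrsig)
    if (m["owner"], m["type_covered"]) != (s["owner"], s["type_covered"]):
        raise ValueError("RRSIGs do not cover the same RRset")
    return s["inception"] < m["inception"]


# Constructed sample data (placeholder signatures): the master re-signed on
# 2019-01-17, the slave still has the signature from 2019-01-10.
MASTER = ("example.com. 3600 IN RRSIG SOA 13 2 3600 "
          "20190207000000 20190117000000 5154 example.com. c2lnbmF0dXJl")
SLAVE = ("example.com. 3600 IN RRSIG SOA 13 2 3600 "
         "20190131000000 20190110000000 5154 example.com. b2xkc2ln")

if __name__ == "__main__":
    now = ts("20190120000000")
    print("slave stale:", slave_is_stale(MASTER, SLAVE))
    print("slave copy still valid:", valid_at(SLAVE, now),
          "days left:", days_left(SLAVE, now))
```

Run this against live `dig +dnssec SOA example.com @master` and `@slave` output on a schedule; a stale slave with only a few days left is the point at which to fix default-soa-edit-signed (or bump the serial by hand) rather than wait for validation failures.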