Re: [Pdns-users] Questions on powerdnssec

2011-05-09 Thread bert hubert
On Mon, May 09, 2011 at 02:24:05PM +0100, Chris Russell wrote:
>  Firstly, when using an external server as a recursor, can this be an IPv6
> host? I have the auth server forwarding to bind for any recursive
> queries. This works when I specify the bind IPv4 address, but not the IPv6
> address. Both queries work fine if querying bind from the pdns server
> directly using dig on IPv4 or IPv6.

As of 2191 (now building) this can be IPv6 too. Odd that we missed it!

>  Secondly, when using powerdns secure-zone and the gmysql backend, I'm
> guessing rectify-zone must be run whenever any records are created to
> resign the zone. This being the case, does this lead to having a hidden
> master (ie: non publicly accessible) host or db in order to be slightly
> more secure [making the running of the signing process hidden]?

There is no need to run rectify-zone each time, as long as 'auth' and
'ordername' are filled out correctly.

This is detailed in
http://doc.powerdns.com/dnssec-modes.html#dnssec-direct-database

A hidden master is indeed more secure since it separates the server from the 
keying material.

>  Finally, is there any documentation of the validity length of the keys,
> or do these roll over automatically?

The keys remain where they are, unless you roll them over.
http://doc.powerdns.com/powerdnssec.html explains the idea behind this,
where you have 'active' and 'passive' keys. 

http://doc.powerdns.com/dnssec-operational-doctrine.html#zsk-rollover also
has some sample command lines.

It appears there is very little benefit to automated key rollovers (unlike
say automated signature rollovers, which are very necessary).

>  Bert, as you thought, this build resolves the issue I had with mysql
> going away and the server taking a while to reconnect. It's serving
> records from the cache just fine.

Great to hear!

Bert
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
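Bert's point above, that records written straight into the database only need a correct 'auth' flag and 'ordername', is illustrated with an added example that is not part of this thread or of PowerDNS itself: a small Python model of what rectify-zone computes for a zone in NSEC mode. The ordername storage format (assumed here: owner name relative to the zone, labels reversed and space-separated) and the auth rule for delegations and glue are assumptions to check against the linked documentation for the PowerDNS version in use.

```python
from __future__ import annotations

# Constructed sample zone: apex records, an ordinary host, a delegation
# ("sub") with its DS and glue, and a two-label name to show ordering.
ZONE = "example.com"
SAMPLE_RECORDS = [
    ("example.com", "SOA"),
    ("example.com", "NS"),
    ("www.example.com", "A"),
    ("sub.example.com", "NS"),       # delegation point
    ("sub.example.com", "DS"),       # belongs to the parent zone
    ("ns1.sub.example.com", "A"),    # glue below the delegation
    ("a.b.example.com", "AAAA"),
]


def _labels(name: str) -> list[str]:
    """Lower-cased labels of a name, ignoring a trailing dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def ordername(owner: str, zone: str) -> str:
    """NSEC ordering key: owner relative to zone, labels reversed (assumed format)."""
    rel = _labels(owner)[: -len(_labels(zone))]
    return " ".join(reversed(rel))


def rectify(zone: str, records: list[tuple[str, str]]) -> list[dict]:
    """Fill in `auth` and `ordername` for every (owner, type) record.

    auth=0 marks non-authoritative data: delegation NS records and anything
    at or below a delegated name, except DS at the delegation point, which is
    parent-side data and must be signed by this zone (assumed rule).
    """
    apex = _labels(zone)
    delegations = {tuple(_labels(n)) for n, t in records
                   if t == "NS" and _labels(n) != apex}

    def below_delegation(name: str) -> bool:
        nl = _labels(name)
        return any(len(nl) >= len(d) and nl[-len(d):] == list(d)
                   for d in delegations)

    out = []
    for name, rtype in records:
        auth = 0 if (below_delegation(name) and rtype != "DS") else 1
        out.append({"name": name, "type": rtype, "auth": auth,
                    "ordername": ordername(name, zone)})
    return out
```

Rows with auth=0 are exactly the ones that must not be signed or appear in the NSEC chain, which is why a wrong value written by hand breaks denial-of-existence answers without rectify-zone ever running.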


[Pdns-users] Questions on powerdnssec

2011-05-09 Thread Chris Russell
Hi All,

 Few questions on using PowerDNSsec, using the latest RPM build
(20110509.2190-1) in our IPv6 labs. Fundamentally: PDNS auth, Bind recursor
and Win7 client behind router, all dual stacked.


 Firstly, when using an external server as a recursor, can this be an IPv6
host? I have the auth server forwarding to bind for any recursive queries.
This works when I specify the bind IPv4 address, but not the IPv6 address. Both
queries work fine if querying bind from the pdns server directly using dig on
IPv4 or IPv6.


 Secondly, when using powerdns secure-zone and the gmysql backend, I'm guessing
rectify-zone must be run whenever any records are created to resign the zone.
This being the case, does this lead to having a hidden master (ie: non publicly
accessible) host or db in order to be slightly more secure [making the running
of the signing process hidden]?

 Finally, is there any documentation of the validity length of the keys, or do
these roll over automatically?


 Bert, as you thought, this build resolves the issue I had with mysql going
away and the server taking a while to reconnect. It's serving records from the
cache just fine.


Thanks

Chris


Knowledge I.T.
'Unifying Business Technology'
www.knowledgeit.co.uk
