Hello,
On 22 Feb 2016, at 12:20, l...@hosting.de wrote:
>> Out of curiosity, why are you signing outside of PowerDNS instead of
>> with PowerDNS itself?
>> ...
>> Second, have you looked at AXFRing the zones in from your signing
>> solution, instead of mangling a presigned zone until PowerDNS likes
>> it?
>> If you let PowerDNS do the AXFR in, all the throwing away of records
>> etc. happens automatically.
> As described, we created a signing server only reachable internally
> for security reasons. This means all private keys are stored on this
> system and all signing is done there. Since pdns synthesizes the
> DNSSEC records it is not possible, besides via AXFR, to export and
> transfer these records. Therefore we decided to use LDNS for signing.
Understood. Of course AXFR is a fine export method, and the resulting
file should be similar to your LDNS results.
>> Are you running into problems with the ‘synthesized’ NSEC(3)s?
> Currently we have to create those empty traversals in order to get the
> correct NSEC records synthesized. Since signing with LDNS already
> gives us all necessary NSEC records it would be easier to just use
> those.
Can you clarify what you mean by empty traversals? What is your full
procedure for serving an ldns-signed zone file with PowerDNS today?
Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
_______________________________________________
Pdns-dev mailing list
Pdns-dev@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-dev