On Thu, Jan 06, 2011 at 11:55:24AM -0500, Mathew Hennessy wrote:
> Excellent! BTW, can PowerDNSSEC operate in the following way as one would
> expect:
>
> PowerDNS supermaster which has DNSSEC RRs but doesn't do DNSSEC (aka
> traditional PowerDNS) providing data to PowerDNS slaves. If you use the
> new code with a compatible backend on the slaves (such as gsqlite3), and
> your whois servers only point to those slaves, will it work?

Almost! If you did that up till just now, you would have had to run 'pdnssec
rectify-zone' on your slaves after each AXFR.

However, thank you for raising this idea, this sounds like a very valid use
case. It has just been implemented in changeset
http://wiki.powerdns.com/trac/changeset/1819

I tested it against an ancient server, and now I have a fully operational
DNSSEC zone! It works fully automatically on retrieving a zone for which we
have local keying material.

In this way, PowerDNSSEC can now be used to 'dnssec-ify' existing data, a bit
like 'phreebird'. http://freshmeat.net/projects/phreebird

Bert

>
> Thanks,
> = Matt
>
> On Jan 6, 2011, at 10:13, bert hubert wrote:
>
> > Dear PowerDNS Community,
> >
> > With the help of many of you, we've now brought 'PowerDNSSEC' to the point
> > where it might make sense for you to trial it on test domains. We expect to
> > move some of our own important domains over to PowerDNSSEC early next
> > week. PowerDNS.COM underlies the commercial DNS hosting service 'Express',
> > and may have to wait a bit longer.
> >
> > To test, head over to http://www.powerdnssec.org (which of course is powered
> > by PowerDNSSEC). More information is on
> > http://wiki.powerdns.com/trac/wiki/PDNSSEC - including how to get started,
> > and how to get help.
> >
> > In brief, PowerDNSSEC will allow you to continue operating as normal in many
> > cases, with only slight changes to your installation. There is no need to
> > run signing tools, nor is there a need to rotate keys or run scripts.
> >
> > Particularly, if you run with Generic MySQL, Generic PostgreSQL or Generic
> > SQLite3, you should have an easy time. A small schema update is required,
> > plus an invocation of 'pdnssec secure-zone domain-name && pdnssec
> > rectify-zone domain-name' per domain you want to secure. And that should be
> > it.
> >
> > Supported are:
> > * NSEC
> > * NSEC3 in ordered mode (pre-hashed records)
> > * NSEC3 in narrow mode (unmodified records)
> > * Zone transfers (for NSEC)
> > * Import of 'standard' private keys from BIND/NSD
> > * Export of 'standard' private keys
> > * RSASHA1
> > * "Pure" PostgreSQL, SQLite3 & MySQL operations
> > * Hybrid BIND/PostgreSQL/SQLite3/MySQL operation
> >
> > To join the fun, download the tarball which can be found on the sites above,
> > and let us know how it works for you!
> >
> > To clarify, we do not recommend taking the current code snapshot into
> > production, but we are getting close.
> >
> > Kind regards,
> > Bert
> > _______________________________________________
> > Pdns-users mailing list
> > [email protected]
> > http://mailman.powerdns.com/mailman/listinfo/pdns-users
