On Mon, May 09, 2011 at 02:24:05PM +0100, Chris Russell wrote:
> Firstly, when using an external server as a recursor; can this be an IPv6
> host? I have the auth server forwarding to bind for any recursive
> queries, this works when I specify the bind IPv4 address, but not the IPv6
> address. Both queries work fine if querying bind from the pdns server
> directly using dig on ipv4 or ipv6.

As of 2191 (now building) this can be IPv6 too. Odd that we missed it!

> Secondly, when using powerdns secure-zone and the gmysql backend, I'm
> guessing rectify-zone must be run whenever any records are created to
> resign the zone. This being the case, does this lead to having a hidden
> master (i.e. non publicly accessible) host or db in order to be slightly
> more secure [making the running of the signing process hidden]?

There is no need to run rectify-zone each time, as long as 'auth' and
'ordername' are filled out correctly. This is detailed in
http://doc.powerdns.com/dnssec-modes.html#dnssec-direct-database

A hidden master is indeed more secure since it separates the server from
the keying material.

> Finally, is there any documentation of the validity length of the keys,
> or do these roll over automatically?

The keys remain where they are, unless you roll them over.
http://doc.powerdns.com/powerdnssec.html explains the idea behind this,
where you have 'active' and 'passive' keys.
http://doc.powerdns.com/dnssec-operational-doctrine.html#zsk-rollover
also has some sample command lines.

It appears there is very little benefit to automated key rollovers (unlike,
say, automated signature rollovers, which are very necessary).

> Bert, as you thought, this build resolves the issue I had with mysql
> going away and the server taking a while to reconnect. It's serving
> records from the cache just fine.

Great to hear!

Bert
_______________________________________________
Pdns-users mailing list
[email protected]
http://mailman.powerdns.com/mailman/listinfo/pdns-users
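The "fill out 'auth' and 'ordername' correctly" advice above is the whole of direct-database mode, so here is an added example (written for this thread, not code from PowerDNS or from either poster) of computing those two columns for a record before it is inserted into the gmysql `records` table. The NSEC ordername is the name relative to the zone with its labels reversed and space-separated; the NSEC3 ordername is the RFC 5155 hash in base32hex; narrow NSEC3 needs none; auth is 1 except for the NS set at a delegation point and all glue below it (a DS at the delegation point stays authoritative). Assumptions that are mine, not from the thread or the linked doc: the `delegations` list passed in by the caller, the hypothetical helper names, and that non-authoritative records get a NULL ordername. The sample zone is constructed from the RFC 5155 Appendix A parameters (salt aabbccdd, 12 iterations).

```python
"""Compute the 'ordername' and 'auth' columns PowerDNS expects in direct-database
DNSSEC mode.  Added example for this thread, not PowerDNS code.  The column rules
are summarised from the doc linked above; the sample zone below is constructed
from RFC 5155 Appendix A (salt aabbccdd, 12 iterations, a.example delegated)."""
import hashlib

BASE32HEX = "0123456789abcdefghijklmnopqrstuv"   # RFC 4648 "extended hex" alphabet


def wire_name(name: str) -> bytes:
    """Canonical wire form (RFC 4034 s6.2): lowercase, length-prefixed labels, root byte."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError(f"bad label length in {name!r}")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def base32hex(data: bytes) -> str:
    """RFC 4648 base32hex, no padding (a 20-byte SHA-1 digest is exactly 32 chars)."""
    nchars = (len(data) * 8 + 4) // 5
    bits = int.from_bytes(data, "big") << (nchars * 5 - len(data) * 8)
    return "".join(BASE32HEX[(bits >> (5 * i)) & 31] for i in reversed(range(nchars)))


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 s5: SHA-1(x || salt), then re-hash with the salt `iterations` more times."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def relative_labels(name: str, zone: str) -> list:
    """Labels of `name` below the zone apex (empty list for the apex itself)."""
    n, z = name.rstrip(".").lower(), zone.rstrip(".").lower()
    if n == z:
        return []
    if not n.endswith("." + z):
        raise ValueError(f"{name!r} is not inside zone {zone!r}")
    return n[: -(len(z) + 1)].split(".")


def auth_flag(name: str, rtype: str, delegations) -> int:
    """1 when the zone is authoritative for the record.  The NS set at a delegation
    point and everything below it (glue) are not; a DS at the delegation point is."""
    n = name.rstrip(".").lower()
    for d in delegations:
        d = d.rstrip(".").lower()
        if n == d:
            return 0 if rtype.upper() == "NS" else 1
        if n.endswith("." + d):
            return 0
    return 1


def ordername(name: str, zone: str, mode: str, salt_hex: str = "-", iterations: int = 0):
    """NSEC: relative labels reversed and space-separated, so the column sorts in
    canonical DNS order ('www.a.example' in 'example' -> 'a www', apex -> '').
    NSEC3: the base32hex NSEC3 hash of the full name.  Narrow NSEC3 uses none."""
    if mode == "nsec":
        return " ".join(reversed(relative_labels(name, zone)))
    if mode == "nsec3":
        relative_labels(name, zone)          # still validate that the name is in-zone
        return nsec3_hash(name, salt_hex, iterations)
    if mode == "nsec3-narrow":
        return None
    raise ValueError(f"unknown mode {mode!r}")


def direct_db_fields(name, rtype, zone, mode, delegations=(), salt_hex="-", iterations=0):
    """The two columns to write alongside a record in the gmysql `records` table.
    Assumption (mine, not from the thread): non-authoritative records get NULL ordername."""
    auth = auth_flag(name, rtype, delegations)
    order = ordername(name, zone, mode, salt_hex, iterations) if auth else None
    return {"ordername": order, "auth": auth}


if __name__ == "__main__":
    # Constructed sample zone: RFC 5155 Appendix A parameters, a.example delegated,
    # ns1.a.example is glue for that delegation, ns1.example is an ordinary host.
    zone, delegs = "example", ["a.example"]
    for n, t in [("example", "SOA"), ("a.example", "NS"), ("a.example", "DS"),
                 ("ns1.a.example", "A"), ("ns1.example", "A")]:
        for mode in ("nsec", "nsec3"):
            f = direct_db_fields(n, t, zone, mode, delegs, "aabbccdd", 12)
            print(f"{mode:5} {n:14} {t:3} ordername={f['ordername']!r} auth={f['auth']}")
```

The NSEC3 parameters (salt, iterations) must match the zone's NSEC3PARAM record or the chain the server builds from the column will not line up with what it signs; the apex hash of the RFC 5155 sample zone, 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom, is a convenient check that the hashing is right before you start writing rows.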
