Hi. Responses below (Peter or Bert, correct me if I'm wrong or not clear enough)
--
José Arthur Benetasso Villanova

On 12/04/2012, at 22:44, PARTH MONGA <[email protected]> wrote:

> Hi Friends
>
> I am new to PowerDNS and DNSSEC and I am in the installation stage of it for
> my organisation moving from BIND, planned to take over 5 lakh+ domains on it
> with DNSSEC enabled
> Details of the setup:
> 9 nodes MySQL cluster, geographically distributed: will be using MySQL as a
> backend and replication will be taken care of by MySQL
> Each PDNS running local copy of MySQL
> PowerDNS version 3.0.1
> Poweradmin as GUI interface
>
> Have following queries:
>
> 1-Can I have secured (DNSSEC) and unsecured zones (NORMAL ZONES) both in one
> PowerDNS Server having MySQL as backend?
>

Yes. You should sign the zone using 'pdnssec secure-zone example.com' or leave as is to not use DNSSEC. Please make sure that the auth field in table records is set properly.

> 2-When is it advised to roll over the keys in DNSSEC secured zones. Do I have
> to roll over the keys each time when I make changes to a secured zone's
> data (like changing A records or MX records) or will it be automatically taken
> care of by PDNS. Please elaborate this key roll over mechanism, a lot of confusion
> is there..

Taken from the manual: "PowerDNS supports serving pre-signed zones, as well as online ('live') signed operations. In the last case, Signature Rollover and Key Maintenance are fully managed by PowerDNS."

When you add / remove records, you need to call 'pdnssec rectify-zone example.com' to make sure that the record orders are set properly. This is important for using NSEC, which needs the record before and after to give a signed denial of existence. As far as I remember, the field content is not used in NSEC, so you can change this at will.

>
> 3-What decides when to go for NSEC or NSEC3. Please elaborate, will be a great
> tip for all the list users.

NSEC3 mitigates the zone listing issue, so I think that is a better option. There is a pdns exclusive option called 'narrow', please read the docs about it.

> 4-What is the NATIVE word in zone type. I understand master and slave, what
> NATIVE refers to.

NATIVE replication means any kind of replication outside DNS, like database replication (my preferred). By your description, that's the one you'll use.

>
> Will be posting a complete setup document once my PowerDNS cluster is up and
> running so all other list members as well as community can refer to
> it, provided I get successful
> Wishful thinking :)
>
> Thanks & Regards
> Best Wishes
> Parth
>
> _______________________________________________
> Pdns-users mailing list
> [email protected]
> http://mailman.powerdns.com/mailman/listinfo/pdns-users
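
The two points made in the answers to questions 2 and 3, as an added illustration that is not part of the original thread and is not PowerDNS code: why NSEC needs every name placed in canonical order (a denial names the record before and the record after), and how NSEC3 replaces those names with hashes. The zone contents are constructed sample data; the salt `aabbccdd` and 12 iterations are the example parameters from RFC 5155 Appendix A.

```python
import base64
import hashlib

# Constructed sample zone: owner names only (not taken from the thread).
NAMES = ["example.com", "www.example.com", "mail.example.com",
         "a.mail.example.com", "ftp.example.com"]

def labels(name):
    """Lowercased labels of a name as bytes, leftmost label first."""
    return [l.encode("ascii") for l in name.lower().rstrip(".").split(".")]

def canonical_key(name):
    """RFC 4034 section 6.1 sort key: compare labels right to left."""
    return labels(name)[::-1]

def nsec_chain(names):
    """(owner, next) pairs in canonical order; the last one wraps to the first."""
    ordered = sorted(names, key=canonical_key)
    return list(zip(ordered, ordered[1:] + ordered[:1]))

def covering_nsec(names, qname):
    """NSEC pair that proves qname is absent, or None if qname exists."""
    q = canonical_key(qname)
    for owner, nxt in nsec_chain(names):
        lo, hi = canonical_key(owner), canonical_key(nxt)
        wraps = hi <= lo  # final record in the chain points back to the apex
        if (lo < q < hi) or (wraps and (q > lo or q < hi)):
            return owner, nxt
    return None

# Map the standard base32 alphabet to base32hex, used for NSEC3 owner names.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5: SHA-1 over wire-format name plus salt, iterated."""
    salt = bytes.fromhex(salt_hex)
    digest = b"".join(bytes([len(l)]) + l for l in labels(name)) + b"\x00"
    for _ in range(iterations + 1):  # one initial hash plus `iterations` more
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode().lower()

if __name__ == "__main__":
    # An NSEC denial for a missing name carries two real neighbours in clear text.
    print(covering_nsec(NAMES, "imap.example.com"))
    # NSEC3 chain owners are hashes, so the same proof carries no plain names.
    print(sorted(nsec3_hash(n, "aabbccdd", 12) for n in NAMES))
```

If the stored order is stale after a record is added or removed, the "before" and "after" names in a denial no longer bracket the queried name, which is the situation the rectify step in the reply is meant to prevent.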
