Hi Peter,

So, as you said, key rollovers are not mandated. Does that mean that if I create a KSK and ZSK for a domain, they will last for the whole zone lifecycle, for as long as it is live and secured? I am new to DNSSEC, so can you please give me the best practice for handling keys: when should I intentionally go for a key rollover, which key should be rolled over (KSK, ZSK or both), and how frequently? Please shed some light on this.
Thanks & Regards,
Parth Monga
Net4 India Ltd

Date: Fri, 13 Apr 2012 13:30:37 +0200
From: Peter van Dijk <[email protected]>
Subject: Re: [Pdns-users] Pdns-users Digest, Vol 111, Issue 16
To: pdns-users Users <[email protected]>
Message-ID: <[email protected]>
Content-Type: text/plain; charset=iso-8859-1

Hi,

On Apr 13, 2012, at 13:25 , PARTH MONGA wrote:

> Hi Peter
>
> Can you please also update me about how to set NSEC3 narrow settings
> for a secured zone and how to do the same in NSEC3 inclusive mode.

Please read
http://doc.powerdns.com/pdnssec.html
http://doc.powerdns.com/domainmetadata.html

> And as Jose said in the very first reply, can you please confirm
> whether I have to perform a key rollover if I make any changes in a
> secure zone, or does PDNS manage that part automatically?

Key rollovers are never mandatory (except when changing from NSEC to NSEC3
on a domain where DS records have already been published to the parent).
PDNS does not manage key rollovers automatically, by the way.

Kind regards,
--
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/


On Sat, Apr 14, 2012 at 3:30 PM, <[email protected]> wrote:

> Send Pdns-users mailing list submissions to
>         [email protected]
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://mailman.powerdns.com/mailman/listinfo/pdns-users
> or, via email, send a message with subject or body 'help' to
>         [email protected]
>
> You can reach the person managing the list at
>         [email protected]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Pdns-users digest..."
>
>
> Today's Topics:
>
>    1. Re: Pdns-users Digest, Vol 111, Issue 16 (PARTH MONGA)
>    2. Re: Pdns-users Digest, Vol 111, Issue 16 (Peter van Dijk)
>    3. Re: Strange recursor TTL behaviour for specific host (Wouter de Jong)
>    4. Re: Strange recursor TTL behaviour for specific host (Peter van Dijk)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 13 Apr 2012 16:55:10 +0530
> From: PARTH MONGA <[email protected]>
> Subject: Re: [Pdns-users] Pdns-users Digest, Vol 111, Issue 16
> To: [email protected]
> Cc: [email protected]
> Message-ID: <CACBBYcN_nV0PMZNhH7SCQ3dcxLx2p60V2_jPm=rwtxtx+ak...@mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi Peter
>
> Thanks a lot for the valuable input. Appreciated!
> So I think I am close to wrapping up my installation with 9 nodes in the cluster.
> Can you please also update me about how to set NSEC3 narrow settings for a
> secured zone and how to do the same in NSEC3 inclusive mode.
>
> And as Jose said in the very first reply, can you please confirm whether I
> have to perform a key rollover if I make any changes in a secure zone, or
> does PDNS manage that part automatically?
>
> Info would be of great help in my setup.
> I really appreciate your and Jose's input on my queries.
>
> Thanks a lot
>
> Best Regards
> Parth Monga
>
>
> 2- When is it advised to roll over the keys in DNSSEC secured zones? Do I
> have to roll over the keys each time I make changes to a secured zone's
> data (like changing A records or MX records), or will it be automatically
> taken care of by PDNS? Please elaborate on this key rollover mechanism; a
> lot of confusion is there.
>
> Taken from the manual:
>
> "PowerDNS supports serving pre-signed zones, as well as online
> ('live') signed operations. In the last case, Signature Rollover and
> Key Maintenance are fully managed by PowerDNS."
>
> When you add / remove records, you need to call 'pdnssec rectify-zone
> example.com' to make sure that the record orders are set properly.
> This is important for NSEC, which needs the record before and after
> to give a signed denial of existence. As far as I remember, the field
> content is not used in NSEC, so you can change this at will.
>
>
> On Fri, Apr 13, 2012 at 3:30 PM, <[email protected]> wrote:
>
> > Today's Topics:
> >
> >    1. Re: Huge PDNS+DNSSEC setup-Need help (Peter van Dijk)
> >
> >
> > ----------------------------------------------------------------------
> >
> > Message: 1
> > Date: Fri, 13 Apr 2012 10:58:00 +0200
> > From: Peter van Dijk <[email protected]>
> > Subject: Re: [Pdns-users] Huge PDNS+DNSSEC setup-Need help
> > To: pdns-users Users <[email protected]>
> > Message-ID: <[email protected]>
> > Content-Type: text/plain; charset=iso-8859-1
> >
> > Hi,
> >
> > On Apr 13, 2012, at 10:37 , PARTH MONGA wrote:
> >
> > > That for sure I will go with NSEC3, but which one to actually hit:
> > > NSEC3-inclusive or NSEC3-narrow?
> > >
> > > Please advise, as I am not able to figure out the difference between
> > > both NSEC3 modes.
> >
> > Benefits of narrow mode:
> > - order name field does not matter (auth field still does)
> > - no brute forcing calculation of names in your zones
> >
> > Downsides of narrow mode:
> > - you cannot have AXFR slaves, all slaves need to be NATIVE (which would
> >   work for you)
> >
> > Benefits of inclusive mode:
> > - behaviour is closer to what other name servers do, easier to understand
> >   when you get a DNSSEC expert to debug something
> > - receives more testing than narrow
> >
> > Kind regards,
> > --
> > Peter van Dijk
> > Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
> >
> >
> > ------------------------------
> >
> > _______________________________________________
> > Pdns-users mailing list
> > [email protected]
> > http://mailman.powerdns.com/mailman/listinfo/pdns-users
> >
> >
> > End of Pdns-users Digest, Vol 111, Issue 16
> > *******************************************
>
>
> ------------------------------
>
> Message: 3
> Date: Fri, 13 Apr 2012 17:59:08 +0200
> From: Wouter de Jong <[email protected]>
> Subject: Re: [Pdns-users] Strange recursor TTL behaviour for specific host
> To: pdns-users Users <[email protected]>
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=us-ascii
>
> Hi Peter,
>
> On Thu, Apr 12, 2012 at 08:09:01PM +0200, Peter van Dijk wrote:
> > > As you can see, TTL 37 -> 34 -> 30 -> 27 -> 24 -> 32
> > >
> > > I'm wondering what could be causing this ?
> >
> > Try threads=1 in recursor.conf. If that causes it, there is no need for
> > alarm :)
>
> Great, that seems to explain it indeed :)
>
> Apparently, the default threads= setting is > 1?
>
> Best regards,
>
> Wouter
>
>
> ------------------------------
>
> Message: 4
> Date: Sat, 14 Apr 2012 11:10:39 +0200
> From: Peter van Dijk <[email protected]>
> Subject: Re: [Pdns-users] Strange recursor TTL behaviour for specific host
> To: pdns-users Users <[email protected]>
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=us-ascii
>
> Hi Wouter,
>
> On Apr 13, 2012, at 17:59 , Wouter de Jong wrote:
>
> > Apparently, the default threads= setting is > 1?
>
> Yes - see 'pdns_recursor --config' for all defaults.
>
> Kind regards,
> --
> Peter van Dijk
> Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
>
>
> ------------------------------
>
> End of Pdns-users Digest, Vol 111, Issue 17
> *******************************************
_______________________________________________ Pdns-users mailing list [email protected] http://mailman.powerdns.com/mailman/listinfo/pdns-users
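Two technical points in the thread above are easier to see in code than in prose: Jose's remark that 'pdnssec rectify-zone' must put records into canonical order so that an NSEC can name the record before and after a missing name, and Peter's comparison of NSEC3 inclusive and narrow mode. The following is an added example written for this page; it is not PowerDNS code and none of its function names come from pdnssec. It implements RFC 4034 canonical name ordering and the NSEC covering lookup, the RFC 5155 NSEC3 hash, the pre-computed ("inclusive") NSEC3 chain built from hashes of the real names, and the narrow-mode answer in which the server synthesizes an NSEC3 whose owner and next hash bracket the hash of the query name (the NSEC3 "white lies" construction), so that a client never receives the hash of a real zone name. The zone names, salt and iteration count are constructed for the example.

```python
"""Added example (not PowerDNS code): RFC 4034 canonical ordering and NSEC
denial, RFC 5155 NSEC3 hashing, and inclusive vs narrow ("white lies") NSEC3.
Zone names, salt and iteration count are constructed for this example."""
import base64
import hashlib

# Constructed sample zone, deliberately not in canonical order (like raw DB rows).
ZONE_NAMES = ["www.example.com", "example.com", "mail.example.com", "ftp.example.com"]

def canonical_key(name):
    """RFC 4034 s6.1 sort key: labels compared right to left, case-insensitively,
    as unsigned bytes; a name sorts before every name it is a suffix of."""
    stripped = name.rstrip(".").lower()
    labels = stripped.split(".") if stripped else []
    return tuple(label.encode() for label in reversed(labels))

def rectify(names):
    """The ordering 'pdnssec rectify-zone' has to establish for an NSEC zone:
    without it no server can tell which record precedes a missing name."""
    return sorted(set(names), key=canonical_key)

def nsec_chain(names):
    """NSEC chain as (owner, next owner) pairs; the last name wraps to the apex."""
    ordered = rectify(names)
    return [(ordered[i], ordered[(i + 1) % len(ordered)]) for i in range(len(ordered))]

def nsec_covering(names, qname):
    """NSEC proving qname is absent: owner < qname < next in canonical order.
    Returns None when the name exists (an NSEC must never cover a real name)."""
    q = canonical_key(qname)
    if any(canonical_key(n) == q for n in names):
        return None
    for owner, nxt in nsec_chain(names):
        if canonical_key(owner) < q < canonical_key(nxt):
            return owner, nxt
    ordered = rectify(names)
    return ordered[-1], ordered[0]          # past the last name: wrap-around record

def wire_name(name):
    """RFC 1035 wire form of a lowercased name: length-prefixed labels, zero end."""
    stripped = name.rstrip(".").lower()
    labels = stripped.split(".") if stripped else []
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

# NSEC3 owner names use base32hex (RFC 4648 s7); its alphabet sorts the same way
# as the hash bytes, so comparing the strings compares the hashes.
_TO_HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", b"0123456789ABCDEFGHIJKLMNOPQRSTUV")
_TO_STD = bytes.maketrans(b"0123456789ABCDEFGHIJKLMNOPQRSTUV", b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")

def b32hex_encode(raw):
    return base64.b32encode(raw).translate(_TO_HEX).rstrip(b"=").decode().lower()

def b32hex_decode(text):
    padded = text.upper().encode().translate(_TO_STD)
    return base64.b32decode(padded + b"=" * (-len(padded) % 8))

def nsec3_hash(name, salt, iterations):
    """RFC 5155 s5: SHA-1(owner || salt), then re-hashed with the salt 'iterations' more times."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return b32hex_encode(digest)

def nsec3_inclusive_covering(names, qname, salt, iterations):
    """Inclusive mode: the chain is the sorted list of hashes of the real names, so
    both hashes handed to the querier belong to real names and can be run through
    a dictionary offline (salt and iterations are public in NSEC3PARAM)."""
    chain = sorted(nsec3_hash(n, salt, iterations) for n in set(names))
    qh = nsec3_hash(qname, salt, iterations)
    if qh in chain:
        return None
    for i, owner in enumerate(chain):
        nxt = chain[(i + 1) % len(chain)]
        if owner < qh < nxt:
            return owner, nxt
    return chain[-1], chain[0]

def nsec3_narrow_covering(qname, salt, iterations):
    """Narrow mode (NSEC3 'white lies'): nothing is precomputed or stored. The
    server hashes the query name and signs an NSEC3 whose owner is that hash
    minus one and whose next hash is that hash plus one: a minimal interval that
    proves nonexistence without disclosing the hash of any real name."""
    qh = int.from_bytes(b32hex_decode(nsec3_hash(qname, salt, iterations)), "big")
    mask = (1 << 160) - 1                   # SHA-1 hashes are 160 bits
    before = ((qh - 1) & mask).to_bytes(20, "big")
    after = ((qh + 1) & mask).to_bytes(20, "big")
    return b32hex_encode(before), b32hex_encode(after)

if __name__ == "__main__":
    salt, iterations = bytes.fromhex("aabbccdd"), 12      # constructed parameters
    print("NSEC chain:", nsec_chain(ZONE_NAMES))
    print("NSEC denial for gopher:", nsec_covering(ZONE_NAMES, "gopher.example.com"))
    print("inclusive NSEC3 denial:", nsec3_inclusive_covering(ZONE_NAMES, "gopher.example.com", salt, iterations))
    print("narrow NSEC3 denial:", nsec3_narrow_covering("gopher.example.com", salt, iterations))
```

The salt aabbccdd with 12 iterations is the parameter set used in RFC 5155 Appendix A, so nsec3_hash('example', bytes.fromhex('aabbccdd'), 12) can be checked against the apex NSEC3 owner name in that appendix. The inclusive-mode function shows why Peter's "auth field still does" caveat and the ordername maintenance matter: the chain only proves non-existence if it was built from the complete, correctly ordered set of real names. The narrow-mode function shows why narrow mode needs a live signer and cannot be served from an AXFR copy: the NSEC3 it returns is created and signed per query, and the two hashes in it are never hashes of real names, which removes the offline dictionary attack that inclusive mode (and any other pre-computed NSEC3 chain) leaves open.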
