Hi, I am running a hidden primary and two slaves which are exposed to the public. I would like to use DNSSEC, and keep the private keys on the hidden primary. I'm using the MySQL backend.
As far as I know, there are two (or more?) ways to set up replication:

- AXFR-based. In this case, private keys are not transmitted to the slaves.
- MySQL replication. In this case, the whole database is replicated, including the private keys.

MySQL replication seems to be more reliable to me than AXFR replication (I observed occasional timeouts with AXFR zone updates, especially intercontinentally), and also more real-time.

I am looking for a reliable way of replication without replicating private keys. I can think of two ways:

- Set up PowerDNS to write RRSIG etc. records to the records table (i.e. "managed DNSSEC" like in live mode, but saved to the database). Then, replicate only certain MySQL tables. Is it possible to set up PowerDNS in this way?
- Run a second PowerDNS instance locally (along with the hidden primary) which retrieves zones via AXFR, hopefully very reliably (since locally), and then use MySQL replication from this instance to the public slaves.

Which way do you think is best? Are there any other ways to achieve this?

Thanks!

Best,
Peter

--
OpenPGP Key: 0x3EF22D2F
_______________________________________________
Pdns-users mailing list
[email protected]
http://mailman.powerdns.com/mailman/listinfo/pdns-users
