[Pdns-users] DNSSEC with MySQL backend and replication

Thu, 16 May 2019 03:01:41 -0700 

Hi,

Just a few queries on implementing DNSSec with a MySQL backend, if I could 
trouble someone for their thoughts an recommendations?

Currently our PowerDNS Auth infra looks like below:


    +-----------------+                          +-----------------+
    | PowerDNS Auth B |                          | PowerDNS Auth C |
    +-----------------+                          +-----------------+
    |  MYSQL SLAVE    |                          |  MYSQL SLAVE    |
    +-------^---------+                          +-------^---------+
            |                                            |
            |                                            |
            |              +--------------+              |
            |              |  PowerAdmin  |              |
MASTER/SLAVE|              +------+-------+              |MASTER/SLAVE
REPLICATION |                     |                      |REPLICATION
            |              +------v-------+              |
            +--------------+ MYSQL MASTER +--------------+
                           +------^-------+
                                  |
                                  |
                           +------+----------+
                           | PowerDNS Auth A |
                          +-----------------+

We currently edit records by way of PowerAdmin, which updates the master 
database directly and so "PowerDNS Auth A" instance is not actually used or 
interacted with, normally. Zone/record updates are replicated to the "edge" 
Auth servers (B and C) via MySQL replication. We would like to enable DNSSec on 
a few of our domains, at least as a proof of concept. A few questions...

I assume I need to enable gmysql-dnssec on ALL PowerDNS Auth instances (A,B and 
C)?
Will PowerDNS commands to enable DNSSec signing of a zone need executed on 
"PowerDNS Auth A" ONLY (which will add the relevant records to the database and 
replicate them to B and C)?
Given that PowerAdmin talks directly to the database, any record changes here 
likely to cause a problem with these signed domains?
Should I look at a newer GUI that implements the DNSSec commands and interacts 
with PowerDNS API instead?

Thanks in advance...

Regards,

Alun.




[Tibus 
Logo]<http://www.tibus.com/?utm_source=signature&amp;utm_medium=email>[Separator]Alun
 James
Senior Systems Engineer
T: +44 (0) 28 9033 1122
E: [email protected]<mailto:[email protected]>
W: 
www.tibus.com<http://www.tibus.com/?utm_source=signature&amp;utm_medium=email>
[http://frontend.open.ms-dev.web.tibus.net/zesty/tibus-sig-new/assets/icon-fb.png]<https://www.facebook.com/tibusDigital>
  
[http://frontend.open.ms-dev.web.tibus.net/zesty/tibus-sig-new/assets/icon-tw.png]
 <https://twitter.com/tibus>   
[http://frontend.open.ms-dev.web.tibus.net/zesty/tibus-sig-new/assets/icon-li.png]
 <https://www.linkedin.com/company/tibus>
Tibus is a wholly-owned division of Wireless.




_______________________________________________
Pdns-users mailing list
[email protected]
https://mailman.powerdns.com/mailman/listinfo/pdns-users

Reply via email to