On Mon, 2019-10-14 at 10:57 +0200, Gert van Dijk wrote:
> On Mon, Oct 14, 2019 at 9:54 AM Mike Cardwell
> <pdns-us...@lists.grepular.com> wrote:
> > I'm looking into migrating from Bind9 to PowerDNS. [...]
>
> Have you seen the instructions on how to perform a ZSK rollover [1]? I
> don't see that you invoke the {activate,deactivate}-zone-key or the
> soa serial number update. (Not sure if you need a rectify-zone command
> too though.)

Yeah, I read those instructions. I didn't do the activate/deactivate step
though as it wasn't necessary, as I added the key as active immediately.
I've just repeated the process but this time adding the key as inactive.
Now, as soon as I deactivate the old key, the list switches from
"KSK+ZSK+ZSK" to "CSK+CSK+CSK":

root@ned:~# pdnsutil add-zone-key parsemail.org zsk 1024 inactive rsasha1
Added a ZSK with algorithm = 5, active=0
Requested specific key size of 1024 bits
3
root@ned:~# pdnsutil list-keys
Zone           Type Size Algorithm          ID Location   Keytag
----------------------------------------------------------------------------------
parsemail.org  ZSK  1024 RSASHA1-NSEC3-SHA1 2  cryptokeys 8897
parsemail.org  ZSK  1024 RSASHA1-NSEC3-SHA1 3  cryptokeys 58769
parsemail.org  KSK  2048 RSASHA1-NSEC3-SHA1 1  cryptokeys 36696
root@ned:~# pdnsutil activate-zone-key parsemail.org 3
root@ned:~# pdnsutil list-keys
Zone           Type Size Algorithm          ID Location   Keytag
----------------------------------------------------------------------------------
parsemail.org  ZSK  1024 RSASHA1-NSEC3-SHA1 2  cryptokeys 8897
parsemail.org  ZSK  1024 RSASHA1-NSEC3-SHA1 3  cryptokeys 58769
parsemail.org  KSK  2048 RSASHA1-NSEC3-SHA1 1  cryptokeys 36696
root@ned:~# pdnsutil deactivate-zone-key parsemail.org 2
root@ned:~# pdnsutil list-keys
Zone           Type Size Algorithm          ID Location   Keytag
----------------------------------------------------------------------------------
parsemail.org  CSK  2048 RSASHA1-NSEC3-SHA1 1  cryptokeys 36696
parsemail.org  CSK  1024 RSASHA1-NSEC3-SHA1 2  cryptokeys 8897
parsemail.org  CSK  1024 RSASHA1-NSEC3-SHA1 3  cryptokeys 58769
root@ned:~# pdnsutil rectify-zone parsemail.org
Adding NSEC3 hashed ordering information for 'parsemail.org'
root@ned:~# pdnsutil list-keys
Zone           Type Size Algorithm          ID Location   Keytag
----------------------------------------------------------------------------------
parsemail.org  CSK  2048 RSASHA1-NSEC3-SHA1 1  cryptokeys 36696
parsemail.org  CSK  1024 RSASHA1-NSEC3-SHA1 2  cryptokeys 8897
parsemail.org  CSK  1024 RSASHA1-NSEC3-SHA1 3  cryptokeys 58769
root@ned:~# pdnsutil remove-zone-key parsemail.org 2
root@ned:~# pdnsutil list-keys
Zone           Type Size Algorithm          ID Location   Keytag
----------------------------------------------------------------------------------
parsemail.org  CSK  2048 RSASHA1-NSEC3-SHA1 1  cryptokeys 36696
parsemail.org  CSK  1024 RSASHA1-NSEC3-SHA1 3  cryptokeys 58769
root@ned:~# pdnsutil rectify-zone parsemail.org
Adding NSEC3 hashed ordering information for 'parsemail.org'
root@ned:~# pdnsutil list-keys
Zone           Type Size Algorithm          ID Location   Keytag
----------------------------------------------------------------------------------
parsemail.org  CSK  2048 RSASHA1-NSEC3-SHA1 1  cryptokeys 36696
parsemail.org  CSK  1024 RSASHA1-NSEC3-SHA1 3  cryptokeys 58769
root@ned:~#

> That your ZSK/KSK is listed as CSK sounds like a bug to me, though.
> What is your pdns version?

root@ned:~# dpkg -l|grep -i pdns
ii  pdns-backend-sqlite3  4.1.6-3  amd64  sqlite 3 backend for PowerDNS
ii  pdns-server           4.1.6-3  amd64  extremely powerful and versatile nameserver
root@ned:~#

The standard Debian 10 (Buster) 4.1.6-3 release.

Regards,
Mike
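As an added example (not part of the thread and not PowerDNS code): a small Python check that parses the `pdnsutil list-keys` table shown in Mike's message and flags the point at which the KSK/ZSK set starts being reported as CSK, so a rollover script can stop before the next step instead of carrying on with a key set that no longer matches the intended KSK/ZSK split. The two sample tables are copied from the output in the message; `run_list_keys` is an assumed helper that shells out to `pdnsutil list-keys ZONE` on a live server.

```python
"""Sanity-check `pdnsutil list-keys` output between ZSK rollover steps.

Added example, not PowerDNS code. It parses the 4.1-style table that
`pdnsutil list-keys` prints and checks the invariants a pre-publish ZSK
rollover should preserve: exactly one KSK, at least one ZSK, and no key
whose type has flipped to CSK.
"""
import subprocess
from collections import Counter

# Copied from the message: state right after adding the new inactive ZSK (id 3).
SAMPLE_AFTER_ADD = """\
Zone           Type Size Algorithm          ID Location   Keytag
----------------------------------------------------------------------------------
parsemail.org  ZSK  1024 RSASHA1-NSEC3-SHA1 2  cryptokeys 8897
parsemail.org  ZSK  1024 RSASHA1-NSEC3-SHA1 3  cryptokeys 58769
parsemail.org  KSK  2048 RSASHA1-NSEC3-SHA1 1  cryptokeys 36696
"""

# Copied from the message: state right after deactivating the old ZSK (id 2).
SAMPLE_AFTER_DEACTIVATE = """\
Zone           Type Size Algorithm          ID Location   Keytag
----------------------------------------------------------------------------------
parsemail.org  CSK  2048 RSASHA1-NSEC3-SHA1 1  cryptokeys 36696
parsemail.org  CSK  1024 RSASHA1-NSEC3-SHA1 2  cryptokeys 8897
parsemail.org  CSK  1024 RSASHA1-NSEC3-SHA1 3  cryptokeys 58769
"""

COLUMNS = ("zone", "type", "size", "algorithm", "id", "location", "keytag")
KEY_TYPES = ("KSK", "ZSK", "CSK")


def parse_list_keys(text):
    """Turn the whitespace-separated table into one dict per key row."""
    keys = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the header, the dashed rule and blank lines: only real rows
        # have seven fields with a key type in the second column.
        if len(fields) != len(COLUMNS) or fields[1] not in KEY_TYPES:
            continue
        row = dict(zip(COLUMNS, fields))
        for numeric in ("size", "id", "keytag"):
            row[numeric] = int(row[numeric])
        keys.append(row)
    return keys


def check_rollover_state(keys, zone):
    """Return a list of problems for ZONE; an empty list means the set looks sane."""
    zone_keys = [k for k in keys if k["zone"] == zone]
    csk_ids = [k["id"] for k in zone_keys if k["type"] == "CSK"]
    if csk_ids:
        # This is the symptom from the thread: once any key is shown as CSK the
        # KSK/ZSK counts are meaningless, so report only that and stop.
        return [f"keys {csk_ids} are reported as CSK; the KSK/ZSK split was lost"]
    types = Counter(k["type"] for k in zone_keys)
    problems = []
    if types["KSK"] != 1:
        problems.append(f"expected exactly one KSK, found {types['KSK']}")
    if types["ZSK"] == 0:
        problems.append("no ZSK present")
    return problems


def run_list_keys(zone):
    """Assumed helper: check the live key set via `pdnsutil list-keys ZONE`."""
    out = subprocess.run(["pdnsutil", "list-keys", zone], check=True,
                         capture_output=True, text=True).stdout
    return check_rollover_state(parse_list_keys(out), zone)


if __name__ == "__main__":
    for label, sample in (("after add-zone-key", SAMPLE_AFTER_ADD),
                          ("after deactivate-zone-key", SAMPLE_AFTER_DEACTIVATE)):
        issues = check_rollover_state(parse_list_keys(sample), "parsemail.org")
        print(f"{label}: {issues or 'ok'}")
```

Run between each `pdnsutil` step of the rollover; a non-empty result is the cue to stop and inspect the cryptokeys table rather than proceed to `remove-zone-key`.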
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users