Hello!

I have thousands of DNSSEC presigned-signed zones which I slave with PowerDNS 
(type='SLAVE'). I want to move all these zones to PowerDNS as type='MASTER'.

Basically this should be very simple:

For each zone:
BEGIN;
UPDATE domains SET type='MASTER' WHERE id=XXX;

INSERT INTO cryptokeys .... (import the currently used ZSK+KSK)

DELETE FROM records WHERE domain_id=XXX AND type IN ('TYPE65534', 'DNSKEY', 
'RRSIG');

DELETE FROM domainmetadata WHERE domain_id=XXX AND kind='PRESIGNED';
COMMIT;

I think that should be pretty safe. But I am concerned about the 
dnssec-key-cache and the domain-metadata-cache.

I think to be on the safe side I would need to flush those caches with the 
COMMIT. Of course I could disable the caches altogether, but I do not want to do 
this permanently because the switch from SLAVE to MASTER is customer triggered.

So, do you have any hints on how to safely import the keys without any bogus 
answers from PowerDNS due to metadata and key caching?

Thanks
Klaus
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
