Answering myself after reading the code: The trick is to do the steps below NOT in a single transaction but one step after the other, considering the respective cache TTLs.

PowerDNS prioritizes presigned zones over self signing. Hence, the correct order is:

UPDATE domains SET type='MASTER' where id=XXX;

INSERT INTO cryptokeys .... (import the currently used ZSK+KSK);
sleep(dnssec-key-cache-ttl)

DELETE FROM domainmetadata WHERE domain_id=XXX AND kind='PRESIGNED';
sleep(domain-metadata-cache-ttl)

DELETE FROM records WHERE domain_id=xxx AND type IN ('TYPE65534','DNSKEY', 'RRSIG');

Eventually tweak the domainmetadata, i.e. for serial bumping. Also make sure that there are no zone changes while doing the above process.

regards
Klaus

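As an added illustration (not Klaus's own script and not part of the thread), the sequence above as a POSIX shell script that waits out each cache TTL between steps. It assumes a MySQL backend reachable through the mysql client, a pdns.conf at the usual path, and that the INSERT INTO cryptokeys statements for the zone's current ZSK+KSK were exported to a file beforehand; the PowerDNS defaults of 30 s (dnssec-key-cache-ttl) and 60 s (domain-metadata-cache-ttl) are used when the settings are absent.

```shell
#!/bin/sh
# Added example, not from the thread: run the steps above one at a time, waiting
# one cache TTL between them. Assumes a MySQL backend reachable via the mysql
# client (override DB_CMD) and a file holding the INSERT INTO cryptokeys
# statements for the zone's current ZSK+KSK (export it beforehand).
set -eu

PDNS_CONF="${PDNS_CONF:-/etc/powerdns/pdns.conf}"
DB_CMD="${DB_CMD:-mysql pdns}"      # e.g. DB_CMD='psql -q pdns' for PostgreSQL
SLEEP_CMD="${SLEEP_CMD:-sleep}"

# Read one setting from pdns.conf; $2 is the PowerDNS default used when unset.
conf_get() {
    v=$(sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$PDNS_CONF" 2>/dev/null | tail -n1)
    printf '%s\n' "${v:-$2}"
}

# SQL for each step, kept separate so the order below is explicit and checkable.
step_sql() {
    case "$1" in
        type)      echo "UPDATE domains SET type='MASTER' WHERE id=$2;" ;;
        presigned) echo "DELETE FROM domainmetadata WHERE domain_id=$2 AND kind='PRESIGNED';" ;;
        records)   echo "DELETE FROM records WHERE domain_id=$2 AND type IN ('TYPE65534','DNSKEY','RRSIG');" ;;
        *)         echo "unknown step $1" >&2; return 1 ;;
    esac
}

migrate_zone() {
    id="$1"; keys_sql="$2"
    case "$id" in ''|*[!0-9]*) echo "domain id must be numeric" >&2; return 1 ;; esac
    [ -r "$keys_sql" ] || { echo "cannot read $keys_sql" >&2; return 1; }
    key_ttl=$(conf_get dnssec-key-cache-ttl 30)
    meta_ttl=$(conf_get domain-metadata-cache-ttl 60)

    # 1. MASTER first: PRESIGNED is still set, so the zone keeps being served
    #    from the imported RRSIGs exactly as before.
    step_sql type "$id" | $DB_CMD
    # 2. Import the live ZSK+KSK; wait out dnssec-key-cache-ttl so all threads see them.
    $DB_CMD < "$keys_sql"
    $SLEEP_CMD "$key_ttl"
    # 3. Drop PRESIGNED: once the metadata cache expires PowerDNS signs live
    #    with the same keys, so answers stay valid throughout.
    step_sql presigned "$id" | $DB_CMD
    $SLEEP_CMD "$meta_ttl"
    # 4. Only now remove the stale RRSIG/DNSKEY/TYPE65534 rows of the old zone.
    step_sql records "$id" | $DB_CMD
}

if [ "$#" -eq 2 ]; then migrate_zone "$1" "$2"; fi
```

Run it as `./migrate.sh <domain_id> <keys.sql>` per zone; a dry run with `DB_CMD=cat SLEEP_CMD=:` prints the statements in the order they would be executed.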



On 13.02.2020 at 12:59, Klaus Darilion via Pdns-users wrote:
Hello!

I have thousands of DNSSEC presigned-signed zones which I slave with PowerDNS (type='SLAVE'). I want to move all these zones to PowerDNS as type='MASTER'.

Basically this should be very simple:

For each zone:
BEGIN;
UPDATE domains SET type='MASTER' where id=XXX;

INSERT INTO cryptokeys .... (import the currently used ZSK+KSK)

DELETE FROM records WHERE domain_id=xxx AND type IN ('TYPE65534', 'DNSKEY', 'RRSIG');

DELETE FROM domainmetadata WHERE domain_id=XXX AND kind='PRESIGNED';
COMMIT;

I think that should be pretty safe. But I am concerned about the dnssec-key-cache and the domain-metadata-cache.

I think to be on the safe side I would need to flush those caches with the COMMIT;. Of course I could disable the caches altogether, but I do not want to do this permanently because the switch from SLAVE to MASTER is customer triggered.

So, do you have any hints on how to safely import the keys without any bogus answers of PowerDNS due to metadata and key caching?

Thanks
Klaus


_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
