Re: [Pdns-users] DNSSEC and Master/Slave setup

2011-02-03 Thread bert hubert
On Thu, Feb 03, 2011 at 08:44:08AM +0100, Christof Meerwald wrote:
> I kind of expected this to happen today - the master (ns.cmeerw.net)
> with the keying material has now updated the RRSIG records, but the
> slave (ns2.cmeerw.net, no keying material) still returns the old RRSIG
> records:

Indeed, this is an issue we've been pondering for a while now. OpenDNSSEC,
and dnssec-signzone all deal with it in some way.

> ; <<>> DiG 9.7.1-P2 <<>> +dnssec -t soa cmeerw.priv.at @ns2.cmeerw.net
> ;; ANSWER SECTION:
> cmeerw.priv.at.   28800   IN  RRSIG   SOA 8 3 28800 2011021000 2011012700 9895 cmeerw.priv.at. b6IVcHFLnJvuL1T+OVXDDiuPOPbooVgpNHw8SI21cXoo2Q2v89+UQd7+H/SVjFYPL5RLjyCIcGWIJOrx5Wssg8vqbVqvkaG/AGmyZqhu5S5dVo1bipK32UrcYrsknkYmzYaHD3ew2ka9hwZYND5MK+g3FNAJxnj3fJEiHEvGLzo=
> cmeerw.priv.at.   28800   IN  SOA ns.cmeerw.net. domain.cmeerw.net. 2010080601 3600 900 1814400 3600
>
> Is there any better solution than having to run a script each week on
> the master server to update the SOA serial number and reload the zone
> (so the slave gets notified of the change and does an AXFR)?

This will obviously have to be automated, but we're not sure how. The more
general case is where PowerDNS operates like OpenDNSSEC, as a 'signing
proxy'. In this case there is an 'original serial' from the unsigned master,
which tells us when the original changed.

Secondly, there is the 'signed serial' which will have to change once a week
at least, but also whenever the 'original serial' changes.

In your case, where PowerDNS merely does the signing, things are a bit
simpler, but still not trivial.

We obviously need to come up with something smart! Thinking out loud a bit.

A problem is that the SOA serial is 32 bits, and often filled out like this:

4294967296
2011020300 .. 2011020301 .. 2011020302 etc

This means that if we do the 'obvious' and leave the first six digits alone,
we can only do 99 increments, which is not enough by a long shot.

However, '20110203' only encodes a day number, and there have been 15008
days since the beginning of the epoch. What we could do is convert a
'date-formed SERIAL' to a more compact form, and leave loads of room for
autoincrementing the serial.

So 2011020312 ('the 12th increment on the 3rd of February 2011') could be
converted to:

3AA00Cnn

This still only gives us 256 increments before things turn nasty.

Ideas?

I prefer a solution where we don't actually increment the serial in the
database but overlay it with something that autoincrements ('weeks since
january first 2011').

Bert
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
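The serial schemes Bert sketches above, worked through as an added example (my code, not PowerDNS's): the date-formed serial packed into the compact '3AA00Cnn' form, the 'weeks since January first 2011' overlay he prefers, and the RFC 1982 comparison a slave applies before it decides to transfer. The bit layout of the compact form is my reading of his example (16-bit day number, 8-bit original increment, 8-bit re-signing counter); the serial values are the ones from the thread.

```python
"""SOA serial schemes for a DNSSEC signing master, following Bert's mail.

Added example; not PowerDNS code. The bit layout of the compact serial is my
reading of his '3AA00Cnn': 16-bit day number since 1970-01-01 (0x3AA0 = 15008
for 2011-02-03), 8-bit original increment (0x0C = 12), 8-bit re-signing
counter nn.
"""
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
OVERLAY_BASE = date(2011, 1, 1)   # 'weeks since january first 2011'
MASK32 = 0xFFFFFFFF
HALF = 1 << 31                    # RFC 1982 half-range


def _as_date(d):
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return date.fromisoformat(d) if isinstance(d, str) else d


def parse_date_serial(serial: int):
    """Split a date-formed serial YYYYMMDDnn into (date, nn)."""
    s = f"{serial:010d}"
    return date(int(s[:4]), int(s[4:6]), int(s[6:8])), int(s[8:])


def compact_serial(date_serial: int, resign: int = 0) -> int:
    """Pack YYYYMMDDnn plus a re-signing counter as day<<16 | nn<<8 | resign.

    2011020312 -> 0x3AA00C00; the low byte leaves 256 re-signings per
    original serial, the limit Bert points out.
    """
    d, inc = parse_date_serial(date_serial)
    day = (d - EPOCH).days
    if not (0 <= day < 1 << 16 and 0 <= inc < 256 and 0 <= resign < 256):
        raise ValueError("field out of range for the compact layout")
    return (day << 16) | (inc << 8) | resign


def overlay_serial(db_serial: int, today) -> int:
    """Bert's preferred scheme: leave the database serial untouched and
    publish db_serial + weeks elapsed since 2011-01-01, so the published
    serial advances at least weekly without any write to the backend."""
    weeks = (_as_date(today) - OVERLAY_BASE).days // 7
    if weeks < 0:
        raise ValueError("date lies before the overlay base")
    return (db_serial + weeks) & MASK32


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982: is serial a 'greater than' serial b in 32-bit wrap-around
    arithmetic? This is the comparison a slave makes before transferring."""
    a &= MASK32
    b &= MASK32
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def strictly_increasing(serials) -> bool:
    """True when each serial is RFC 1982-greater than its predecessor, i.e.
    every publication would make a slave decide to transfer."""
    return all(serial_gt(cur, prev) for prev, cur in zip(serials, serials[1:]))


def weekly_overlays(db_serial: int, start, weeks: int):
    """Published serials for `weeks` consecutive weekly re-signings."""
    start = _as_date(start)
    return [overlay_serial(db_serial, start + timedelta(weeks=w)) for w in range(weeks)]


if __name__ == "__main__":
    print(hex(compact_serial(2011020312)))                    # 0x3aa00c00
    print(weekly_overlays(2010080601, "2011-02-03", 4))
    # Migrating a live zone from 2011020312 to its compact form would go
    # *backwards* in RFC 1982 terms, so slaves would refuse the transfer:
    print(serial_gt(compact_serial(2011020312), 2011020312))  # False
```

Two things the code makes visible that the mail only hints at. First, the overlay only changes the published serial once a week, so two re-signings within the same week publish the same serial and `strictly_increasing` fails for that pair; the re-signing cadence has to be tied to the overlay period. Second, the compact form is numerically far below a date-formed serial already in the wild (0x3AA00C00 versus 2011020312), so switching a live zone over would require the usual serial wrap-around dance rather than a straight swap.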
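The failure Christof reports, a slave still answering with the previous RRSIGs because the SOA serial never moved, is easy to miss until a validating resolver starts failing the zone when those signatures expire. The check below is an added example (mine, not PowerDNS's) that parses the ANSWER SECTION of a `dig +dnssec` query against the master and the slave, flags a differing SOA RRSIG behind an identical serial, and reports how long the slave's signature remains valid. The two answer texts are constructed sample data with placeholder signature strings, and it assumes RFC 4034 presentation format with full 14-digit YYYYMMDDHHMMSS signature times (the quoted mail shows them shortened by line wrapping).

```python
"""Detect a secondary serving stale RRSIGs behind an unchanged SOA serial.

Added example, not PowerDNS code. Input is the ANSWER SECTION text of
`dig +dnssec -t soa <zone> @<server>` for the master and the slave.
"""
import re
from datetime import datetime, timedelta, timezone

# RFC 4034 presentation format: owner ttl IN RRSIG type alg labels origttl
# expiration inception keytag signer signature
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<expire>\d{14})\s+(?P<incept>\d{14})\s+(?P<keytag>\d+)\s+(?P<signer>\S+)\s+(?P<sig>.+)$"
)
SOA_RE = re.compile(r"^\S+\s+\d+\s+IN\s+SOA\s+\S+\s+\S+\s+(?P<serial>\d+)\s")

# Constructed sample answers; signature blobs are placeholders, not real RRSIGs.
MASTER_ANSWER = """\
cmeerw.priv.at. 28800 IN RRSIG SOA 8 3 28800 20110217000000 20110203000000 9895 cmeerw.priv.at. bWFzdGVyLXNpZw==
cmeerw.priv.at. 28800 IN SOA ns.cmeerw.net. domain.cmeerw.net. 2010080601 3600 900 1814400 3600
"""
SLAVE_ANSWER = """\
cmeerw.priv.at. 28800 IN RRSIG SOA 8 3 28800 20110210000000 20110127000000 9895 cmeerw.priv.at. c2xhdmUtc2ln
cmeerw.priv.at. 28800 IN SOA ns.cmeerw.net. domain.cmeerw.net. 2010080601 3600 900 1814400 3600
"""


def sigtime(s: str) -> datetime:
    """RRSIG time field (YYYYMMDDHHMMSS, always UTC) to an aware datetime."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_answer(text: str):
    """Return ({covered_type: rrsig_fields}, soa_serial) for one answer section."""
    rrsigs, serial = {}, None
    for raw in text.splitlines():
        line = " ".join(raw.split())          # collapse dig's column padding
        m = RRSIG_RE.match(line)
        if m:
            rrsigs[m["covered"]] = {
                "expire": sigtime(m["expire"]),
                "incept": sigtime(m["incept"]),
                "keytag": int(m["keytag"]),
                "sig": m["sig"].replace(" ", ""),   # tolerate wrapped base64
            }
            continue
        m = SOA_RE.match(line)
        if m:
            serial = int(m["serial"])
    return rrsigs, serial


def check_secondary(master_text: str, slave_text: str, now, warn_days: int = 3):
    """Compare the SOA RRSIG on master and slave; `now` is an ISO datetime (UTC)."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now).replace(tzinfo=timezone.utc)
    m_sigs, m_serial = parse_answer(master_text)
    s_sigs, s_serial = parse_answer(slave_text)
    m, s = m_sigs["SOA"], s_sigs["SOA"]
    left = s["expire"] - now
    mismatch = m["sig"] != s["sig"]
    return {
        "sig_mismatch": mismatch,
        "serial_equal": m_serial == s_serial,
        # The exact situation from the thread: new signatures on the master,
        # same serial, so the slave never learns it should transfer.
        "stale_without_serial_bump": mismatch and m_serial == s_serial,
        "slave_expires_in_days": left.days,
        "slave_expired": left <= timedelta(0),
        "slave_expiry_warning": timedelta(0) < left < timedelta(days=warn_days),
    }


if __name__ == "__main__":
    for k, v in check_secondary(MASTER_ANSWER, SLAVE_ANSWER, "2011-02-08T00:00:00").items():
        print(f"{k}: {v}")
```

Run it from a cron job against every secondary, not just the master: the master always has fresh signatures, so monitoring it alone never shows this problem. Once the slave's RRSIGs pass their expiration, validating resolvers treat the zone as bogus, which looks like an outage to anyone behind such a resolver.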


[Pdns-users] signingpipe.hh not in snapshot 1964

2011-02-03 Thread M Techter


Hi, 

being interested in DNSSEC support of pdns, I tried 
to build from the 

 pdns-3.0-pre.20110202.1964
  
snapshot. 

Doing 

  ./configure --cache-file=/tmp/config.cache --with-modules= CC="ccache gcc" && make

I ran into the compilation error:

tcpreceiver.cc:48:26: error: signingpipe.hh: No such file or directory


The file 

./signingpipe.hh  

--though included in ./tcpreceiver.cc-- is not part of the tarball

./pdns-3.0-pre.20110202.1964.tar.gz

best 
regards 

max.

PS 

   getting the source via 

   svn co svn://svn.powerdns.com/pdns/trunk/pdns pdns   

   then adding file ./signingpipe.hh to the 1964 snapshot, 
   compilation succeeds.

   The System: 

   uml guest on Debian 5.0.8 with Debian vanilla kernel: 

   Linux 2.6.26-2-amd64 #1 SMP x86_64 GNU/Linux





Re: [Pdns-users] signingpipe.hh not in snapshot 1964

2011-02-03 Thread bert hubert
On Thu, Feb 03, 2011 at 09:25:04PM +0100, M Techter wrote:
> being interested in DNSSEC support of pdns, I tried
> to build from the
>
>  pdns-3.0-pre.20110202.1964

Good catch - we fixed the issue in SVN already. Meanwhile,
http://powerdnssec.org/downloads/pdns-3.0-pre.20110203.1972.tar.gz is
available with this & other fixes.

Bert