Re: [Pdns-users] DNSSEC and

2023-08-22 Thread Xan Charbonnet via Pdns-users

Frank,

I so appreciate your help.  It sounds like my intended configuration 
should be fine, then.  I might suggest to the powers that be that the 
documentation address this question.


The reason I have two servers is for redundancy, so I'll probably give 
both instances write access, but as you say that should work fine.


Thanks again,
Xan




On 8/22/23 07:45, Frank Louwers wrote:

Hi Xan,

The weekly changes are not key rollovers, they are RRSIG 
updates/resignings. These are done on the fly (in online mode), and not 
stored in the database.


The backend only contains the ZSK/KSK/CSK, which will only change if you 
issue a command to roll them. Even if you would issue the change command 
on both servers, the new keys would be stored in the unique database if 
you have just 1 backend database, so both would use the new key (there 
might be short-term caching issues). Personally, I would only configure 
1 of the PowerDNS servers to have write access to the backend DB, the 
other ones would just have SELECT privileges on the db.


Cheers,

Frank




On 22 Aug 2023, at 14:25, Xan Charbonnet  wrote:

Thank you, Frank.

I am aiming to do online signing, but my concern is the weekly key 
rollover.  Wouldn't both PowerDNS instances attempt to perform key 
rollover on the same database at the same time?  Do they not step on 
each other's toes?


-Xan



On 8/22/23 07:03, Frank Louwers via Pdns-users wrote:

Hi Xan,
It depends which DNSSEC you choose. If you would pick "Online 
Signing" for instance (great unless you have very busy servers with 
lots of domains), the "keying data" is stored in the database as 
well, so both servers would use the same data to sign the zone, 
resulting in consistent signatures (as long as your MariaDB 
replication isn't broken).

See https://doc.powerdns.com/authoritative/dnssec/modes-of-operation.html#online-signing
for more info and other ways of turning on DNSSEC on PowerDNS.
Frank
Frank Louwers
PowerDNS Certified Consultant @ Kiwazo.be
On 21 Aug 2023, at 17:03, Xan Charbonnet via Pdns-users 
 wrote:


Hello everyone,

We've been successfully using PowerDNS for some time, and are 
looking into enabling DNSSEC.


If two PowerDNS authoritative servers are set up for native 
replication, sharing a single MariaDB backend where the database is 
replicated using MariaDB's replication, how would DNSSEC be enabled? 
If I just turn it on, wouldn't the two servers step on each other's 
toes when it came time to do a key rollover?  Or is that not a problem?


Thanks in advance.
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users



Re: [Pdns-users] DNSSEC and

2023-08-22 Thread Frank Louwers via Pdns-users
Hi Xan,

The weekly changes are not key rollovers, they are RRSIG updates/resignings. 
These are done on the fly (in online mode), and not stored in the database. 

The backend only contains the ZSK/KSK/CSK, which will only change if you issue 
a command to roll them. Even if you would issue the change command on both 
servers, the new keys would be stored in the unique database if you have just 1 
backend database, so both would use the new key (there might be short-term 
caching issues). Personally, I would only configure 1 of the PowerDNS servers 
to have write access to the backend DB, the other ones would just have SELECT 
privileges on the db.

Cheers,

Frank



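Frank's least-privilege suggestion above (one instance with write access, the others SELECT-only) rendered as MariaDB grants. This is an added example, not from the thread or the PowerDNS project; the database name `pdns`, the account names and the host addresses are placeholders.

```sql
-- Added example, not from the thread: least-privilege grants for the
-- two-server setup described above. Database name (pdns), user names,
-- hosts and passwords are placeholders; adjust to your deployment.

-- Instance A: the only PowerDNS server allowed to modify the backend,
-- so this is where pdnsutil key management (rollovers etc.) is run.
CREATE USER 'pdns_rw'@'10.0.0.11' IDENTIFIED BY 'change-me';
GRANT SELECT, INSERT, UPDATE, DELETE ON pdns.* TO 'pdns_rw'@'10.0.0.11';

-- Instance B: serves and signs from the same replicated data (keys
-- included) but cannot change it, so an accidental key operation run
-- here fails instead of racing instance A for the same rows.
CREATE USER 'pdns_ro'@'10.0.0.12' IDENTIFIED BY 'change-me-too';
GRANT SELECT ON pdns.* TO 'pdns_ro'@'10.0.0.12';

-- Verify the effective privileges of each account before going live.
SHOW GRANTS FOR 'pdns_rw'@'10.0.0.11';
SHOW GRANTS FOR 'pdns_ro'@'10.0.0.12';
```

The SELECT-only grant assumes the second instance never needs to write: native zones as in this thread, and no pdnsutil, API or inbound zone-transfer use on that host.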


Re: [Pdns-users] DNSSEC and

2023-08-22 Thread Xan Charbonnet via Pdns-users

Thank you, Frank.

I am aiming to do online signing, but my concern is the weekly key 
rollover.  Wouldn't both PowerDNS instances attempt to perform key 
rollover on the same database at the same time?  Do they not step on 
each other's toes?


-Xan





Re: [Pdns-users] DNSSEC and

2023-08-22 Thread Frank Louwers via Pdns-users
Hi Xan,

It depends which DNSSEC you choose. If you would pick "Online Signing" for 
instance (great unless you have very busy servers with lots of domains), the 
"keying data" is stored in the database as well, so both servers would use the 
same data to sign the zone, resulting in consistent signatures (as long as your 
MariaDB replication isn't broken).

See 
https://doc.powerdns.com/authoritative/dnssec/modes-of-operation.html#online-signing
 for more info and other ways of turning on DNSSEC on PowerDNS.

Frank


Frank Louwers
PowerDNS Certified Consultant @ Kiwazo.be
