Re: [Pdns-users] PowerDNSSEC Slaves
On 8/06/11 11:38 PM, "Christof Meerwald" wrote: >On Wed, 08 Jun 2011 18:21:14 +1200, Craig Whitmore wrote: >[...] >> Can someone help why the slave is failing=8A > >I think one of the DNSSEC records is being truncated on the slave as >it exceeds 256 bytes - you might need to update the database schema on >the slave to allow for longer records. Thank you. It works now. I used the default database from all the documentation set up so maybe (IMHO) the default needs to be increased to some thing larger. On the slave I did.. alter table records modify content varchar(512); updated the master and it transferred and now.. dig +dnssec +sigchase +trusted-key=./trusted-keys -t A spam.co.nz @114.23.33.130 ;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS dig +dnssec +sigchase +trusted-key=./trusted-keys -t A spam.co.nz @114.23.33.131 ;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS I must write up a how to on getting this working as the documentation for powerdnssec is a little lacking on this matter:-) There are a couple of gotya's > >> I cannot find any documentation on slaves and powerdnssec and how it >>should >> be done properly.. > >If you happen to have non-PowerDNS slaves, you might also want to set >"SOA-EDIT" to "INCREMENT-WEEKS" in the domainmetadata table for that >domain (this isn't needed if you only have PowerDNS slaves). I am using PowerDNSSec only. Thanks > ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] PowerDNSSEC Slaves
On Wed, 08 Jun 2011 18:21:14 +1200, Craig Whitmore wrote: [...] > Can someone help why the slave is failing=8A I think one of the DNSSEC records is being truncated on the slave as it exceeds 256 bytes - you might need to update the database schema on the slave to allow for longer records. > I cannot find any documentation on slaves and powerdnssec and how it should > be done properly.. If you happen to have non-PowerDNS slaves, you might also want to set "SOA-EDIT" to "INCREMENT-WEEKS" in the domainmetadata table for that domain (this isn't needed if you only have PowerDNS slaves). Christof -- http://cmeerw.org sip:cmeerw at cmeerw.org mailto:cmeerw at cmeerw.org xmpp:cmeerw at cmeerw.org ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
[Pdns-users] PowerDNSSEC Slaves
Hi there. I am testing powerdnssec with one of my domains spam.co.nz I have 2 PowerDNSSEC servers set up one as master and one as slave. I have used the normal powerdns for a long time with no problems Both set up using gmysql backends (one on each) ,adding the data into the master mysql database and they replicate via zone transfers all ok into the slave mysql database; I set up as in the instructions for the domain Spam.co.nz Master.. pdnssec secure-zone spam.co.nz And gmysql-host=127.0.0.1 gmysql-user=root gmysql-password= gmysql-dbname=pdns gmysql-dnssec master=yes Slave pdnssec set-presigned spam.co.nz (set the domain to be presigned as its coming from ns1) gmysql-host=127.0.0.1 gmysql-user=root gmysql-password= gmysql-dbname=pdns gmysql-dnssec' slave=yes I can update 114.23.33.130 and it updates on 114.23.33.131 Testing.. dig +dnssec T A spam.co.nz @114.23.33.130 gives spam.co.nz. 86400 IN A 114.23.33.130 spam.co.nz. 86400 IN RRSIG A 8 3 86400 2011061600 2011060200 45201 spam.co.nz. G8dEGkabnpInz47441Q6nUZkil0fBOjzll1jTRC8qGLx17baG7b30stf aNcRlVvWncvRWvjzMpWocKfUQJuGC5+F7rPLDVK/rRO4L7DATjEZ95eC tw2YfKEZHivKZbOlAEHKncd6A/VV4IOHRpl1ebx6/yQ8Vr36tojI06RW k9k= dig +dnssec T A spam.co.nz @114.23.33.130 spam.co.nz. 86400 IN RRSIG A 8 3 86400 2011061600 2011060200 45201 spam.co.nz. G8dEGkabnpInz47441Q6nUZkil0fBOjzll1jTRC8qGLx17baG7b30stf aNcRlVvWncvRWvjzMpWocKfUQJuGC5+F7rPLDVK/rRO4L7DATjEZ95eC tw2YfKEZHivKZbOlAEHKncd6A/VV4IOHRpl1ebx6/yQ8Vr36tojI06RW k9k= spam.co.nz. 86400 IN A 114.23.33.130 So I extract the keys .. pdnssec export-zone-dnskeys spam.co.nz 1 | grep DNSKEY > trustedkey And test on 114.23.33.130 dig +dnssec +sigchase +trusted-key=./trustedkey t A spam.co.nz @114.23.33.130 And.. .. .. ;; WE HAVE MATERIAL, WE NOW DO VALIDATION ;; VERIFYING A RRset for spam.co.nz. with DNSKEY:45201: success ;; OK We found DNSKEY (or more) to validate the RRset ;; Ok, find a Trusted Key in the DNSKEY RRset: 22621 ;; VERIFYING DNSKEY RRset for spam.co.nz. with DNSKEY:22621: success ;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS Works.. But dig +dnssec +sigchase +trusted-key=./trustedkey t A spam.co.nz @114.23.33.131 ;; WE HAVE MATERIAL, WE NOW DO VALIDATION ;; VERIFYING A RRset for spam.co.nz. with DNSKEY:45201: success ;; OK We found DNSKEY (or more) to validate the RRset ;; Now, we are going to validate this DNSKEY by the DS ;; the DNSKEY isn't trusted-key and there isn't DS to validate the DNSKEY: FAILED Can someone help why the slave is failing I cannot find any documentation on slaves and powerdnssec and how it should be done properly.. Thanks Craig ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] PowerDNSSEC Progress: ready for a first look
On Fri, Jan 07, 2011 at 01:35:59PM +0100, Leen Besselink wrote a message of 58 lines which said: > I would expect it to need authentication tokens too. :-) In almost all registries, this is allowed only to registered registrars. So, even if someone were willing to add an EPP client to PowerDNS, it would be a waste of time. As with similar software (which perform key management), the good solution is to have a command to export the DS record, so that the PowerDNS human manager can give it to his registrar. ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
[Pdns-users] PowerDNSSEC Progress: packages & production use
Dear PowerDNS Community, With the help of many of you, we've now brought 'PowerDNSSEC' to the point where it is in light production. Several of our important domains have already been migrated to the PowerDNS Authoritative Server 3.0 prereleases. Several PowerDNS users have done the same with their domains (please let us know!). We are pleased to announce the regular availability of documentation, packages and tarballs for testing. On http://powerdnssec.org/downloads/packages you will find RPM/DEB for 32-bit and 64-bit Linux. On http://powerdnssec.org/downloads you will find tarballs which can be compiled on other systems. For more information head over to http://www.powerdnssec.org (which of course is powered by PowerDNSSEC). Documentation is on http://doc.powerdns.com/powerdnssec-auth.html Even more information is on http://wiki.powerdns.com/trac/wiki/PDNSSEC - including how to get started, and how to get help. In brief, PowerDNSSEC will allow you to continue operating as normal in many cases, with only slight changes to your installation. There is no need to run signing tools, nor is there a need to rotate keys or run scripts. Particularly, if you run with Generic MySQL, Generic PostgreSQL or Generic SQLite3, you should have an easy time. A small schema update is required, plus an invocation of 'pdnssec secure-zone domain-name ; pdnssec rectify-zone domain-name' per domain you want to secure. And that should be it. Supported are: * NSEC * NSEC3 in ordered mode (pre-hashed records) * NSEC3 in narrow mode (unmodified records) * Zone transfers (for NSEC) * Import of 'standard' private keys from BIND/NSD * Export of 'standard' private keys * RSASHA1 * RSASHA256 * "Pure" PostgreSQL, SQLite3 & MySQL operations * Hybrid BIND/PostgreSQL/SQLite3/MySQL operation * Front-signing slaved data from legacy installations See http://doc.powerdns.com/dnssec-supported.html for more specifications. To join the fun, download the tarball and packages which can be found on the sites above, and let us know how it works for you! To clarify, we do not recommend taking the current code snapshot into heavy production, but we are getting close. Kind regards, Bert ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] PowerDNSSEC Progress: ready for a first look
On Fri, Jan 07, 2011 at 11:39:59AM +0100, bert hubert wrote: > On Fri, Jan 07, 2011 at 11:24:12AM +0100, Leen Besselink wrote: > > > But their is one part I'm missing a way to hook up an EPP-client for > > sending the DS-record to the parent-zone. > > This could be added to pdnssec perhaps - is there an EPP spec somewhere? > 'pdnssec push-zone-ds powerdnssec.org epp.sidn.nl' ? > > It would probably need authentication tokens too etc. > I would expect it to need authentication tokens too. :-) Supposedly it is RFC 5910 which obsoletes RFC 4310. It's an XML format sent over HTTP(S). I've seen a few EPP implementations (not the DNSSEC-part) and they are not the same. But I don't see a reason why commands related to DNSSEC should differ. > > Are their to many TLD's that do not have the needed EPP-extensions at > > this time ? Or are their to many different > > authentication scheme's ? Probably worse, I guess for some people they > > have registrars in between. And some > > currently have EPP, but probably not many have DNSSEC yet. > > As far as I know, almost nobody has a decent DS submission gateway > standardized right now. But oddly enough, I know very little about registry > operations, so I could very well be wrong. > I understand. Maybe it does not need to be part of PowerDNSSEC (at first ?). But I did wonder at what point in time (for examlpe 5 days before key rollover) will the new DS be inserted in the database and how do you recognise it. But after reading http://wiki.powerdns.com/trac/wiki/PDNSSEC/details again it is pretty obvious PowerDNSSEC does not do a key rollover unless you ask it to do so. Somehow I missed that part the first time. Do you have any recommendations or pointers to recommendations about when key rollover should be done ? A small recommendation for the documentation: it does not mention the cryptograhic/hashing algorithms that are used (or supported) by PowerDNSSEC. I would expect the key rollover to depend on the algorithms used. > Bert ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] PowerDNSSEC Progress: ready for a first look
On Fri, Jan 07, 2011 at 11:24:12AM +0100, Leen Besselink wrote: > A (possibly hidden) supermaster which does all the DNSSEC signing and > the superslaves which only do > zone-trasfers and no online DNSSEC-signing but do understand enough of > the protocol to be able to serve it. This scenario is supported with the PowerDNS hidden master, but the slaves will need to be passive in this case. I recommend NSD. PowerDNS can serve valid signed zones over AXFRs for NSEC and NSEC3 non-narrow zones (ok, for NSEC3 it is broken right now, but that can be fixed). > I ask this because I have a feeling not everyone wants their private key > material in several physical locations or > do not yet want to be hindered by the the DNSSEC-performance of the > current release for their public authoritive > servers. This is not the current operational mode of PowerDNSSEC. This may change in the future. > But their is one part I'm missing a way to hook up an EPP-client for > sending the DS-record to the parent-zone. This could be added to pdnssec perhaps - is there an EPP spec somewhere? 'pdnssec push-zone-ds powerdnssec.org epp.sidn.nl' ? It would probably need authentication tokens too etc. > Are their to many TLD's that do not have the needed EPP-extensions at > this time ? Or are their to many different > authentication scheme's ? Probably worse, I guess for some people they > have registrars in between. And some > currently have EPP, but probably not many have DNSSEC yet. As far as I know, almost nobody has a decent DS submission gateway standardized right now. But oddly enough, I know very little about registry operations, so I could very well be wrong. Bert ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] PowerDNSSEC Progress: ready for a first look
On 01/06/2011 08:00 PM, bert hubert wrote: > On Thu, Jan 06, 2011 at 11:55:24AM -0500, Mathew Hennessy wrote: >> Excellent! BTW, can PowerDNSSEC operate in the following way as one would >> expect: >> >> PowerDNS supermaster which has DNSSEC RRs but doesn't do DNSSEC (aka >> traditional PowerDNS) providing data to PowerDNS slaves. If you use the >> new code with a compatible backend on the slaves (such as gsqlite3), and >> your whois servers only point to those slaves, will it work? > Almost! If you did that up till just now, you would have had to run 'pdnssec > rectify-zone' on your slaves after each AXFR. > > However, thank you for raising this idea, this sounds like a very valid use > case. > > It has just been implemented in changeset > http://wiki.powerdns.com/trac/changeset/1819 > > I tested it against an ancient server, and now I have a fully > operational DNSSEC zone! > > It works fully automatic on retrieving a zone for which we have local keying > material. > > In this way, PowerDNSSEC can now be used to 'dnssec-ify' existing data, a > bit like 'phreebird'. http://freshmeat.net/projects/phreebird > > Bert > Hi Bert, Thank you for all your work so far, it is probably a lot of work. I was thinking what about the opposite ? A (possibly hidden) supermaster which does all the DNSSEC signing and the superslaves which only do zone-trasfers and no online DNSSEC-signing but do understand enough of the protocol to be able to serve it. I guess during the zone-transfer it would update any parts of the zone that are not yet (correctly) DNSSEC-signed ? Would that also work ? Technically/DNSSEC-wise I would expect it to work but maybe you don't have the right configuration options yet. Also judging from the current documentation it currently is not a mode of operations. I ask this because I have a feeling not everyone wants their private key material in several physical locations or do not yet want to be hindered by the the DNSSEC-performance of the current release for their public authoritive servers. Most of these requirements are already handled by the SQL-replication mode of operation. I have a hunch not atleast someone out there currently runs a supermaster/superslave operation and would like to only add DNSSEC to the supermaster and only upgrade (if needed) the slaves. __ I really like how PowerDNSSEC and Phreebird are trying to lower the administrative/operational burden. But their is one part I'm missing a way to hook up an EPP-client for sending the DS-record to the parent-zone. Because when you setup the DS-record(s) at the parent-zone, you'll eventually need to update it and the point it is time when it needs to be updated is kind of dictated by the software/crypto-algoritm. So far the only effort I've seen is a some experimental/beta code created by the OpenDNSSEC-people. Any thoughts on that yet ? Or is it just to early at this point ? Are their to many TLD's that do not have the needed EPP-extensions at this time ? Or are their to many different authentication scheme's ? Probably worse, I guess for some people they have registrars in between. And some currently have EPP, but probably not many have DNSSEC yet. Anyway, when is the new DS known to PowerDNSSEC (and in the database) so communication with all parties that are involved can be initiated and how can it be recognised. Would it be enough to run some script every day for example ? I hope this is going to be a good year for everyone, Leen Besselink. >> Thanks, >> = Matt >> >> On Jan 6, 2011, at 10:13, bert hubert wrote: >> >>> Dear PowerDNS Community, >>> >>> With the help of many of you, we've now brought 'PowerDNSSEC' to the point >>> where it might make sense for you to trial it on test domains. We expect to >>> make move some of our own important domains over to PowerDNSSEC early next >>> week. PowerDNS.COM underlies the commercial DNS hosting service 'Express', >>> and may have to wait a bit longer. >>> >>> To test, head over to http://www.powerdnssec.org (which of course is powered >>> by PowerDNSSEC). More information is on >>> http://wiki.powerdns.com/trac/wiki/PDNSSEC - including how to get started, >>> and how to get help. >>> >>> In brief, PowerDNSSEC will allow you to continue operating as normal in many >>> cases, with only slight changes to your installation. There is no need to >>> run signing tools, nor is there a need to rotate keys or run scripts. >>> >>> Particularly, if you run with Generic MySQL, Generic PostgreSQL or Generic >>> SQLite3, you should have an easy time. A small schema update is required, >>> plus an invocation of 'pdnssec secure-zone domain-name && pdnssec >>> rectify-zone domain-name' per domain you want to secure. And that should be >>> it. >>> >>> Supported are: >>> * NSEC >>> * NSEC3 in ordered mode (pre-hashed records) >>> * NSEC3 in narrow mode (unmodified records) >>> * Zone transfers (for NSEC) >>> * Import of 'standard' private keys from BIND/NSD
Re: [Pdns-users] PowerDNSSEC Progress: ready for a first look
would be an excellent "way into dnssec". This wouldn't require any change to the existing (non-dnssec) powerdns setups, and would allow us to test with "real" things, easily migrate single domains to a dnssec setup (just change the nameservers), rollback when needed to the old and tested setup etc. Am I correct that this would only work via AXFR style transfers from the non-dnssec pdns to the new pdns-dnssec slaves? Frank On 06 Jan 2011 wk 1, at 20:00, bert hubert wrote: > On Thu, Jan 06, 2011 at 11:55:24AM -0500, Mathew Hennessy wrote: >> Excellent! BTW, can PowerDNSSEC operate in the following way as one would >> expect: >> >> PowerDNS supermaster which has DNSSEC RRs but doesn't do DNSSEC (aka >> traditional PowerDNS) providing data to PowerDNS slaves. If you use the >> new code with a compatible backend on the slaves (such as gsqlite3), and >> your whois servers only point to those slaves, will it work? > > Almost! If you did that up till just now, you would have had to run 'pdnssec > rectify-zone' on your slaves after each AXFR. > > However, thank you for raising this idea, this sounds like a very valid use > case. > > It has just been implemented in changeset > http://wiki.powerdns.com/trac/changeset/1819 > > I tested it against an ancient server, and now I have a fully > operational DNSSEC zone! > > It works fully automatic on retrieving a zone for which we have local keying > material. > > In this way, PowerDNSSEC can now be used to 'dnssec-ify' existing data, a > bit like 'phreebird'. http://freshmeat.net/projects/phreebird > > Bert > >> >> Thanks, >> = Matt >> >> On Jan 6, 2011, at 10:13, bert hubert wrote: >> >>> Dear PowerDNS Community, >>> >>> With the help of many of you, we've now brought 'PowerDNSSEC' to the point >>> where it might make sense for you to trial it on test domains. We expect to >>> make move some of our own important domains over to PowerDNSSEC early next >>> week. PowerDNS.COM underlies the commercial DNS hosting service 'Express', >>> and may have to wait a bit longer. >>> >>> To test, head over to http://www.powerdnssec.org (which of course is powered >>> by PowerDNSSEC). More information is on >>> http://wiki.powerdns.com/trac/wiki/PDNSSEC - including how to get started, >>> and how to get help. >>> >>> In brief, PowerDNSSEC will allow you to continue operating as normal in many >>> cases, with only slight changes to your installation. There is no need to >>> run signing tools, nor is there a need to rotate keys or run scripts. >>> >>> Particularly, if you run with Generic MySQL, Generic PostgreSQL or Generic >>> SQLite3, you should have an easy time. A small schema update is required, >>> plus an invocation of 'pdnssec secure-zone domain-name && pdnssec >>> rectify-zone domain-name' per domain you want to secure. And that should be >>> it. >>> >>> Supported are: >>> * NSEC >>> * NSEC3 in ordered mode (pre-hashed records) >>> * NSEC3 in narrow mode (unmodified records) >>> * Zone transfers (for NSEC) >>> * Import of 'standard' private keys from BIND/NSD >>> * Export of 'standard' private keys >>> * RSASHA1 >>> * "Pure" PostgreSQL, SQLite3 & MySQL operations >>> * Hybrid BIND/PostgreSQL/SQLite3/MySQL operation >>> >>> To join the fun, download the tarball which can be found on the sites above, >>> and let us know how it works for you! >>> >>> To clarify, we do not recommend taking the current code snapshot into >>> production, but we are getting close. >>> >>> Kind regards, >>> Bert >>> ___ >>> Pdns-users mailing list >>> Pdns-users@mailman.powerdns.com >>> http://mailman.powerdns.com/mailman/listinfo/pdns-users >> >> > ___ > Pdns-users mailing list > Pdns-users@mailman.powerdns.com > http://mailman.powerdns.com/mailman/listinfo/pdns-users Frank -- Frank Louwers Operations -- Openminds bvbahttp://openminds.be fr...@openminds.be +32.9 225 82 91 Schrijf je nu in op onze nieuwsbrief: http://openminds.be/nieuwsbrief ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] PowerDNSSEC Progress: ready for a first look
On Thu, Jan 06, 2011 at 11:55:24AM -0500, Mathew Hennessy wrote: > Excellent! BTW, can PowerDNSSEC operate in the following way as one would > expect: > > PowerDNS supermaster which has DNSSEC RRs but doesn't do DNSSEC (aka > traditional PowerDNS) providing data to PowerDNS slaves. If you use the > new code with a compatible backend on the slaves (such as gsqlite3), and > your whois servers only point to those slaves, will it work? Almost! If you did that up till just now, you would have had to run 'pdnssec rectify-zone' on your slaves after each AXFR. However, thank you for raising this idea, this sounds like a very valid use case. It has just been implemented in changeset http://wiki.powerdns.com/trac/changeset/1819 I tested it against an ancient server, and now I have a fully operational DNSSEC zone! It works fully automatic on retrieving a zone for which we have local keying material. In this way, PowerDNSSEC can now be used to 'dnssec-ify' existing data, a bit like 'phreebird'. http://freshmeat.net/projects/phreebird Bert > > Thanks, > = Matt > > On Jan 6, 2011, at 10:13, bert hubert wrote: > > > Dear PowerDNS Community, > > > > With the help of many of you, we've now brought 'PowerDNSSEC' to the point > > where it might make sense for you to trial it on test domains. We expect to > > make move some of our own important domains over to PowerDNSSEC early next > > week. PowerDNS.COM underlies the commercial DNS hosting service 'Express', > > and may have to wait a bit longer. > > > > To test, head over to http://www.powerdnssec.org (which of course is powered > > by PowerDNSSEC). More information is on > > http://wiki.powerdns.com/trac/wiki/PDNSSEC - including how to get started, > > and how to get help. > > > > In brief, PowerDNSSEC will allow you to continue operating as normal in many > > cases, with only slight changes to your installation. There is no need to > > run signing tools, nor is there a need to rotate keys or run scripts. > > > > Particularly, if you run with Generic MySQL, Generic PostgreSQL or Generic > > SQLite3, you should have an easy time. A small schema update is required, > > plus an invocation of 'pdnssec secure-zone domain-name && pdnssec > > rectify-zone domain-name' per domain you want to secure. And that should be > > it. > > > > Supported are: > > * NSEC > > * NSEC3 in ordered mode (pre-hashed records) > > * NSEC3 in narrow mode (unmodified records) > > * Zone transfers (for NSEC) > > * Import of 'standard' private keys from BIND/NSD > > * Export of 'standard' private keys > > * RSASHA1 > > * "Pure" PostgreSQL, SQLite3 & MySQL operations > > * Hybrid BIND/PostgreSQL/SQLite3/MySQL operation > > > > To join the fun, download the tarball which can be found on the sites above, > > and let us know how it works for you! > > > > To clarify, we do not recommend taking the current code snapshot into > > production, but we are getting close. > > > > Kind regards, > > Bert > > ___ > > Pdns-users mailing list > > Pdns-users@mailman.powerdns.com > > http://mailman.powerdns.com/mailman/listinfo/pdns-users > > ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
[Pdns-users] PowerDNSSEC Progress: ready for a first look
Dear PowerDNS Community, With the help of many of you, we've now brought 'PowerDNSSEC' to the point where it might make sense for you to trial it on test domains. We expect to make move some of our own important domains over to PowerDNSSEC early next week. PowerDNS.COM underlies the commercial DNS hosting service 'Express', and may have to wait a bit longer. To test, head over to http://www.powerdnssec.org (which of course is powered by PowerDNSSEC). More information is on http://wiki.powerdns.com/trac/wiki/PDNSSEC - including how to get started, and how to get help. In brief, PowerDNSSEC will allow you to continue operating as normal in many cases, with only slight changes to your installation. There is no need to run signing tools, nor is there a need to rotate keys or run scripts. Particularly, if you run with Generic MySQL, Generic PostgreSQL or Generic SQLite3, you should have an easy time. A small schema update is required, plus an invocation of 'pdnssec secure-zone domain-name && pdnssec rectify-zone domain-name' per domain you want to secure. And that should be it. Supported are: * NSEC * NSEC3 in ordered mode (pre-hashed records) * NSEC3 in narrow mode (unmodified records) * Zone transfers (for NSEC) * Import of 'standard' private keys from BIND/NSD * Export of 'standard' private keys * RSASHA1 * "Pure" PostgreSQL, SQLite3 & MySQL operations * Hybrid BIND/PostgreSQL/SQLite3/MySQL operation To join the fun, download the tarball which can be found on the sites above, and let us know how it works for you! To clarify, we do not recommend taking the current code snapshot into production, but we are getting close. Kind regards, Bert ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] PowerDNSSEC
On 06/24/2010 03:08 PM, Michael Braunoeder wrote: Hi, Hi, I'm currently evaluating the PowerDNSSEC implementation and found 2 issues: As no person which is more knowledgable answered your question, I thought I would answer with what I know. -) Is it possible to disable the signing-on-demand feature? I want the powerdns to act as slave to a hidden-master which does the signing of the domain, and the powerdns should just serve the signed zone (without any resigning and without access to the Keys). The disable the 'signing-on-demand'-feature has been discussed on this mailinglist before, the answer was: it will be optional in a future version. -) I tried the PostgreSQL-Backend, but I allways received the following error message: " TCP server is unable to launch backends - will try again when questions come in: Undefined but needed argument: 'gpgsql-dnssec'". What is the format of the missing "gpgsql-dnssec'-Parameter I've to add? I like your choose of database, but I don't have any information on the current state of this or any other bankend in combination with DNSSEC, other than I've used the 'bind-backend' (text-file). I do know that every database backend needs to implement some basic extra functions before it can work with DNSSEC. That information can be found here: http://wiki.powerdns.com/trac/wiki/PDNSSEC/backends As linked from: http://wiki.powerdns.com/trac/wiki/PDNSSEC But I did see on that page it says: "Things to be aware of Only BIND and Generic MySQL (gmysql) backend right now" It's also the same page that mentions: "Next The completely live & auto-signing nature of PowerDNSSEC is not what everyone wants. Other DNSSEC modes will be added soon." Best, Michael ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
[Pdns-users] PowerDNSSEC
Hi, I'm currently evaluating the PowerDNSSEC implementation and found 2 issues: -) Is it possible to disable the signing-on-demand feature? I want the powerdns to act as slave to a hidden-master which does the signing of the domain, and the powerdns should just serve the signed zone (without any resigning and without access to the Keys). -) I tried the PostgreSQL-Backend, but I allways received the following error message: " TCP server is unable to launch backends - will try again when questions come in: Undefined but needed argument: 'gpgsql-dnssec'". What is the format of the missing "gpgsql-dnssec'-Parameter I've to add? Best, Michael ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
[Pdns-users] PowerDNSSEC, PowerDNS @ ICANN38
Hi everybody, I'll be part of the 'DNSSEC Workgroup' over at ICANN in Brussels this coming week. There, I will present 'PowerDNSSEC' plus our vision of DNSSEC on the resolver side of large ISPs. More details can be found on http://brussels38.icann.org/node/12491 and you can even join in virtually, http://brussels38.icann.org/chat/silverhall Exact agenda is on http://brussels38.icann.org/meetings/brussels2010/agenda-dnssec-workshop-23jun10-en.pdf I'll be around on Tuesday evening and Wednesday. As always, I enjoy meeting PowerDNS users & enthousiasts, so I hope to meet you there! Drop me a note if you want to coordinate. Bert ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
[Pdns-users] PowerDNSSEC real early version available for testing!
Dear PowerDNS people, On http://wiki.powerdns.com/trac/wiki/PDNSSEC you will find the newest version of PowerDNS with DNSSEC support built in. This version is tentatively called 'PowerDNS Authoritative Server 3.0-pre', to signify its pre-release status, but also to make it clear that DNSSEC will be part of the mainline PowerDNS. The status of PowerDNSSEC is that it is interesting to look at, and functional enough to experiment with. It is not suitable for production, nor is PowerDNSSEC guaranteed to remain compatible with its current configuration form. However, the good news is that signing a DNSSEC zone is now as simple as entering 'pdnssec sign-zone powerdnssec.org'. Any changes to your zone are automatically re-signed, there is no need to do anything by hand. However, please study http://wiki.powerdns.com/trac/wiki/PDNSSEC for cautions on what will work and what does not work right now! Kind regards, Bert Hubert ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users