
I'm trying to understand if PowerDNS slaves can update records even if the serial number in the SOA for the zone does not change. The scenario I have in mind is the following:

There is one master server which does live signing for DNSSEC. Background is that I want to be able to deliver current signed records by only changing the database. When the SOA serial in the database changes, the slaves get notified and retrieve the new (and signed) data automatically.

However, according to the documentation the RRSIG records have a validity of between one or two weeks. Would the slaves pick up new RRSIG records automatically even if the SOA is not changed?

DerAndy
  • I'm curious why you do not want to update the serial number? – Jacob Evans Jan 21 '17 at 02:27
  • I don't have anything against updating the number, it just doesn't feel natural somehow to do that other than when I change the zone data. Would you recommend just going in and updating the serial for all zones once a week? – DerAndy Jan 21 '17 at 02:37
  • see the documentation, they have this specific example – Jacob Evans Jan 21 '17 at 02:40
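The question turns on how a secondary decides to fetch data: a zone-transfer secondary (AXFR/IXFR, which is what any non-PowerDNS or non-database-replicated slave uses) only pulls a new copy when the primary's SOA serial compares newer under RFC 1982 serial arithmetic. If the primary re-signs in place without bumping the serial, the secondary keeps serving its old RRSIGs until they expire. The following is an added example, not code from the question or from PowerDNS: it parses two zone dumps in standard presentation format (constructed sample records, not real zone data), compares the serials, and reports whether the secondary is behind, fine, close to signature expiry, or already serving expired signatures. The assumed input is the text form of `dig axfr` style output; the thresholds and status names are my own.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample zone dumps (not real records). Both copies carry the same
# SOA serial, but the primary has been re-signed with later RRSIG expiries,
# which a serial-driven secondary will never notice on its own.
PRIMARY_ZONE = """\
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2017012001 10800 3600 604800 3600
example.test. 3600 IN RRSIG SOA 8 2 3600 20170223000000 20170202000000 12345 example.test. c2lnbmF0dXJl
www.example.test. 3600 IN A 192.0.2.10
www.example.test. 3600 IN RRSIG A 8 3 3600 20170223000000 20170202000000 12345 example.test. c2lnbmF0dXJl
"""

SECONDARY_ZONE = """\
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2017012001 10800 3600 604800 3600
example.test. 3600 IN RRSIG SOA 8 2 3600 20170202000000 20170112000000 12345 example.test. c2lnbmF0dXJl
www.example.test. 3600 IN A 192.0.2.10
www.example.test. 3600 IN RRSIG A 8 3 3600 20170202000000 20170112000000 12345 example.test. c2lnbmF0dXJl
"""


def _ts(field):
    """RRSIG timestamps are YYYYMMDDHHMMSS in UTC (RFC 4034 presentation format)."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_zone(text):
    """Return (soa_serial, [(owner, covered_type, inception, expiration), ...])."""
    serial = None
    rrsigs = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[2] != "IN":
            continue
        owner, rtype, rdata = f[0], f[3], f[4:]
        if rtype == "SOA":
            # rdata: mname rname serial refresh retry expire minimum
            serial = int(rdata[2])
        elif rtype == "RRSIG":
            # rdata: type-covered alg labels origttl expiration inception keytag signer sig
            rrsigs.append((owner, rdata[0], _ts(rdata[5]), _ts(rdata[4])))
    if serial is None:
        raise ValueError("no SOA record found")
    return serial, rrsigs


def serial_newer(a, b):
    """True if serial a is newer than b under RFC 1982 32-bit serial arithmetic."""
    return 0 < ((a - b) & 0xFFFFFFFF) < 2 ** 31


def assess_secondary(primary_text, secondary_text, now, warn=timedelta(days=3)):
    """Classify a zone-transfer secondary relative to its primary.

    behind   - primary serial is newer; the next refresh/NOTIFY brings new RRSIGs
    ok       - serials match and the secondary's signatures are valid well past now
    at-risk  - serials match but a signature expires within `warn`; bump the serial
    expired  - serials match and the secondary already serves an expired RRSIG
    unsigned - serials match and the secondary copy carries no RRSIGs at all
    """
    p_serial, _ = parse_zone(primary_text)
    s_serial, s_rrsigs = parse_zone(secondary_text)
    if serial_newer(p_serial, s_serial):
        return "behind"
    if not s_rrsigs:
        return "unsigned"
    earliest = min(exp for _, _, _, exp in s_rrsigs)
    if earliest <= now:
        return "expired"
    if earliest - now < warn:
        return "at-risk"
    return "ok"


if __name__ == "__main__":
    # In practice `now` would be datetime.now(timezone.utc); fixed here for the sample data.
    for day in (20, 31):
        when = datetime(2017, 1, day, tzinfo=timezone.utc)
        print(when.date(), assess_secondary(PRIMARY_ZONE, SECONDARY_ZONE, when))
    bumped = PRIMARY_ZONE.replace("2017012001", "2017012002")
    print("after serial bump:", assess_secondary(bumped, SECONDARY_ZONE, when))
```

The "at-risk" and "expired" outcomes are exactly the situation the question describes: the primary's fresh RRSIGs are invisible to the secondary because nothing made the serial move. Database replication between trusted PowerDNS servers avoids the problem because the secondary reads the re-signed rows directly; for transfer-based secondaries the serial has to change before the oldest signature expires, which is what PowerDNS's SOA-EDIT domain metadata automates.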

1 Answer

3

Yes, if you replicate the records via the database and all other servers are also PowerDNS (see the note about DNSSEC and non-PowerDNS replicas, such as BIND slaves).

Warning: If you have DNSSEC-signed zones and non-PowerDNS slaves, please check your SOA-EDIT settings.

https://doc.powerdns.com/md/authoritative/modes-of-operation/

Note: this is also how BIND with LDAP backends works (my experience with FreeIPA and DNSSEC).

Jacob Evans
  • Unfortunately I can't use database replication for my scenario, because some of the DNS servers are not "trusted" so I may not transfer the keys to them. :( – DerAndy Jan 21 '17 at 02:33
  • That is unfortunate. Do you require DANE, TLSA, SSHFP, or some other records requiring signed zones? – Jacob Evans Jan 21 '17 at 02:36
  • Implementing DNSSEC is the first step, but DANE will be a requirement soon, yes. I haven't investigated the details for this so far. – DerAndy Jan 21 '17 at 02:42
  • Thank you for pointing me in the right direction. I was missing this because I was reading the version 3 documentation, which seems to be missing that section. I'll have to test if it works the same way in version 3 (which is the version delivered with debian jessie) or if I need to upgrade. – DerAndy Jan 21 '17 at 02:58
  • @DerAndy You may also want to consider using the current version from https://repo.powerdns.com/ – Håkan Lindqvist Jan 21 '17 at 10:17
  • I will if it doesn't work with my version, but I prefer to use what's in the distro if possible. :) – DerAndy Jan 21 '17 at 15:39
  • Eh, I would disagree with you there... Debian isn't great at repackaging software... see nginx. – Jacob Evans Jan 21 '17 at 15:41
  • https://legalhackers.com/videos/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html – Jacob Evans Jan 21 '17 at 15:42