Removing Dnssec records from slave PDNS servers

mvdgeijn
Hi,

I was wondering what the best way is to remove Dnssec records from the slave PDNS servers? Our master and slave DNS servers are all PowerDNS servers. They are kept in sync using AXFR and are all at different locations.

At this moment it seems that when I disable Dnssec on the master for a domain, this information is not transferred to the slave DNS servers.

Thanks!
Marc

Re: Removing Dnssec records from slave PDNS servers

bert hubert-3
On Wed, Feb 17, 2016 at 03:47:57PM +0000, Marc van de Geijn wrote:
> Unfortunately, the serial is updated on the master and synced to the slaves, but the slaves keep reporting the NSEC3 & RRSIG records. The master does not report these records when doing an AXFR from the slaves.

Can you show the actual output of 'pdnssec show-zone' on both master and
slave please?

        Bert

>
> Kind regards,
>
> Marc van de Geijn
> bHosted.nl
>
> Mail: [hidden email]
> Tel: 020 3118211
> Facebook: https://www.facebook.com/bHosted.nl.Webhosting
> Twitter: https://twitter.com/bhostednl
>
> -----Original message-----
> From: bert hubert [mailto:[hidden email]]
> Sent: Wednesday 17 February 2016 16:41
> To: Marc van de Geijn <[hidden email]>
> CC: [hidden email]
> Subject: Re: [Pdns-users] Removing Dnssec records from slave PDNS servers
>
> On Wed, Feb 17, 2016 at 06:27:59AM -0700, mvdgeijn wrote:
> > Hi,
> >
> > I was wondering what the best way is to remove Dnssec records from the
> > slave PDNS servers? Our master and slave DNS servers are all PowerDNS servers.
> > They are kept in sync using AXFR and are all at different locations.
> >
> > At this moment it seems that when I disable Dnssec on the master for a
> > domain, this information is not transferred to the slave DNS servers.
>
> Increase the serial (pdnssec increase-serial is an easy way, or pdnsutil on 4.x).
>
> That should trigger the slave to refetch without the DNSSEC.
>
> Bert
_______________________________________________
Pdns-users mailing list
[hidden email]
http://mailman.powerdns.com/mailman/listinfo/pdns-users

RE: Removing Dnssec records from slave PDNS servers

mvdgeijn

Hi Bert,

Here is the data.

On the master:

~# pdnssec show-zone salzvideo.nl
Zone is not actively secured
Zone is not presigned
No keys for zone 'salzvideo.nl'.

On one of the slaves:

$ pdnssec show-zone salzvideo.nl
Zone is not presigned
Zone has hashed NSEC3 semantics, configuration: 1 0 1 ab
keys:
ID = 1534 (KSK), tag = 19711, algo = 8, bits = 2048     Active: 1 ( RSASHA256 )
KSK DNSKEY = salzvideo.nl IN DNSKEY 257 3 8 AwEAAY1J6kjWaCIDffTnxLkkJKjmDgy/ulsIbQNuxGvfqjSw9DA5WvCzZFFZPa0SqEoTrO3Mj+/GQ971SsIIWKX/nfTxS1dnT2voFPj9l5GLzdeKq6JK32nbxg9ftaYLzO2Rr10RpgHNjBLztd4ATwYo5lXvWplO/gG4ZmQCBUIE9seTqOLpqiDmH/nUsuWGISj/pBfp6Kz2vTPpDvHifsltNoE+NWbfDe41jIuezoo2pTuhpRag4yqFdpbdcqVlVkn9fzxqIfzlrvaQlTSKBue7r7osAlg2BTmOrLmT2OcDcUX9W+8p2ORputROwYFPzurzqheqWUd2bskanscwj530Dyk= ; ( RSASHA256 )
DS = salzvideo.nl IN DS 19711 8 1 cc126ecef7a0d02393ad706698693fe5edf8f128 ; ( SHA1 digest )
DS = salzvideo.nl IN DS 19711 8 2 2b9b348598238195ad4ee11ab289ed682ebe194197a563b57a955f85e5edc3ad ; ( SHA256 digest )

ID = 1535 (ZSK), tag = 29826, algo = 8, bits = 1024     Active: 1 ( RSASHA256 )
ID = 1536 (ZSK), tag = 20593, algo = 8, bits = 1024     Active: 0 ( RSASHA256 )

Kind regards,

Marc van de Geijn
bHosted.nl

Mail: [hidden email]
Tel: 020 3118211
Facebook: https://www.facebook.com/bHosted.nl.Webhosting
Twitter: https://twitter.com/bhostednl

Re: Removing Dnssec records from slave PDNS servers

Peter van Dijk
In reply to this post by mvdgeijn
Hello Marc,

On 17 Feb 2016, at 14:27, mvdgeijn wrote:

> I was wondering what the best way is to remove Dnssec records from the
> slave PDNS servers? Our master and slave DNS servers are all PowerDNS
> servers. They are kept in sync using AXFR and are all at different
> locations.
>
> At this moment it seems that when I disable Dnssec on the master for a
> domain, this information is not transferred to the slave DNS servers.

Changing DNSSEC settings does not change the serial - so you need to
change it by hand on the master. Then the slave will soon pick up the
changes.

Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/

Re: Removing Dnssec records from slave PDNS servers

mvdgeijn
I tried updating the serial, but that did not remove the RRSIG and NSEC records from the slaves. Bert requested some output of a command on the master and a slave. I sent him that yesterday and I'm waiting for a response from him.
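
The two `pdnssec show-zone` outputs posted earlier in this thread can be compared mechanically to list the DNSSEC state that exists on the slave but not on the master. This is an added example, not code from any poster or from PowerDNS; the function names are hypothetical, and the inputs are the thread's outputs with the DNSKEY/DS lines omitted.

```python
import re

# `pdnssec show-zone salzvideo.nl` output as posted in the thread; the slave's
# DNSKEY/DS lines are left out because this comparison does not use them.
MASTER = """Zone is not actively secured
Zone is not presigned
No keys for zone 'salzvideo.nl'.
"""
SLAVE = """Zone is not presigned
Zone has hashed NSEC3 semantics, configuration: 1 0 1 ab
keys:
ID = 1534 (KSK), tag = 19711, algo = 8, bits = 2048     Active: 1 ( RSASHA256 )
ID = 1535 (ZSK), tag = 29826, algo = 8, bits = 1024     Active: 1 ( RSASHA256 )
ID = 1536 (ZSK), tag = 20593, algo = 8, bits = 1024     Active: 0 ( RSASHA256 )
"""

KEY_RE = re.compile(r"ID = (\d+) \((KSK|ZSK)\), tag = (\d+), algo = (\d+), "
                    r"bits = (\d+)\s+Active: ([01])")
NSEC3_RE = re.compile(r"NSEC3 semantics, configuration: (.+)$")


def parse_show_zone(text):
    """Pull the NSEC3 setting and key list out of show-zone text."""
    state = {"nsec3": None, "keys": []}
    for line in text.splitlines():
        nsec3 = NSEC3_RE.search(line)
        if nsec3:
            state["nsec3"] = nsec3.group(1).strip()
        key = KEY_RE.search(line)
        if key:
            _, kind, tag, _, _, active = key.groups()
            state["keys"].append({"type": kind, "tag": int(tag), "active": active == "1"})
    return state


def leftover_dnssec(master_text, slave_text):
    """List DNSSEC state present on the slave that the master no longer has."""
    master, slave = parse_show_zone(master_text), parse_show_zone(slave_text)
    master_tags = {k["tag"] for k in master["keys"]}
    findings = [f"{k['type']} tag {k['tag']} ({'active' if k['active'] else 'inactive'})"
                " exists only on the slave"
                for k in slave["keys"] if k["tag"] not in master_tags]
    if slave["nsec3"] and slave["nsec3"] != master["nsec3"]:
        findings.append(f"NSEC3 configuration '{slave['nsec3']}' exists only on the slave")
    return findings


if __name__ == "__main__":
    for finding in leftover_dnssec(MASTER, SLAVE):
        print(finding)
```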