From: Bert Hubert Date: Wed, 19 Jan 2011 19:15:49 +0000 (+0000) Subject: sync the docs with pre-signing mode X-Git-Tag: auth-3.0~350 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=505fb48932cf5918dce5a9b229cbfb1f53b5c914;p=pdns sync the docs with pre-signing mode git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@1897 d19b8d6e-7fed-0310-83ef-9ca221ded41b --- diff --git a/pdns/docs/pdns.xml b/pdns/docs/pdns.xml index 939537ee0..0a2bf8e31 100644 --- a/pdns/docs/pdns.xml +++ b/pdns/docs/pdns.xml @@ -9098,10 +9098,13 @@ $ pdnssec rectify-zone Particularly, if a PowerDNSSEC secured zone is transfered via AXFR, it should be able to contain the same records as when that zone was signed using 'ldns-signzone' using the same keys and settings. + + PowerDNS supports serving pre-signed zones, as well as online ('live') signed operations. In the last case, Signature Rollover + and Key Maintenance are fully managed by PowerDNS. + In addition to the above, PowerDNSSEC also supports modes of operation which may not have an equivalent in other - pieces of software, for example NSEC3-narrow mode. In such cases we strive for implementing the relevant standards - well. + pieces of software, for example NSEC3-narrow mode. PowerDNSSEC supports: @@ -9190,7 +9193,16 @@ $ pdnssec rectify-zone
From existing non-DNSSEC non-PowerDNS setups TBD
-
From existing DNSSEC non-PowerDNS setups +
From existing DNSSEC non-PowerDNS setups, pre-signed + + Industry standard signed zones can be served natively by PowerDNS, without changes. In such cases, signing + happens externally to PowerDNS, possibly via OpenDNSSEC, ldns-sign or dnssec-sign. + + + PowerDNS needs to know if a zone should receive DNSSEC processing. To configure, run 'pdnssec set-presigned zone'. + +
+
From existing DNSSEC non-PowerDNS setups, live signing The 'pdnssec' tool features the option to import zone keys in the industry standard private key format, version 1.2. To import an existing KSK, use 'pdnssec import-zone-key zonename filename KSK', replace KSK @@ -9205,9 +9217,9 @@ $ pdnssec rectify-zone
- Records, Keys, signatures, hashes within PowerDNSSEC + Records, Keys, signatures, hashes within PowerDNSSEC in online signing mode - Within PowerDNSSEC, keys are stored separately from the zone records. Zone data are only + Within PowerDNSSEC live signing, keys are stored separately from the zone records. Zone data are only combined with signatures and keys when requests come in over the internet. @@ -9254,7 +9266,7 @@ $ pdnssec rectify-zone
Signatures - In PowerDNS, signatures, as served through RRSIG records, are calculated on the fly, and heavily cached. All CPU cores + In PowerDNS live signing mode, signatures, as served through RRSIG records, are calculated on the fly, and heavily cached. All CPU cores are used for the calculation. @@ -9457,9 +9469,7 @@ $ pdnssec rectify-zone
NSEC(3) change .. pdnssec show-zone ZONE and communicatate duplicate DS .. - .. pdnssec activate-zone-key ZONE next-key-id .. - .. pdnssec deactivate-zone-key ZONE prev-key-id .. - .. pdnssec remove-zone-key ZONE prev-key-id .. + .. pdnssec set-nsec3 'parameters' ZONE
@@ -9482,6 +9492,12 @@ $ pdnssec rectify-zone Such a single replicated database requires no further attention beyond monitoring already required during non-DNSSEC operations.
+
PowerDNSSEC Pre-signed records + + In this mode, PowerDNS serves zones that already contain DNSSEC records. Such zones can either be slaved from + a remote master, or can be signed using tools like OpenDNSSEC, ldns-signzone or dnssec-signzone. + +
PowerDNSSEC Front-signing As a special feature, PowerDNSSEC can operate as a signing server which operates as a slave @@ -9555,7 +9571,8 @@ $ pdnssec rectify-zone to operating an HTTPS server, where the certificate is available on the webserver for cryptographic purposes. - In some settings, having such (private) keying material available online is considered undesireable. + In some settings, having such (private) keying material available online is considered undesireable. In this case, + consider running in pre-signed mode.
Performance
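Review bot: in the hunk at @@ -9098, the added paragraph's "In the last case" should read "In the latter case", and "online ('live') signed operations" reads awkwardly next to "serving pre-signed zones"; suggest "online ('live') signing". "Signature Rollover and Key Maintenance" are capitalised mid-sentence without being defined terms anywhere in the surrounding text. Note also that the hunk removes "In such cases we strive for implementing the relevant standards well", which was the only statement about standards conformance for modes such as NSEC3-narrow; if dropping it is intentional, say so in the commit message, otherwise keep the sentence.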
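Review bot: in the hunk at @@ -9190, the tool names "ldns-sign or dnssec-sign" in the new pre-signed section do not match the names used elsewhere in this patch and in the surrounding text ("ldns-signzone" in the unchanged paragraph above, "ldns-signzone or dnssec-signzone" in the new Pre-signed records section); use the full names consistently. Also, "pdnssec set-presigned zone" should use the uppercase ZONE placeholder that the other pdnssec invocations in this document use (for example "pdnssec show-zone ZONE"), so readers do not take the lowercase "zone" for a literal argument.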
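Review bot: in the hunk at @@ -9205, the new heading says "in online signing mode" while the body text of the same hunk says "live signing", and the hunk at @@ -9254 uses "live signing mode"; pick one term for the mode (the @@ -9098 hunk introduces it as "online ('live')") and use it in headings and body alike so the pre-signed/live distinction is easy to search for.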
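Review bot: in the hunk at @@ -9457, the replacement step "pdnssec set-nsec3 'parameters' ZONE" puts the zone name after the parameters, whereas every other pdnssec command shown in this document takes the zone as its first argument ("show-zone ZONE", "activate-zone-key ZONE", "set-presigned zone"); confirm the intended argument order and match the document's convention. The new line is also missing the trailing ".." that the sibling steps in this list carry, and the adjacent context line still reads "communicatate", which could be fixed while this list is being edited.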
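Review bot: in the hunk at @@ -9482, the new "PowerDNSSEC Pre-signed records" section does not say how a zone is marked as pre-signed; the migration section added earlier in this patch states that PowerDNS needs to be told via "pdnssec set-presigned", so a sentence here pointing at that command, and stating whether it also applies to zones slaved from a remote master, would keep the two sections consistent.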
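Review bot: in the hunk at @@ -9555, the rewritten line keeps the misspelling "undesireable" (should be "undesirable"); since the line is being changed anyway, fix the spelling here. "consider running in pre-signed mode" would also benefit from a reference to the Pre-signed records section added in this patch, since that is where the mode is described.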