Changes between Version 2 and Version 3 of LargeScaleDNSSECBCP

Timestamp: 07/08/12 18:22:37 (11 months ago)
Author: anon
Comment:

--

  • LargeScaleDNSSECBCP

    v2 v3  
    6565 * Backups of your keys. If slaving signed zones, your slaves have a copy of all DNSSEC signatures, but not of the actual keys! So, where slaves used to be 'free backups', this is no longer true for DNSSEC. Unless you replicate the entire database at SQL level. We still recommend backups. 
    6666 
     67''maybe the above paragraph should read'': 
     68 
     69> If slaving signed zones via zone transfer (AXFR) , your slaves have a copy of all DNSSEC signatures, but not of the actual keys (because they don't need them). So, where slaves used to be "free backups", this is no longer true for DNSSEC unless you replicate the entire database at SQL level (NATIVE replication). We recommend you backup your keys. 
     70 
    6771 * Key rollovers. PowerDNS automatically renews the RRSIGs (the signatures for your DNS data), so you don't need to do anything. There are documents which tell you to roll your DNS keys frequently, although it is now believed such automatic rolling is not required. In any case, if you are doing a large scale migration, it is advised to initially not roll keys until the dust has settled. 
    6872
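Review bot: The added lines 67-69 leave the original "Backups of your keys" bullet (line 65) in place and append a proposed rewording under ''maybe the above paragraph should read'', so the page now states the same guidance twice and carries an editorial question in its body. Suggest replacing the text of line 65 with the reworded version and dropping the lead-in. Within the new text, "(AXFR) ," has a stray space before the comma, and "backup your keys" should be the verb form "back up your keys". The rewording also changes "We still recommend backups" to "We recommend you backup your keys", which narrows the advice from backups in general to keys only; worth confirming that is intended.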