pdns-3.3.2-1.mga4.x86_64.rpm

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>3. Migration</title><link rel="stylesheet" href="docbook.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /><link rel="home" href="index.html" title="PowerDNS manual" /><link rel="up" href="powerdnssec-auth.html" title="Chapter 12. Serving authoritative DNSSEC data" /><link rel="prev" href="dnssec-supported.html" title="2. Profile, Supported Algorithms, Record Types &amp; Modes of operation" /><link rel="next" href="powerdnssec.html" title="4. Records, Keys, signatures, hashes within PowerDNSSEC in online signing mode" /></head><body><div class="section" title="3. Migration"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="dnssec-migration"></a>3. Migration</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="dnssec-migration.html#powerdnssec-migration">3.1. From an existing PowerDNS installation</a></span></dt><dt><span class="section"><a href="dnssec-migration.html#dnssec-bind-migration">3.2. From existing non-DNSSEC non-PowerDNS setups</a></span></dt><dt><span class="section"><a href="dnssec-migration.html#dnssec-dnssec-migration-presigned">3.3. From existing DNSSEC non-PowerDNS setups, pre-signed</a></span></dt><dt><span class="section"><a href="dnssec-migration.html#dnssec-dnssec-migration-live">3.4. From existing DNSSEC non-PowerDNS setups, live signing</a></span></dt></dl></div><p>
    This chapter discusses various migration strategies, from existing PowerDNS setups, from existing unsigned installations
    and finally from previous non-PowerDNS DNSSEC deployments.
  </p><div class="section" title="3.1. From an existing PowerDNS installation"><div class="titlepage"><div><div><h3 class="title"><a id="powerdnssec-migration"></a>3.1. From an existing PowerDNS installation</h3></div></div></div><p>
      To migrate an existing database-backed PowerDNS installation, a few changes must be made to the database schema.
      First, the records table gains two new fields: 'auth' and 'ordername'. Some data in a zone, like glue records, should 
      not be signed, and this is signified by setting 'auth' to 0.
    </p>
    <div class="warning" title="Warning" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Warning"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Warning]" src="warning.png" /></td><th align="left">Warning</th></tr><tr><td align="left" valign="top"><p>Once the database schema has been updated, and the relevant 'gsql-dnssec' switch has been set, stricter
      rules apply for filling out the database! The short version is: run pdnssec rectify-zone on all zones, even
      those not secured with DNSSEC!</p></td></tr></table></div>
    <p>
      Additionally, NSEC and NSEC3 in non-narrow mode require ordering data to perform (hashed) denial of existence. The 'ordername'
      field holds this ordering.
    </p><p>
      Finally, two new tables are needed. DNSSEC keying material is stored in the 'cryptokeys' table (in a portable standard format). 
      Domain metadata is stored in the 'domainmetadata' table. This includes NSEC3 settings.
    </p><p>
      Once the database schema has been changed for DNSSEC usage (see the relevant backend chapters or <a class="ulink" href="http://wiki.powerdns.com/trac/wiki/PDNSSEC" target="_top">the PowerDNSSEC wiki</a> for the update statements), the 'pdnssec'
      tool can be used to fill out keying details, and 'rectify' the auth and ordername fields.
    </p><p>
      In short, 'pdnssec secure-zone powerdnssec.org ; pdnssec rectify-zone powerdnssec.org' will deliver a correctly NSEC signed zone.
    </p><p>
      In addition, so will the 'zone2sql' import tool when run with the '--dnssec' flag.
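    </p><p>
      What 'rectify' computes for the two new fields, as an added Python model written for this page (not PowerDNS's own code): 'ordername' is the reversed label list for NSEC or the RFC 5155 owner-name hash for NSEC3, and 'auth' is cleared for delegation NS records and glue while the DS at the cut stays authoritative. The zone records are constructed sample data; passing the RFC 5155 Appendix A salt 'aabbccdd' with 12 iterations reproduces that appendix's hashed owner names.
    </p>

```python
import hashlib

# Constructed sample zone (not from the manual): apex, one host, one delegation with glue.
RECORDS = [("example", "SOA"), ("example", "NS"), ("www.example", "A"),
           ("sub.example", "NS"), ("sub.example", "DS"), ("ns1.sub.example", "A")]

def wire_name(name):
    """Canonical wire format: lowercase, length-prefixed labels, terminating root byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def base32hex(data):
    """RFC 4648 base32hex without padding, the encoding used for NSEC3 owner names."""
    alphabet = "0123456789abcdefghijklmnopqrstuv"
    n, bits = int.from_bytes(data, "big"), len(data) * 8
    pad = -bits % 5
    n, count = n << pad, (bits + pad) // 5
    return "".join(alphabet[(n >> (5 * (count - 1 - i))) & 31] for i in range(count))

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 hash: SHA-1(name || salt), then 'iterations' more rounds of SHA-1(digest || salt)."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)

def nsec_ordername(name, zone):
    """NSEC ordername as PowerDNS 3.x stores it: labels below the apex, reversed, space-separated."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    if name == zone:
        return ""
    return " ".join(reversed(name[: -(len(zone) + 1)].split(".")))

def is_delegated(name, zone, nsset):
    """True when 'name' is at or below a zone cut (a non-apex name that owns NS records)."""
    labels = name.lower().rstrip(".").split(".")
    ancestors = {".".join(labels[i:]) for i in range(len(labels))} - {zone.lower()}
    return bool(ancestors & nsset)

def rectify(records, zone, nsec3=None):
    """Return {(name, type): (ordername, auth)} the way rectify-zone fills the records table."""
    nsset = {n for n, t in records if t == "NS" and n.lower() != zone.lower()}
    out = {}
    for name, rtype in records:
        # Delegation NS and glue are not signed (auth=0); the DS at the cut belongs to this zone.
        auth = 0 if is_delegated(name, zone, nsset) and not (rtype == "DS" and name in nsset) else 1
        ordername = nsec3_hash(name, *nsec3) if nsec3 else nsec_ordername(name, zone)
        out[(name, rtype)] = (ordername, auth)
    return out
```

    <p>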
    </p></div><div class="section" title="3.2. From existing non-DNSSEC non-PowerDNS setups"><div class="titlepage"><div><div><h3 class="title"><a id="dnssec-bind-migration"></a>3.2. From existing non-DNSSEC non-PowerDNS setups</h3></div></div></div><p>TBD</p></div><div class="section" title="3.3. From existing DNSSEC non-PowerDNS setups, pre-signed"><div class="titlepage"><div><div><h3 class="title"><a id="dnssec-dnssec-migration-presigned"></a>3.3. From existing DNSSEC non-PowerDNS setups, pre-signed</h3></div></div></div><p>
      Industry standard signed zones can be served natively by PowerDNS, without changes. In such cases, signing
      happens externally to PowerDNS, possibly via OpenDNSSEC, ldns-sign or dnssec-sign. 
    </p><p>
      PowerDNS needs to know if a zone should receive DNSSEC processing. To configure, run 'pdnssec set-presigned zone'.
    </p><div class="warning" title="Warning" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Warning"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Warning]" src="warning.png" /></td><th align="left">Warning</th></tr><tr><td align="left" valign="top"><p>Right now, you will also need to configure NSEC(3) settings for pre-signed zones using 'pdnssec set-nsec3'. Default
    is NSEC, in which case no further configuration is necessary.</p></td></tr></table></div></div><div class="section" title="3.4. From existing DNSSEC non-PowerDNS setups, live signing"><div class="titlepage"><div><div><h3 class="title"><a id="dnssec-dnssec-migration-live"></a>3.4. From existing DNSSEC non-PowerDNS setups, live signing</h3></div></div></div><p>
      The 'pdnssec' tool features the option to import zone keys in the industry standard private key format,
      version 1.2. To import an existing KSK, use 'pdnssec import-zone-key zonename filename KSK'; replace KSK
      with ZSK for a Zone Signing Key.
    </p><p>
      If all keys are imported using this tool, a zone will serve mostly identical records to before, with
      the important change that the RRSIG inception dates will be different.
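    </p><p>
      The note below on algorithm modulation has a consequence worth checking before importing keys: the DS record in the parent covers the DNSKEY RDATA including the algorithm octet, so a key file with algorithm 7 that PowerDNS publishes as algorithm 5 no longer matches a DS generated for algorithm 7. The following added Python (not PowerDNS code) computes the key tag and DS digest of the DNSKEY as it would be published; the public key bytes are constructed, and the 5-to-7 direction of the modulation is this example's assumption, since the manual only states the 7-to-5 case.
    </p>

```python
import hashlib

def wire_name(name):
    """Canonical wire format of an owner name: lowercase, length-prefixed labels, root byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def presented_algorithm(algorithm, nsec3_configured):
    """Algorithm PowerDNS shows for an RSASHA1 key. The manual states 7 -> 5 when NSEC3 is not
    configured; 5 -> 7 when NSEC3 is configured is assumed here for symmetry."""
    if algorithm == 7 and not nsec3_configured:
        return 5
    if algorithm == 5 and nsec3_configured:
        return 7
    return algorithm

def dnskey_rdata(flags, algorithm, pubkey):
    """DNSKEY RDATA wire form (RFC 4034): flags, protocol 3, algorithm, public key."""
    return flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + pubkey

def key_tag(rdata):
    """Key tag over the RDATA (RFC 4034 Appendix B)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner, rdata):
    """DS digest type 2: SHA-256 over owner name || DNSKEY RDATA."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest()

def published_ds(owner, flags, key_file_algorithm, pubkey, nsec3_configured):
    """Key tag and DS digest a validator derives from the DNSKEY PowerDNS actually publishes."""
    rdata = dnskey_rdata(flags, presented_algorithm(key_file_algorithm, nsec3_configured), pubkey)
    return key_tag(rdata), ds_digest(owner, rdata)

# Constructed RSA public key in RFC 3110 form: exponent length 3, exponent 65537, dummy modulus.
PUBKEY = b"\x03\x01\x00\x01" + bytes(range(1, 33))
```

    Compare the pair returned for the zone's real NSEC3 setting against the DS the parent holds; a mismatch means the published key will not validate.
    <p>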
    </p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="note.png" /></td><th align="left">Note</th></tr><tr><td align="left" valign="top"><p>Within PowerDNS, the 'algorithm' for RSASHA1 keys is modulated based on the NSEC3 setting. So
    if an algorithm=7 key is imported in a zone with no configured NSEC3, it will appear as algorithm 5!</p></td></tr></table></div></div></div></body></html>