DNSSEC support in PowerDNS plugin
Continuing from #4613 (closed), we have successfully extended the PowerDNS plugin to provide DNSSEC support. The dnssec_info box shows the DS keys (and KSK, which is required for .nl). In our efforts we have tried to match the behaviour for the BIND plugin as much as possible, to keep things consistent. There is just one final question to solve before we open the pull request.
In the BIND plugin, if you uncheck the Sign zone (DNSSEC)
checkbox, the key files are not deleted. Only the .signed
file is deleted. If you re-enable the checkbox again, the existing keys will be used. This is also denoted by the text at the checkbox, stating:
(When disabling DNSSEC keys are not going to be deleted if DNSSEC was enabled before and keys already have been generated but the zone will no longer be delievered in signed format afterwards.)
Unfortunately this behaviour is problematic to implement with PowerDNS, because when you run pdnssec disable-dnssec
it actually deletes the keys too. So if you re-enable it afterwards, you will have new keys and your dnssec configuration will be invalid.
There are several options we can think of:
a. Export the key to text files when disabling, and import them when re-enabling
b. De-activate the keys instead of running disable-dnssec
- but this is problematic if you have any inactive keys for rotation. So in this case we would also somehow need to remember the key ID's which we de-activated, so we know which ones to re-activate
c. Change the text message to a warning that existing keys will be deleted if you are using PowerDNS. This is the simplest and most concise solution, because it matches how PowerDNS works. But I don't know if this is possible to do, since the template is the same for both BIND and PowerDNS. So we would somehow need to know in the dns_soa_edit.htm
template, what kind of DNS server we are operating on.
So in short the question is: how do you guys think we should deal with this 'disable' checkbox? What is the expected behaviour, and how important is it for the project to keep behaviour here the same for BIND and PowerDNS? We have a preference for option C. Do you guys agree, or do you see other possibilities?
Thank you in advance.
Edit: one more option comes to mind... how about a confirmation dialog when disabling DNSSEC, warning you that you must remove DS records first (and wait for caching DNS servers to forget those too)?