3. Migration

3.1. From an existing PowerDNS installation
3.2. From existing non-DNSSEC non-PowerDNS setups
3.3. From existing DNSSEC non-PowerDNS setups, pre-signed
3.4. From existing DNSSEC non-PowerDNS setups, live signing

This chapter discusses various migration strategies, from existing PowerDNS setups, from existing unsigned installations and finally from previous non-PowerDNS DNSSEC deployments.

3.1. From an existing PowerDNS installation

To migrate an existing database-backed PowerDNS installation, a few changes must be made to the database schema. First, the records table gains two new fields: 'auth' and 'ordername'. Some data in a zone, like glue records, should not be signed, and this is signified by setting 'auth' to 0.

Warning

Once the database schema has been updated, and the relevant 'gsql-dnssec' switch has been set, stricter rules apply for filling out the database! The short version is: run pdnssec rectify-zone on all zones, even those not secured with DNSSEC!

Additionally, NSEC, and NSEC3 in non-narrow mode, require ordering data to perform (hashed) denial of existence. The 'ordername' field is used for this purpose.

Finally, two new tables are needed. DNSSEC keying material is stored in the 'cryptokeys' table (in a portable standard format). Domain metadata is stored in the 'domainmetadata' table. This includes NSEC3 settings.

Once the database schema has been changed for DNSSEC usage (see the relevant backend chapters or the PowerDNSSEC wiki for the update statements), the 'pdnssec' tool can be used to fill out keying details, and 'rectify' the auth and ordername fields.

In short, 'pdnssec secure-zone powerdnssec.org ; pdnssec rectify-zone powerdnssec.org' will deliver a correctly NSEC signed zone.

The 'zone2sql' import tool delivers the same result when run with the '--dnssec' flag.
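To make concrete what 'rectify-zone' has to compute for the 'auth' and 'ordername' fields, here is an added model of that step (example code, not PowerDNS's own). The canonical name ordering (RFC 4034 section 6.1) and the NSEC3 hash (RFC 5155 section 5) are implemented exactly and checked against the RFC 5155 Appendix A vectors; the space-separated reversed-label encoding used for the NSEC 'ordername', the 'None' marker for glue, and the sample zone records are assumptions made for this example.

```python
"""Model of the auth / ordername computation behind 'pdnssec rectify-zone'.

Added example, not PowerDNS code. The rules are taken from the chapter:
data at or below a delegation (glue, and the NS set at the cut) is not
authoritative, except the DS at the cut; NSEC needs canonical ordering,
NSEC3 needs the hashed owner name. The exact ordername encoding PowerDNS
stores is an assumption here (reversed labels, space separated).
"""
import base64
import hashlib

# base32 -> base32hex alphabet (RFC 4648 section 7), used for NSEC3 owner names
_B32_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                 b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def labels(name):
    """Lowercase labels of a (possibly absolute) name, left to right."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def norm(name):
    """Normalised relative form used as a key: lowercase, no trailing dot."""
    return ".".join(labels(name))


def wire_name(name):
    """Canonical wire form: lowercase length-prefixed labels plus a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in labels(name)) + b"\x00"


def canonical_key(name):
    """Sort key for RFC 4034 section 6.1 canonical order (labels right to left)."""
    return tuple(l.encode() for l in reversed(labels(name)))


def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 section 5: SHA1(x || salt), iterated, base32hex, lowercase."""
    h = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base64.b32encode(h).translate(_B32_TO_B32HEX).decode().lower()


def nsec_ordername(zone, name):
    """Assumed NSEC ordername: labels below the apex, reversed, space separated.

    String order of these values matches canonical order because ' ' sorts
    below every character a label can contain.
    """
    rel = labels(name)[: len(labels(name)) - len(labels(zone))]
    return " ".join(reversed(rel))


def rectify(zone, records, mode="nsec", salt=b"", iterations=0):
    """Return [(name, type, rdata, auth, ordername)] for a list of (owner, type, rdata).

    ordername is None for glue (names strictly below a delegation), which is
    not part of the denial-of-existence chain.
    """
    zone = norm(zone)
    cuts = {norm(n) for n, t, _ in records if t == "NS" and norm(n) != zone}
    out = []
    for owner, rtype, rdata in records:
        name = norm(owner)
        at_cut = name in cuts
        below_cut = any(name.endswith("." + c) for c in cuts)
        auth = 0 if ((at_cut and rtype != "DS") or below_cut) else 1
        if below_cut:
            ordername = None
        elif mode == "nsec3":
            ordername = nsec3_hash(name, salt, iterations)
        else:
            ordername = nsec_ordername(zone, name)
        out.append((name, rtype, rdata, auth, ordername))
    return out


def chain_order(rectified):
    """Distinct names in the order the NSEC/NSEC3 chain links them (by ordername)."""
    by_name = {n: o for n, _, _, _, o in rectified if o is not None}
    return sorted(by_name, key=lambda n: by_name[n])


ZONE = "example"
# Constructed sample zone; owner names follow the RFC 5155 Appendix A zone so
# the NSEC3 hashes can be compared with that appendix. DS digest is a placeholder.
RECORDS = [
    ("example", "SOA", "ns1.example. bugs.x.w.example. 1 3600 300 3600000 3600"),
    ("example", "NS", "ns1.example."),
    ("example", "NS", "ns2.example."),
    ("ns1.example", "A", "192.0.2.1"),
    ("ns2.example", "A", "192.0.2.2"),
    ("a.example", "NS", "ns1.a.example."),          # delegation point
    ("a.example", "DS", "58470 5 1 DIGEST-PLACEHOLDER"),
    ("ns1.a.example", "A", "192.0.2.5"),            # glue, auth=0, no ordername
    ("ai.example", "A", "192.0.2.9"),
    ("w.example", "MX", "1 ai.example."),
    ("*.w.example", "MX", "1 ai.example."),
    ("x.w.example", "MX", "1 xx.example."),
    ("x.y.w.example", "MX", "1 xx.example."),
    ("y.w.example", "A", "192.0.2.10"),
]

if __name__ == "__main__":
    for mode in ("nsec", "nsec3"):
        print(f"--- {mode} ---")
        for row in rectify(ZONE, RECORDS, mode, bytes.fromhex("aabbccdd"), 12):
            print(row)
```

In NSEC mode the chain order derived from 'ordername' is exactly the canonical order of the zone's names; in NSEC3 mode it is the order of the hashed names, which is why the two modes need different 'ordername' contents and why changing NSEC3 settings means rectifying again.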

3.2. From existing non-DNSSEC non-PowerDNS setups

TBD

3.3. From existing DNSSEC non-PowerDNS setups, pre-signed

Industry standard signed zones can be served natively by PowerDNS, without changes. In such cases, signing happens externally to PowerDNS, possibly via OpenDNSSEC, ldns-sign or dnssec-sign.

PowerDNS needs to know if a zone should receive DNSSEC processing. To mark a zone as pre-signed, run 'pdnssec set-presigned zone'.

Warning

Right now, you will also need to configure NSEC(3) settings for pre-signed zones using 'pdnssec set-nsec3'. The default is NSEC, in which case no further configuration is necessary.

3.4. From existing DNSSEC non-PowerDNS setups, live signing

The 'pdnssec' tool features the option to import zone keys in the industry standard private key format, version 1.2. To import an existing KSK, use 'pdnssec import-zone-key zonename filename KSK', replacing KSK with ZSK for a Zone Signing Key.

If all keys are imported using this tool, a zone will serve records that are mostly identical to those it served before, with the important change that the RRSIG inception dates will be different.

Note

Within PowerDNS, the 'algorithm' for RSASHA1 keys is modulated based on the NSEC3 setting. So if an algorithm=7 key is imported in a zone with no configured NSEC3, it will appear as algorithm 5!