Introduction
You may sometimes need to manually synchronize the DNSSEC keys across a DNS cluster. This article explains how to do that.
Procedure
Use the /scripts/dnssec-cluster-keys script to synchronize the keys. Here is the script's help menu:
    [root@server]# /scripts/dnssec-cluster-keys --help
    NAME
        dnssec-cluster-keys

    SYNOPSIS
        dnssec-cluster-keys [--sync|--revoke] [--zone=] [--tag=] {--nolocal} {--rebuild-cache}

        Options:
            --sync           Action to sync keys to the cluster.
            --revoke         Action to revoke keys from the cluster.
            --zone           Required. The zone to take action on.
            --tag            Required for revoke. Optional for sync.
                             If not defined during a sync, all active keys will be used
                             Multiple tags can be defined.
            --nolocal        Optional. Do not perform the action on the local server.
                             Useful for testing.
            --rebuild-cache  Rebuild the local cache of domains with DNSSEC enabled.

        Examples:
            Sync all currently active DNSSEC keys:
                ./dnssec-cluster-keys --sync --zone=example.zone

            Sync only specific DNSSEC keys. If any of the keys are disabled locally, they will be enabled.
                ./dnssec-cluster-keys --sync --zone=example.zone --tag=46547 --tag=31016 --tag=44233

            Revoke specific DNSSEC keys from the cluster. WARNING: This will delete the keys locally also.
                ./dnssec-cluster-keys --revoke --zone=example.zone --tag=46547 --tag=31016 --tag=44233

            Revoke a DNSSEC key from the cluster, but keep the local copy.
                ./dnssec-cluster-keys --revoke --zone=example.zone --tag=12345 --nolocal

    DESCRIPTION
        This script is used to manage DNSSEC keys in a cPanel cluster. You must be
        using PowerDNS as a nameserver, cPanel DNS clustering must be enabled, and
        have root privileges. This script provides two actions, sync and revoke.
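
A check to run after a sync, given here as an added example that is not part of cPanel's script: it pulls the key tags out of `dig +multi DNSKEY` output for each nameserver and flags any cluster member whose set differs from the reference. The nameserver names ns1 and ns2 and the sample dig output are constructed, and the function names are hypothetical; the tags are borrowed from the help text's examples.

```shell
#!/bin/sh
# Added example (not part of cPanel): verify every cluster member serves the same DNSKEY tags.

# Read `dig +multi DNSKEY` output on stdin; print the sorted, unique key tags on one line.
# dig +multi annotates each key with a trailing comment ending in "key id = <tag>".
key_tags() {
    sed -n 's/.*key id = \([0-9][0-9]*\).*/\1/p' | sort -n -u | paste -sd' ' -
}

# Live use (needs dig and network access): key tags one nameserver serves for a zone.
query_tags() {  # usage: query_tags <zone> <nameserver>
    dig +multi +norecurse DNSKEY "$1" "@$2" | key_tags
}

# compare_tags <reference-tags> <name=tags>...
# Prints one DRIFT line per node whose tag set differs; returns 1 if any differ.
compare_tags() {
    ct_ref=$1; ct_rc=0; shift
    for ct_pair in "$@"; do
        if [ "${ct_pair#*=}" != "$ct_ref" ]; then
            echo "DRIFT ${ct_pair%%=*}: has [${ct_pair#*=}] expected [$ct_ref]"
            ct_rc=1
        fi
    done
    return "$ct_rc"
}

# Constructed sample output (key material replaced by a placeholder).
SAMPLE_NS1='example.zone. 3600 IN DNSKEY 257 3 13 (
                PLACEHOLDERKEYDATA
                ) ; KSK; alg = ECDSAP256SHA256 ; key id = 46547
example.zone. 3600 IN DNSKEY 256 3 13 (
                PLACEHOLDERKEYDATA
                ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 31016'
# ns2 is missing the ZSK, as it would be if a sync had not reached it.
SAMPLE_NS2='example.zone. 3600 IN DNSKEY 257 3 13 (
                PLACEHOLDERKEYDATA
                ) ; KSK; alg = ECDSAP256SHA256 ; key id = 46547'

ref=$(printf '%s\n' "$SAMPLE_NS1" | key_tags)
ns2=$(printf '%s\n' "$SAMPLE_NS2" | key_tags)
compare_tags "$ref" "ns1=$ref" "ns2=$ns2" || echo "key sets differ across the cluster"
```

Against a live cluster, build each `name=tags` argument with `query_tags`, using the local server's tags as the reference.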