# DNSSEC fix

Check whether the DNSKEY records for the given domains are the same on the primary and
the secondary DNS server; if not, push the zone by updating the SOA record of
that zone with a serial built from the current date and a running number.

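As an added illustration (not the dnssec-fix script itself), the check-and-bump logic in plain Python: the DNSKEY comparison and the YYYYMMDDnn serial computation, run on constructed data with the network lookup and the PowerDNS database update left out. How to handle a day with 99 pushes, or a serial that is already past today's date form, is my assumption; the README does not say.

```python
"""Added illustration of the check-and-bump logic; not the dnssec-fix script.
Inputs are the DNSKEY rdata strings and the SOA serial a resolver would return,
so it runs offline on constructed data (no network, no database update)."""
from datetime import date


def dnskey_sets_match(primary_keys, secondary_keys):
    """True when both servers publish the same DNSKEY RRset.
    Each item is a DNSKEY rdata string ("flags protocol algorithm base64").
    Record order and whitespace differences are ignored; the key material
    itself is compared exactly (base64 is case-sensitive)."""
    def norm(rr):
        return " ".join(rr.split())
    return {norm(k) for k in primary_keys} == {norm(k) for k in secondary_keys}


def next_serial(current, today=None):
    """SOA serial to push, in YYYYMMDDnn form (current date + running number).
    A secondary only transfers the zone when the serial is larger (in RFC 1982
    serial arithmetic) than the one it holds, so the result always advances.
    The two fallback cases below are an assumption, not from the README."""
    today = today or date.today()
    base = int(today.strftime("%Y%m%d")) * 100  # YYYYMMDD00
    if current < base:
        return base + 1           # first push of the day: YYYYMMDD01
    if current < base + 99:
        return current + 1        # same day: bump the running number
    # 99 pushes today, or the zone already uses a larger (non-date) serial:
    # plain increment so the serial still advances, wrapping at 2^32
    return (current + 1) % (1 << 32)


def plan_push(primary_keys, secondary_keys, current_serial, today=None):
    """Return the new serial to write into the SOA, or None if no push is needed."""
    if dnskey_sets_match(primary_keys, secondary_keys):
        return None
    return next_serial(current_serial, today)


if __name__ == "__main__":
    # Constructed sample data: fake key material, not real DNSKEY records.
    primary = ["257 3 13 Q09OU1RSVUNURUQtS1NL", "256 3 13 Q09OU1RSVUNURUQtWlNL"]
    secondary = ["256 3 13 Q09OU1RSVUNURUQtT0xELVpTSw=="]  # stale zone: old ZSK only
    new = plan_push(primary, secondary, 2026021101, date(2026, 2, 12))
    print("no push needed" if new is None else f"push example.org. with serial {new}")
```
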
## Prerequisites

- PowerDNS authoritative server
- MySQL/MariaDB backend, and the ability to give the dnssec-fix script access to it
- uv (a fantastic package manager for Python)

## Security

The script needs to be able to reach all the nameservers listed in the config,
and needs an account on the MySQL/MariaDB server that has the SELECT and UPDATE
privileges on the records table of the PowerDNS database.

## Future ideas

Or ideas for the future...

- convert to Django for more features:
  - better logging
  - delayed action (only publish new SOA records after three mis-lookups in a row)
  - better configurability
- more detailed error handling: recognize timeouts and don't react to them as if
  the script got "wrong" data
- get the list of nameservers from DNS instead of a config file (more correct for
  zones with varying nameserver configurations)

## License

This isn't a big script. It isn't a complicated script either. Actually it's more
of a hack. So I license this code with the 3-clause BSD license.

Michael Hinz - 2026-02-12