is derived from the SOA records *minimum* field. When using NSEC3, the
TTL of the NSEC3PARAM record is also derived from that field.
+.. _dnssec_presigned_records:
+
Pre-signed records
------------------
In this mode, PowerDNS serves zones that already contain DNSSEC records.
-Such zones can either be slaved from a remote master, or can be signed
-using tools like OpenDNSSEC, ldns-signzone, and dnssec-signzone.
+Such zones can either be slaved from a remote master in online signing
+mode, or can be pre-signed using tools like OpenDNSSEC, ldns-signzone,
+and dnssec-signzone.
Even in this mode, PowerDNS will synthesize NSEC(3) records itself
because of its architecture. RRSIGs of these NSEC(3) will still need to
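Review bot: In the reworded sentence under "Pre-signed records", the phrase "slaved from a remote master in online signing mode" is ambiguous: it can be read as the slave running in online signing mode, which contradicts the section's opening statement that PowerDNS here serves zones that already contain DNSSEC records. Suggest attaching the qualifier to the master, for example "slaved from a remote master that runs in online signing mode, or pre-signed using tools like ...", so it is clear that the signing happens upstream and the serving instance only passes the records on.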
is considered undesirable. In this case, consider running in pre-signed
mode.
+A slightly more complex approach is running a *hidden* master in simple
+online signing mode, but on a highly secured system unreachable for the
+public. Internet-connected slaves can then transfer the zones pre-signed
+from this master over a secure private network. This topology offers
+substantial security benefits with regards to key material while
+maintaining ease of daily operation by PowerDNS's features in online
+mode.
+
+See also :ref:`dnssec_presigned_records`.
+
Performance
-----------
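Review bot: The added hidden-master paragraph says slaves "transfer the zones pre-signed" but never states that those slaves must themselves run in pre-signed mode and hold no key material, which is the point the security argument rests on; the only hint is the trailing "See also" reference. Suggest saying so directly in the paragraph and saying what "a secure private network" is expected to provide for the transfers, since the text leaves that undefined. Two wording nits in the same paragraph: "with regards to" should be "with regard to", and "by PowerDNS's features in online mode" would read better as "through the features PowerDNS offers in online signing mode", which also matches the "online signing mode" term used earlier in the paragraph.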