[Pdns-dev] Re: [Pdns-users] 2.9.22-rc1 coming up!

Leen Besselink leen at wirehub.nl
Mon Nov 17 09:55:48 CET 2008

On Sun, Nov 16, 2008 at 09:44:52PM +0100, bert hubert wrote:
> Hi everybody,

Hi Bert and others,

>        DNSSEC records were part of 2.9.21, but were not actually
>        hooked up. Please note that while PowerDNS can serve most
>        DNSSEC records, it does not do DNSSEC processing.
>        Implemented in 1046.

I have a question concerning these.

There has been a lot of publications where Bert says something like:

DNSSEC is a lot of effort and very complicated and people are going to
mess it up and thus will cause a lot of interresting problems, probably
more then it solves.

And there are possible better alternatives.

But it now seems it's going to happen anyway, the root will possible get
signed, SIDN (.nl) said will roll it out in 2009. I think .org already has,
.gov is working on it, .de is experimenting.

So just to get an idea about what is up with DNSSEC and PowerDNS, it
can serve them only, right ? If it doesn't do the rest, why is that usefull ?
As a hidden-master ?

I've not read all the RFC's, but the processing you mentioned is for 'things
that do not exist in the zone', right ?

If I remember correctly, you'll have to find the nearest NSEC3-record
(which I think can/should probably be precomputed, 1 record per 'gap').

Which probably sucks for a lot of (for exaple SQL-based) backends for PowerDNS ?

I've been thinking about this and I was thinking, if it should be implemented,
there is probably just one way, that I could think of, that would be a
efficient/good way.

Use super-slaves with bind-backend and support DNSSEC-processing for the
bind-backend that uses a SQL-based hidden suport-master.

Because I presume the bind-backend keeps the zone sorted in memory and
thus knows where the 'gaps' are.

There are probably things I don't know yet, but that's exactly why I'm
sending this e-mail.

Kind regards,
	Leen Besselink.

More information about the Pdns-dev mailing list