[Pdns-dev] implement GSQLBackend::getDirectNSECx

Peter van Dijk peter.van.dijk at powerdns.com
Tue Feb 23 10:49:19 UTC 2016


On 22 Feb 2016, at 12:20, labs at hosting.de wrote:

> > Out of curiosity, why are you signing outside of PowerDNS instead of 
> > with PowerDNS itself?
> > ...
> > Second, have you looked at AXFRing the zones in from your signing 
> > solution, instead of mangling a presigned zone until PowerDNS likes 
> > it?
> > If you let PowerDNS do the AXFR in, all the throwing away of records 
> > etc. happens automatically.
> As described, we created a signing server only reachable internally 
> for security reasons. This means all private keys are stored on this 
> system and all signing is done there. Since pdns synthesizes the 
> DNSSEC records it is not possible, besides via AXFR, to export and 
> transfer these records. Therefore we decided to use LDNS for signing.

Understood. Of course AXFR is a fine export method, and the resulting 
file should be similar to your LDNS results.

> > Are you running into problems with the ‘synthesized’ NSEC(3)s?
> Currently we have to create those empty traversals in order to get the 
> correct NSEC records synthesized. Since signing with LDNS already 
> gives us all necessary NSEC records it would be easier to just use 
> those.

Can you clarify what you mean by empty traversals? What is your full 
procedure for serving an ldns-signed zone file with PowerDNS today?

Kind regards,
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/