[Pdns-dev] implement GSQLBackend::getDirectNSECx
Peter van Dijk
peter.van.dijk at powerdns.com
Tue Feb 23 10:49:19 UTC 2016
Hello,
On 22 Feb 2016, at 12:20, labs at hosting.de wrote:
> > Out of curiosity, why are you signing outside of PowerDNS instead of
> > with PowerDNS itself?
> > ...
> > Second, have you looked at AXFRing the zones in from your signing
> > solution, instead of mangling a presigned zone until PowerDNS likes
> > it?
> > If you let PowerDNS do the AXFR in, all the throwing away of records
> > etc. happens automatically.
>
> As described, we created a signing server only reachable internally
> for security reasons. This means all private keys are stored on this
> system and all signing is done there. Since pdns synthesizes the
> DNSSEC records it is not possible, besides via AXFR, to export and
> transfer these records. Therefore we decided to use LDNS for signing.
Understood. Of course AXFR is a fine export method, and the resulting
file should be similar to your LDNS results.
> > Are you running into problems with the ‘synthesized’ NSEC(3)s?
>
> Currently we have to create those empty traversals in order to get the
> correct NSEC records synthesized. Since signing with LDNS already
> gives us all necessary NSEC records it would be easier to just use
> those.
Can you clarify what you mean by empty traversals? What is your full
procedure for serving an ldns-signed zone file with PowerDNS today?
Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
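The thread turns on the ordering data an authoritative server needs before it can synthesize NSEC(3) records: the canonical order of owner names and, for NSEC3, the empty non-terminals that own no RRset but still get a hashed name in the chain. Assuming the "empty traversals" mentioned in the reply are those empty non-terminals (an assumption; the thread does not define the term), the Python below is an added, stand-alone illustration of that bookkeeping. It is not PowerDNS, pdnsutil or ldns code: it orders a constructed set of owner names canonically, derives the empty non-terminals from the zone apex, and builds both an NSEC chain (which skips empty non-terminals) and an NSEC3 chain (which includes them), using the NSEC3 hash parameters from RFC 5155 Appendix A so the hashes can be checked against the RFC text.

```python
"""Canonical ordering, empty non-terminals (ENTs) and NSEC/NSEC3 chains.

Added example; this is not PowerDNS, pdnsutil or ldns code. It models the
ordering data an authoritative server needs to synthesize NSEC(3) records
and shows why ENTs must exist before an NSEC3 chain can be built.
Names are absolute, dotted strings; the sample zone below is constructed.
"""
import base64
import hashlib

_B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_B32HEX = str.maketrans(_B32, _B32HEX)


def labels(name):
    """Split an absolute name into lowercase labels (root label dropped)."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def normalize(name):
    return ".".join(labels(name)) + "."


def canonical_key(name):
    """RFC 4034 s6.1 canonical order: compare labels right to left,
    lowercase; a parent name sorts before its children."""
    return tuple(reversed(labels(name)))


def canonical_order(names):
    return sorted({normalize(n) for n in names}, key=canonical_key)


def empty_non_terminals(names, zone):
    """Names below the apex that own no RRset but have descendants that do."""
    depth = len(labels(zone))
    present = {tuple(labels(n)) for n in names}
    ents = set()
    for n in names:
        ls = labels(n)
        # walk up from the name towards the apex; any missing ancestor is an ENT
        for i in range(1, len(ls) - depth):
            parent = tuple(ls[i:])
            if parent not in present:
                ents.add(".".join(parent) + ".")
    return canonical_order(ents)


def nsec_chain(names):
    """NSEC: only names owning data get an NSEC record (RFC 4035 s2.3),
    so ENTs are not part of the chain. Returns owner -> next owner."""
    ordered = canonical_order(names)
    return {ordered[i]: ordered[(i + 1) % len(ordered)]
            for i in range(len(ordered))}


def wire_name(name):
    """Uncompressed wire format of a lowercased name (RFC 5155 s5)."""
    return b"".join(bytes([len(lab)]) + lab.encode("ascii")
                    for lab in labels(name)) + b"\x00"


def nsec3_hash(name, salt, iterations):
    """SHA-1 applied iterations+1 times over name||salt, as base32hex."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 bytes encode to exactly 32 base32 characters, so no padding to strip
    return base64.b32encode(digest).decode("ascii").translate(_TO_B32HEX).lower()


def nsec3_chain(names, zone, salt, iterations):
    """NSEC3: ENTs are covered too (RFC 5155 s7.1), so they must be added
    before hashing. Returns hashed owner -> next hashed owner."""
    owners = set(canonical_order(names)) | set(empty_non_terminals(names, zone))
    hashed = sorted(nsec3_hash(n, salt, iterations) for n in owners)
    return {hashed[i]: hashed[(i + 1) % len(hashed)] for i in range(len(hashed))}


# Constructed sample: a subset of the RFC 5155 Appendix A zone, with that
# appendix's NSEC3 parameters (SHA-1, 12 iterations, salt aabbccdd).
ZONE = "example."
SAMPLE_NAMES = ["example.", "a.example.", "ai.example.", "ns1.example.",
                "ns2.example.", "*.w.example.", "x.w.example.", "x.y.w.example."]
SALT = bytes.fromhex("aabbccdd")
ITERATIONS = 12

if __name__ == "__main__":
    print("ENTs:", empty_non_terminals(SAMPLE_NAMES, ZONE))
    for owner, nxt in nsec_chain(SAMPLE_NAMES).items():
        print(f"{owner} NSEC {nxt}")
    for h, nxt in nsec3_chain(SAMPLE_NAMES, ZONE, SALT, ITERATIONS).items():
        print(f"{h}.{ZONE} NSEC3 {nxt}")
```

The NSEC chain has eight entries and never mentions w.example. or y.w.example., while the NSEC3 chain has ten because those two empty non-terminals get hashed owners of their own; a presigned zone that lacks them cannot produce a complete NSEC3 chain, which is the kind of gap that has to be filled before the server's ordering data is usable.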