[Pdns-users] PowerDNS & DNSSEC!

bert hubert bert.hubert at netherlabs.nl
Wed Jul 15 17:58:25 UTC 2009

Hi everybody,

I've seen the discussion on the list, and I've had more questions
off-list about DNSSEC, DNSCurve and the quality and desirability of
these protocols. In the message below, I want to share some of my
thoughts on this, and then I kindly request everyone to have this
discussion elsewhere. I'll explain.

Briefly - PowerDNS is not and has never been a 'political' project.
While I have personally worked hard for most of a decade at
pointing out the problems of DNSSEC on the various IETF lists,
PowerDNS ultimately needs to serve the needs of its users:
individuals, organizations and corporations.

For better or worse, implementing DNSSEC has become 'mandatory' in
many circles. Not having it on the roadmap has become a liability. It
is also a risk for the individuals that have advocated PowerDNS within
their organizations - they might be accused of having backed the wrong

PowerDNS is technology, and not a political action front.

And because of that, and because the DNSSEC efforts are gathering
pace, we have to make sure that PowerDNS users will not be left out.

I'll be posting more thoughts on http://blog.netherlabs.nl shortly,
but I kindly request that people not turn this mailing list into yet another
discussion about the merits of DNSSEC.


PS: http://www.powerdnssec.org has been updated to reflect new
features of the experimental DNSSEC code. Spread the word!

On Wed, Jul 15, 2009 at 7:27 PM, Leen Besselink <leen at consolejunkie.net> wrote:
> On Thu, Jul 16, 2009 at 03:08:33AM +1000, Duane at e164 dot org wrote:
>> Stephane Bortzmeyer wrote:
> Hi Duane and Stephane,
>> > On Wed, Jul 15, 2009 at 02:59:58AM +1000,
>> >  Duane at e164 dot org <duane at e164.org> wrote
>> >  a message of 62 lines which said:
>> >
>> >> On the other hand do you know of any "exciting" development with DNScurve?
>> >
>> > What's the relationship? DNSSEC secures the data, DNScurve the channel
>> > (like TLS, IPsec, TSIG, etc). So, DNScurve is not a replacement for
>> > DNSSEC, for instance, it does not protect against a rogue resolver (or
>> > secondary name server).
>> DNSSEC doesn't provide privacy, DNScurve is supposed to provide both
>> verification and privacy, but since there is no implementation there has
>> been little discussion on it which is unfortunate.
>> Just like there are a lot of reasons for privacy of web sessions the
>> powers that be don't want to offer users the same privacy for their DNS
>> requests.
