[Pdns-users] Statement on EDNS, DNSSEC and PowerDNS.
bert.hubert at netherlabs.nl
Fri Mar 19 12:50:42 UTC 2010
Just to clarify, EDNS for DNSSEC is only a requirement for:
1) high performance DNSSEC operation, or
2) DNSSEC operation in case TCP/IP is not available.
In an understandable effort to "make the world safe for DNSSEC", BIND has
been sending DNSSEC-enabled questions *by default* for a long time now
The upshot of this default BIND DNSSEC behaviour is that any BIND user that
cannot do EDNS will pretty soon have to fall back to TCP/IP a lot. And since
TCP/IP is not always available for DNS, a significant percentage of BIND
users may "go dark" if they can't do EDNS once the root is signed with
However, since PowerDNS does not ask DNSSEC questions by default, this
situation does not apply to PowerDNS users.
More specifically, if you run the suggested tests that can help you
determine if you "will have problems with the signed root" the results do
NOT apply to PowerDNS, but only to BIND (and probably Unbound).
On Fri, Mar 19, 2010 at 08:13:42AM -0400, Curtis Maurand wrote:
> Its my understanding that EDNS is going to be required to exchange
> keys properly for DNSSEC. Am I wrong? Is EDNS going to be a
> requirement in the future?
> Thanks in advance,
> On 3/18/2010 8:40 PM, Michael Fincham wrote:
> >Hi Bert,
> >Thanks for the expedient and comprehensive reply.
> >On Thu, 2010-03-18 at 06:45 +0100, bert hubert wrote:
> >>The 'nothing but trouble' refers to the surprisingly large number of servers
> >>that when queried with EDNS on, either provide no answer, return a SERVFAIL
> >>or a malformed answer.
> >As it turns out, my testing has shown that at least one important
> >NZ-based government website falls in to this category :(
> >>I hope the above answers your questions.
> >Sure did, cheers.
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
More information about the Pdns-users