[Pdns-users] PowerDNSSEC Progress: ready for a first look
bert hubert
bert.hubert at netherlabs.nl
Thu Jan 6 19:00:59 UTC 2011
On Thu, Jan 06, 2011 at 11:55:24AM -0500, Mathew Hennessy wrote:
> Excellent! BTW, can PowerDNSSEC operate in the following way as one would expect:
>
> PowerDNS supermaster which has DNSSEC RRs but doesn't do DNSSEC (aka
> traditional PowerDNS) providing data to PowerDNS slaves. If you use the
> new code with a compatible backend on the slaves (such as gsqlite3), and
> your whois servers only point to those slaves, will it work?
Almost! If you did that up till just now, you would have had to run 'pdnssec
rectify-zone' on your slaves after each AXFR.
However, thank you for raising this idea, this sounds like a very valid use
case.
It has just been implemented in changeset
http://wiki.powerdns.com/trac/changeset/1819
I tested it against an ancient server, and now I have a fully
operational DNSSEC zone!
It works fully automatic on retrieving a zone for which we have local keying
material.
In this way, PowerDNSSEC can now be used to 'dnssec-ify' existing data, a
bit like 'phreebird'. http://freshmeat.net/projects/phreebird
Bert
>
> Thanks,
> = Matt
>
> On Jan 6, 2011, at 10:13, bert hubert wrote:
>
> > Dear PowerDNS Community,
> >
> > With the help of many of you, we've now brought 'PowerDNSSEC' to the point
> > where it might make sense for you to trial it on test domains. We expect to
> > make move some of our own important domains over to PowerDNSSEC early next
> > week. PowerDNS.COM underlies the commercial DNS hosting service 'Express',
> > and may have to wait a bit longer.
> >
> > To test, head over to http://www.powerdnssec.org (which of course is powered
> > by PowerDNSSEC). More information is on
> > http://wiki.powerdns.com/trac/wiki/PDNSSEC - including how to get started,
> > and how to get help.
> >
> > In brief, PowerDNSSEC will allow you to continue operating as normal in many
> > cases, with only slight changes to your installation. There is no need to
> > run signing tools, nor is there a need to rotate keys or run scripts.
> >
> > Particularly, if you run with Generic MySQL, Generic PostgreSQL or Generic
> > SQLite3, you should have an easy time. A small schema update is required,
> > plus an invocation of 'pdnssec secure-zone domain-name && pdnssec
> > rectify-zone domain-name' per domain you want to secure. And that should be
> > it.
> >
> > Supported are:
> > * NSEC
> > * NSEC3 in ordered mode (pre-hashed records)
> > * NSEC3 in narrow mode (unmodified records)
> > * Zone transfers (for NSEC)
> > * Import of 'standard' private keys from BIND/NSD
> > * Export of 'standard' private keys
> > * RSASHA1
> > * "Pure" PostgreSQL, SQLite3 & MySQL operations
> > * Hybrid BIND/PostgreSQL/SQLite3/MySQL operation
> >
> > To join the fun, download the tarball which can be found on the sites above,
> > and let us know how it works for you!
> >
> > To clarify, we do not recommend taking the current code snapshot into
> > production, but we are getting close.
> >
> > Kind regards,
> > Bert
> > _______________________________________________
> > Pdns-users mailing list
> > Pdns-users at mailman.powerdns.com
> > http://mailman.powerdns.com/mailman/listinfo/pdns-users
>
>
More information about the Pdns-users
mailing list