[Pdns-users] PowerDNSSEC Progress: ready for a first look

bert hubert bert.hubert at netherlabs.nl
Fri Jan 7 10:39:59 UTC 2011

On Fri, Jan 07, 2011 at 11:24:12AM +0100, Leen Besselink wrote:
> A (possibly hidden) supermaster which does all the DNSSEC signing and
> the superslaves which only do
> zone-transfers and no online DNSSEC-signing but do understand enough of
> the protocol to be able to serve it.

This scenario is supported with the PowerDNS hidden master, but the slaves
will need to be passive in this case. I recommend NSD.

PowerDNS can serve valid signed zones over AXFRs for NSEC and NSEC3
non-narrow zones (ok, for NSEC3 it is broken right now, but that can be

> I ask this because I have a feeling not everyone wants their private key
> material in several physical locations or
> do not yet want to be hindered by the DNSSEC-performance of the
> current release for their public authoritative
> servers.

This is not the current operational mode of PowerDNSSEC. This may change in
the future. 

> But there is one part I'm missing: a way to hook up an EPP-client for
> sending the DS-record to the parent-zone.

This could be added to pdnssec perhaps - is there an EPP spec somewhere? 
'pdnssec push-zone-ds powerdnssec.org epp.sidn.nl' ?

It would probably need authentication tokens too etc.

> Are there too many TLDs that do not have the needed EPP-extensions at
> this time? Or are there too many different
> authentication schemes? Probably worse, I guess for some people they
> have registrars in between. And some
> currently have EPP, but probably not many have DNSSEC yet.

As far as I know, almost nobody has a decent DS submission gateway
standardized right now. But oddly enough, I know very little about registry
operations, so I could very well be wrong.

