[Pdns-users] PowerDNSSEC Progress: ready for a first look
bert hubert
bert.hubert at netherlabs.nl
Fri Jan 7 10:39:59 UTC 2011
On Fri, Jan 07, 2011 at 11:24:12AM +0100, Leen Besselink wrote:
> A (possibly hidden) supermaster which does all the DNSSEC signing and
> the superslaves which only do
> zone-trasfers and no online DNSSEC-signing but do understand enough of
> the protocol to be able to serve it.
This scenario is supported with the PowerDNS hidden master, but the slaves
will need to be passive in this case. I recommend NSD.
PowerDNS can serve valid signed zones over AXFRs for NSEC and NSEC3
non-narrow zones (ok, for NSEC3 it is broken right now, but that can be
fixed).
> I ask this because I have a feeling not everyone wants their private key
> material in several physical locations or
> do not yet want to be hindered by the the DNSSEC-performance of the
> current release for their public authoritive
> servers.
This is not the current operational mode of PowerDNSSEC. This may change in
the future.
> But their is one part I'm missing a way to hook up an EPP-client for
> sending the DS-record to the parent-zone.
This could be added to pdnssec perhaps - is there an EPP spec somewhere?
'pdnssec push-zone-ds powerdnssec.org epp.sidn.nl' ?
It would probably need authentication tokens too etc.
> Are their to many TLD's that do not have the needed EPP-extensions at
> this time ? Or are their to many different
> authentication scheme's ? Probably worse, I guess for some people they
> have registrars in between. And some
> currently have EPP, but probably not many have DNSSEC yet.
As far as I know, almost nobody has a decent DS submission gateway
standardized right now. But oddly enough, I know very little about registry
operations, so I could very well be wrong.
Bert
More information about the Pdns-users
mailing list