[Pdns-users] "fixing" bind backend DNSSEC

Aki Tuomi cmouse at youzen.ext.b2.fi
Fri Nov 4 11:09:01 UTC 2011


The current bind backend relies on other backends to get its keying material
for dnssec. While this is a viable option for some, it really isn't the correct
way to do this. If you want to use SQL backend for storing key material, you
can just as well use SQL backend for the zone data as well... It creates an
(unnecessary) dependency for dnssec backend, which requires that the dnssec
backend builder ignores bind backend when it's being used, which also makes the
code treat bind backend special.

So.

I propose the following fixes:

  - Let bind backend handle the key material on its own. It is not that
    difficult to use bind tools to generate the key material to the zones
    instead of SQL.

  - Decouple bind backend from the dnssec backend.

  - Put all the relevant options into the bind backend file 
    - Including TSIG keys for AXFR

  - DNS key material can be fetched from the zone file's configuration 
   
  - Allow pdnssec to generate the config snippets required (such as, key 
    material etc.)
  
  - Patch AXFR process to detect and enable dnssec processing for presigned
    zones. 

If more information is required, do not hesitate to ask. 

Aki Tuomi