[Pdns-users] "fixing" bind backend DNSSEC
Aki Tuomi
cmouse at youzen.ext.b2.fi
Fri Nov 4 11:09:01 UTC 2011
The current bind backend relies on other backends to get it's keying material
for dnssec. While this is a viable option for some, it really isn't the correct
way to do this. If you want to use SQL backend for storing key material, you
can just as well use SQL backend for the zone data as well... It creates (unnecessary) dependency for dnssec backend, which requires that the dnssec backend
builder ignores bind backend when it's being used, which also makes the code
treat bind backend special.
So.
I propose to following fixes:
- Let bind backend handle the key material on it's own. It is not that
difficult to use bind tools to generate they key material to the zones
instead of SQL.
- Decouple bind backend from the dnssec backend.
- Put all the relevant options into the bind backend file
- Including TSIG keys for AXFR
- DNS key material can be fetched from the zone file's configuration
- Allow pdnssec to generate the config snippets required (such as, key
material etc.)
- Patch AXFR process to detect and enable dnssec processing for presigned
zones.
If more information is required, do not hesitate to ask.
Aki Tuomi
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20111104/0432086d/attachment.sig>
More information about the Pdns-users
mailing list