[Pdns-users] Some initial large scale DNSSEC signing best practices

bert hubert bert.hubert at netherlabs.nl
Sat Jul 7 17:36:10 UTC 2012

On Fri, Jul 06, 2012 at 11:21:26AM +0200, Peter Gervai wrote:
> I welcome this message but it reminds me of mentioning that if there's a
> gathered wisdom about common pitfalls and usual possible improvements
> it may be useful to share these as most of us are not Dutch root
> registrars. ;-)

Yes - we will share our conclusions. We discovered a few things already:
 * Do NOT use PowerDNS 3.0 or 3.0.1 for large scale DNSSEC, it has too many
   bugs.  The documentation already mentions this, but we will be
   deprecating DNSSEC in 3.0 officially.

 * Various DNSSEC caches also cost memory. We encountered a signing master
   that was swapping all the time. This kills performance dead. Check if
   your (virtual) server is short on memory before signing.

 * The static PowerDNS Auth 3.1 packages for 64-bit Debian crash easily on
   Ubuntu 12.04 LTS.  This can be fixed by compiling yourself, or contact us
   for an improved binary. The crash is due to a conflict between our static
   binaries and dynamic gethostbyname NSS calls.

 * Do not secure zones which you don't run yourself! A common scenario is
   where you have company.hu still on your servers, and you are still the
   registrar, but these days company.hu hosts the domain itself on
   ns1.company.hu and ns2.company.hu

   If you decide to secure all zones in your database, you WILL create a DS
   for company.hu and give it to the HU.nic. This will kill the domain, as
   the folks on ns[12].company.hu will not have signed their zone with your

   This last thing is responsible for the slight dip in the Dutch DNSSEC
   graph on http://xs.powerdns.com/dnssec-nl-graph/

 * You seriously need to run 'pdnssec check-all-zones'. If an RR has
   one broken record in it, the entire RRSET cannot be signed. This leads
   to pain. In addition, PowerDNS sometimes reacts badly to trying to sign
   broken records.

 * Make sure your network is stable. It turns out that various versions of
   BIND respond to timeouts to your server by declaring it as not supporting
   EDNS, and thus not DNSSEC.  This in turn will disable your signed

   ISC is pondering improving the logic of BIND in this respect for DNSSEC
   signed domains, and we are in productive discussions with them on this

Please stay tuned for further 'best current practices'.


PowerDNS Website: http://www.powerdns.com/
PowerDNS Community Website: http://wiki.powerdns.com/
PowerDNS is supported and developed by Netherlabs: http://www.netherlabs.nl
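
The "do not secure zones which you don't run yourself" point above can be turned into a pre-signing check. The following is an added example, not part of the original post and not PowerDNS code: it compares each zone in the hosting database against the NS set the parent delegates to, and only approves zones served entirely by your own nameservers. The hoster.example names and the sample delegation records are constructed; in practice the NS sets would be fetched from the parent zone's servers.

```python
# Added example: decide which zones in a hosting database are safe to secure.
# All names except company.hu are hypothetical; the sample records are constructed.

OUR_NAMESERVERS = {"ns1.hoster.example", "ns2.hoster.example"}  # assumption

# Constructed parent-side delegation records in zone-file form.
SAMPLE_DELEGATIONS = """\
company.hu.      3600 IN NS ns1.company.hu.
company.hu.      3600 IN NS ns2.company.hu.
shop.example.    3600 IN NS NS1.hoster.example.
shop.example.    3600 IN NS ns2.hoster.example.
mixed.example.   3600 IN NS ns1.hoster.example.
mixed.example.   3600 IN NS ns.elsewhere.example.
"""

def norm(name):
    """DNS names compare case-insensitively; drop the trailing root dot."""
    return name.rstrip(".").lower()

def parse_delegations(text):
    """Return {zone: set of delegated nameservers} from 'owner ttl IN NS target' lines."""
    delegations = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[2].upper() == "IN" and fields[3].upper() == "NS":
            delegations.setdefault(norm(fields[0]), set()).add(norm(fields[4]))
    return delegations

def classify(zones_in_db, delegations, ours):
    """Approve a zone only when every delegated nameserver is one we operate."""
    ours = {norm(n) for n in ours}
    result = {}
    for zone in zones_in_db:
        ns = delegations.get(norm(zone), set())
        if not ns:
            result[zone] = "skip: no delegation found"
        elif ns <= ours:
            result[zone] = "sign"
        elif ns & ours:
            # A DS at the parent also breaks answers from the servers we do not run.
            result[zone] = "skip: delegation shared with servers we do not run"
        else:
            result[zone] = "skip: hosted elsewhere"
    return result

if __name__ == "__main__":
    db = ["company.hu", "shop.example", "mixed.example", "stale.example"]
    verdicts = classify(db, parse_delegations(SAMPLE_DELEGATIONS), OUR_NAMESERVERS)
    for zone, verdict in verdicts.items():
        print(f"{zone:15} {verdict}")
```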
