[Pdns-users] Some initial large scale DNSSEC signing best practices
bert hubert
bert.hubert at netherlabs.nl
Sat Jul 7 18:13:47 UTC 2012
These best practices can now also be found (& edited) on
http://wiki.powerdns.com/trac/wiki/LargeScaleDNSSECBCP
Bert
On Sat, Jul 07, 2012 at 07:36:10PM +0200, bert hubert wrote:
> On Fri, Jul 06, 2012 at 11:21:26AM +0200, Peter Gervai wrote:
> > I welcome this message but reminds me of mentioning that if there's a
> > gathered wisdom about common pitfalls and usual possible improvements
> > it may be useful to share these as most of us are not dutch root
> > registrars. ;-)
>
> Yes - we will share our conclusions. We discovered a few things already:
>
> * Do NOT use PowerDNS 3.0 or 3.0.1 for large scale DNSSEC, it has too many
> bugs. The documentation already mentions this, but we will be
> deprecating DNSSEC in 3.0 officially.
>
> * Various DNSSEC caches also cost memory. We encountered a signing master
> that was swapping all the time. This kills performance dead. Check if
> your (virtual) server is short on memory before signing.
>
> * The static PowerDNS Auth 3.1 packages for 64-bit Debian crash easily on
> Ubuntu 12.04 LTS. This can be fixed by compiling yourself, or contact us
> for an improved binary. The crash is due to a conflict between our static
> binaries and dynamic gethostbyname NSS calls.
>
> * Do not secure zones which you don't run yourself! A common scenario is
> where you have company.hu still on your servers, and you are still the
> registrar, but these days company.hu hosts the domain itself on
> ns1.company.hu and ns2.company.hu
>
> If you decide to secure all zones in your database, you WILL create a DS
> for company.hu and give it to the HU.nic. This will kill the domain, as
> the folks on ns[12].company.hu will not have signed their zone with your
> key!
>
> This last thing is responsible for the slight dip in the Dutch DNSSEC
> graph on http://xs.powerdns.com/dnssec-nl-graph/
>
> * You seriously need to run 'pdnssec check-all-zones'. If an RRset has
> one broken record in it, the entire RRset cannot be signed. This leads
> to pain. In addition, PowerDNS sometimes reacts badly to trying to sign
> broken records.
>
> * Make sure your network is stable. It turns out that various versions of
> BIND respond to timeouts to your server by declaring it as not supporting
> EDNS, and thus not DNSSEC. This in turn will disable your signed
> domains!
>
> ISC is pondering improving the logic of BIND in this respect for DNSSEC
> signed domains, and we are in productive discussions with them on this
> subject.
>
> Please stay tuned for further 'best current practices'.
>
> Bert
>
> --
> PowerDNS Website: http://www.powerdns.com/
> PowerDNS Community Website: http://wiki.powerdns.com/
> PowerDNS is supported and developed by Netherlabs: http://www.netherlabs.nl
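The "do not secure zones which you don't run yourself" pitfall above can be caught before any key is generated by comparing each zone's apex NS set against your own nameservers. The script below is an added example, not code from the post or from PowerDNS; the nameserver names and sample zones are constructed, and the `pdnssec check-zone` / `secure-zone` subcommands it prints are the pdnssec 3.x ones.

```python
# Added example: decide which zones in the database are actually ours to
# sign. Only a zone whose whole apex NS set points at our own servers is safe
# to sign and to hand a DS to the parent for; everything else is skipped
# with a reason, so the company.hu scenario from the post never produces a DS.

OUR_NAMESERVERS = {"ns1.registrar.example.", "ns2.registrar.example."}  # assumption


def canon(name):
    """Lower-case and make the name absolute so NS targets compare reliably."""
    return name.strip().lower().rstrip(".") + "."


def classify_zones(zone_ns, ours):
    """Split zones into a list to sign and a dict of zone -> reason to skip."""
    ours = {canon(n) for n in ours}
    to_sign, to_skip = [], {}
    for zone, nameservers in sorted(zone_ns.items()):
        ns_set = {canon(n) for n in nameservers}
        if not ns_set:
            to_skip[zone] = "no apex NS records; repair the zone before signing"
        elif ns_set <= ours:
            to_sign.append(zone)
        elif ns_set & ours:
            foreign = ", ".join(sorted(ns_set - ours))
            to_skip[zone] = "mixed NS set; a DS would break resolution via " + foreign
        else:
            to_skip[zone] = "delegated to " + ", ".join(sorted(ns_set)) + "; not ours to sign"
    return to_sign, to_skip


def pdnssec_plan(to_sign):
    """Per-zone commands: check the zone for broken records first, then secure it."""
    return ["pdnssec check-zone %s" % z for z in to_sign] + \
           ["pdnssec secure-zone %s" % z for z in to_sign]


# Constructed sample: company.hu is still in our database and we are still
# its registrar, but the owner now hosts it on ns1/ns2.company.hu.
SAMPLE_ZONES = {
    "company.hu": ["ns1.company.hu", "ns2.company.hu"],
    "shop.example.nl": ["NS1.registrar.example", "ns2.registrar.example."],
    "moved.example.nl": ["ns1.registrar.example", "ns1.elsewhere.example"],
    "broken.example.nl": [],
}

if __name__ == "__main__":
    sign, skip = classify_zones(SAMPLE_ZONES, OUR_NAMESERVERS)
    for cmd in pdnssec_plan(sign):
        print(cmd)
    for zone, why in skip.items():
        print("SKIP %s: %s" % (zone, why))
```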