[Pdns-users] Some initial large scale DNSSEC signing best practices

bert hubert bert.hubert at netherlabs.nl
Sat Jul 7 18:13:47 UTC 2012

These best practices can now also be found (& edited) on


On Sat, Jul 07, 2012 at 07:36:10PM +0200, bert hubert wrote:
> On Fri, Jul 06, 2012 at 11:21:26AM +0200, Peter Gervai wrote:
> > I welcome this message but reminds me of mentioning that if there's a
> > gathered wisdom about common pitfalls and usual possible improvements
> > it may be useful to share these as most of us are not dutch root
> > registrars. ;-)
> Yes - we will share our conclusions. We discovered a few things already:
>  * Do NOT use PowerDNS 3.0 or 3.0.1 for large scale DNSSEC, it has too many
>    bugs.  The documentation already mentions this, but we will be
>    deprecating DNSSEC in 3.0 officially.
>  * Various DNSSEC caches also cost memory. We encountered a signing master
>    that was swapping all the time. This kills performance dead. Check if
>    your (virtual) server is short on memory before signing.
>  * The static PowerDNS Auth 3.1 packages for 64-bit Debian crash easily on
>    Ubuntu 12.04 LTS.  This can be fixed by compiling yourself, or contact us
>    for an improved binary. The crash is due to a conflict between our static
>    binaries and dynamic gethostbyname NSS calls.
>  * Do not secure zones which you don't run yourself! A common scenario is
>    where you have company.hu still on your servers, and you are still the
>    registrar, but these days company.hu hosts the domain itself on
>    ns1.company.hu and ns2.company.hu.
>    If you decide to secure all zones in your database, you WILL create a DS
>    for company.hu and give it to the HU.nic. This will kill the domain, as
>    the folks on ns[12].company.hu will not have signed their zone with your
>    key!
>    This last thing is responsible for the slight dip in the Dutch DNSSEC
>    graph on http://xs.powerdns.com/dnssec-nl-graph/
>  * You seriously need to run 'pdnssec check-all-zones'. If an RR has
>    one broken record in it, the entire RRSET cannot be signed. This leads
>    to pain. In addition, PowerDNS sometimes reacts badly to trying to sign
>    broken records.
>  * Make sure your network is stable. It turns out that various versions of
>    BIND respond to timeouts to your server by declaring it as not supporting
>    EDNS, and thus not DNSSEC.  This in turn will disable your signed
>    domains!
>    ISC is pondering improving the logic of BIND in this respect for DNSSEC
>    signed domains, and we are in productive discussions with them on this
>    subject.
> Please stay tuned for further 'best current practices'.
> 	Bert
> -- 
> PowerDNS Website: http://www.powerdns.com/
> PowerDNS Community Website: http://wiki.powerdns.com/
> PowerDNS is supported and developed by Netherlabs: http://www.netherlabs.nl
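As an added illustration of two of the points above (skip zones you no longer serve, and find records that would block signing of an RRset), here is a small pre-signing audit. It is example code written for this page, not PowerDNS tooling; the nameserver names and the record dump are constructed, and a real deployment would read them from the PowerDNS backend.

```python
"""Pre-signing zone audit (added example, not PowerDNS tooling).
Reads a constructed record dump (zone, owner, type, content) and applies two
gates before a zone is reported safe to sign and to get a DS at the parent:
  1. the apex NS set must contain a server we operate, else a DS at the parent
     breaks a zone that is really served elsewhere (the company.hu case);
  2. every A/AAAA record must parse: one broken record blocks its whole RRset.
"""
import ipaddress
from collections import defaultdict

OUR_NAMESERVERS = {"ns1.example-registrar.nl.", "ns2.example-registrar.nl."}  # assumed

# Constructed sample records: (zone, owner name, type, content)
RECORDS = [
    ("ours.nl.", "ours.nl.", "NS", "ns1.example-registrar.nl."),
    ("ours.nl.", "ours.nl.", "NS", "ns2.example-registrar.nl."),
    ("ours.nl.", "www.ours.nl.", "A", "192.0.2.10"),
    ("company.hu.", "company.hu.", "NS", "ns1.company.hu."),  # hosted elsewhere
    ("company.hu.", "company.hu.", "NS", "ns2.company.hu."),
    ("broken.nl.", "broken.nl.", "NS", "ns1.example-registrar.nl."),
    ("broken.nl.", "mail.broken.nl.", "A", "192.0.2.30"),
    ("broken.nl.", "mail.broken.nl.", "A", "192.0.2.999"),  # malformed IPv4
]

def bad_address(rtype, content):
    """True when an A/AAAA record's content is not an address of that family."""
    try:
        addr = ipaddress.ip_address(content)
    except ValueError:
        return True
    return (rtype == "A") != (addr.version == 4)

def audit(records, our_ns):
    """Return {zone: [problems]}; an empty list means the zone is safe to sign."""
    problems, apex_ns, bad_rrsets = {}, defaultdict(set), defaultdict(set)
    ours = {n.lower() for n in our_ns}
    for zone, name, rtype, content in records:
        problems.setdefault(zone, [])
        if rtype == "NS" and name == zone:
            apex_ns[zone].add(content.lower())
        if rtype in ("A", "AAAA") and bad_address(rtype, content):
            bad_rrsets[(zone, name, rtype)].add(content)
    for zone in problems:
        if not apex_ns[zone] & ours:
            problems[zone].append("not served by us: do not sign, do not publish a DS")
    for (zone, name, rtype), bad in bad_rrsets.items():
        problems[zone].append(f"unsignable RRset {name} {rtype}: bad content {sorted(bad)}")
    return problems

if __name__ == "__main__":
    for zone, issues in audit(RECORDS, OUR_NAMESERVERS).items():
        print(zone, "OK" if not issues else "; ".join(issues))
```

Only zones that come back with an empty problem list should be fed to the signer and have their DS handed to the parent; the others need a fix (or removal from the database) first.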
