[Pdns-users] Some initial large scale DNSSEC signing best practices

Aki Tuomi cmouse at youzen.ext.b2.fi
Sun Jul 8 18:08:45 UTC 2012

On Sun, Jul 08, 2012 at 07:03:08PM +0200, Peter van Dijk wrote:
> Hello Christof,
> On Jul 8, 2012, at 17:57 , Christof Meerwald wrote:
> > On Sat, 7 Jul 2012 19:36:10 +0200, bert hubert wrote:
> >> On Fri, Jul 06, 2012 at 11:21:26AM +0200, Peter Gervai wrote:
> >>> I welcome this message but reminds me of mentioning that if there's a
> >>> gathered wisdom about common pitfalls and usual possible improvements
> >>> it may be useful to share these as most of us are not dutch root
> >>> registrars. ;-)
> >> Yes - we will share our conclusions. We discovered a few things already:
> > 
> > BTW, are there any plans yet when the limitation that only one backend
> > can be used for DNSSEC will be removed?
> Aki Tuomi recently submitted a patch that presumably removes that limitation - at least for any combination of gsql backends with the bindbackend (as long as bind is the last in the launch line, as far as I can judge. I'm sure he will correct me if I'm wrong). The ticket and patch are at http://wiki.powerdns.com/trac/ticket/513
> I have not tried it yet, but it looks good. If you give it a spin, please let us know how it works for you :)
> Kind regards,
> -- 
> Peter van Dijk

It should work either way, even if you launch bind first or last. It just 
corrects a bug in gsql, which does not return false for domains it is not
authoritative for, thus making Ueberbackend able to ask bind as well. 

Aki Tuomi
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20120708/ef0f9903/attachment-0001.sig>

More information about the Pdns-users mailing list