[Pdns-users] Some initial large scale DNSSEC signing best practices

Aki Tuomi cmouse at youzen.ext.b2.fi
Sun Jul 8 18:21:59 UTC 2012


On Sun, Jul 08, 2012 at 09:08:45PM +0300, Aki Tuomi wrote:
> On Sun, Jul 08, 2012 at 07:03:08PM +0200, Peter van Dijk wrote:
> > Hello Christof,
> > 
> > On Jul 8, 2012, at 17:57 , Christof Meerwald wrote:
> > 
> > > On Sat, 7 Jul 2012 19:36:10 +0200, bert hubert wrote:
> > >> On Fri, Jul 06, 2012 at 11:21:26AM +0200, Peter Gervai wrote:
> > >>> I welcome this message, but it reminds me to mention that if there's
> > >>> gathered wisdom about common pitfalls and usual possible improvements,
> > >>> it may be useful to share these, as most of us are not Dutch root
> > >>> registrars. ;-)
> > >> Yes - we will share our conclusions. We discovered a few things already:
> > > 
> > > BTW, are there any plans yet when the limitation that only one backend
> > > can be used for DNSSEC will be removed?
> > 
> > 
> > Aki Tuomi recently submitted a patch that presumably removes that limitation - at least for any combination of gsql backends with the bindbackend (as long as bind is the last in the launch line, as far as I can judge. I'm sure he will correct me if I'm wrong). The ticket and patch are at http://wiki.powerdns.com/trac/ticket/513
> > 
> > I have not tried it yet, but it looks good. If you give it a spin, please let us know how it works for you :)
> > 
> > Kind regards,
> > -- 
> > Peter van Dijk
> 
> It should work either way, even if you launch bind first or last. It just 
> corrects a bug in gsql, which does not return false for domains it is not
> authoritative for, thus making Ueberbackend able to ask bind as well. 
> 
> Aki Tuomi

And sadly, now that I look at the bind backend, I see it has the very same
bug as gsql. Luckily there is a patch for this as well.

http://wiki.powerdns.com/trac/ticket/523

I would be most grateful if you could try this out and see if it does wonders
for your problem. 

Kind regards,
Aki Tuomi