[Pdns-users] dnssec in pdns-recursor
Augie Schwer
augie.schwer at gmail.com
Wed Mar 7 01:20:25 UTC 2012
On Fri, Mar 2, 2012 at 1:26 AM, bert hubert <bert.hubert at netherlabs.nl> wrote:
> 3.1 auth will come first. So it is no longer true. After 3.1 auth we will do
> 3.4 recursor first, which will not come with DNSSEC yet, but does have
> important improvements.
> DNSSEC will happen after that. Immediately. ;-)
Well, here are two future feature requests for that DNSSEC-enabled pdns-recursor:
* Ability to exclude a particular domain from DNSSEC validation; for
example, if a popular site (say nasa.gov) updates their keys
incorrectly so that their domain fails validation, you contact their
admins, and with a high level of confidence you determine this is a
configuration mistake and not a security breach, you can then exclude
them from DNSSEC validation so your customers can access their site
while they fix their error.
* Ability to log DNSSEC validation failures in domains, so that you
can proactively be aware of situations like the above scenario.
--
Augie Schwer - Augie at Schwer.us - http://schwer.us
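
The two requests above, modelled as a small resolver-side policy. This is an added illustration, not part of the original message and not PowerDNS code; the class, method names and sample reason string are hypothetical. It shows exclusions matched on label boundaries and failures logged and counted even for excluded zones, so the operator can see when the exclusion is no longer needed.

```python
import logging
from dataclasses import dataclass, field

log = logging.getLogger("dnssec-policy")


def _labels(name):
    """Lower-cased labels, root-most first: 'WWW.nasa.gov.' -> ('gov', 'nasa', 'www')."""
    return tuple(reversed(name.rstrip(".").lower().split(".")))


@dataclass
class ValidationPolicy:
    """Hypothetical policy object; not an API of any real resolver."""
    excluded: dict = field(default_factory=dict)   # zone labels -> operator's reason
    failures: dict = field(default_factory=dict)   # zone or name -> failure count

    def exclude(self, zone, reason):
        self.excluded[_labels(zone)] = reason

    def matching_exclusion(self, qname):
        """Most specific excluded zone containing qname, or None.

        Comparing whole labels keeps 'notnasa.gov' from matching 'nasa.gov',
        which a plain string suffix test would get wrong.
        """
        q = _labels(qname)
        best = None
        for zone in self.excluded:
            if q[:len(zone)] == zone and (best is None or len(zone) > len(best)):
                best = zone
        return best

    def decide(self, qname, validated_ok):
        """Return 'answer' or 'servfail' once the validation result is known."""
        if validated_ok:
            return "answer"
        zone = self.matching_exclusion(qname)
        key = ".".join(reversed(zone)) if zone else qname.rstrip(".").lower()
        # Count every failure, excluded or not, so failing domains stay visible.
        self.failures[key] = self.failures.get(key, 0) + 1
        if zone is not None:
            log.warning("DNSSEC failure for %s ignored: %s is excluded (%s)",
                        qname, key, self.excluded[zone])
            return "answer"
        log.warning("DNSSEC failure for %s: returning SERVFAIL", qname)
        return "servfail"
```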