[Pdns-users] Standardized DNS Record Types Not Supported by PowerDNS

Nick Williams nicholas at nicholaswilliams.net
Mon Mar 9 03:28:14 UTC 2015

On Mar 8, 2015, at 2:51 PM, Aki Tuomi wrote:

> On Sun, Mar 08, 2015 at 11:34:00AM -0500, Nick Williams wrote:
>> The following are standardized DNS record types[1] that aren't supported by PowerDNS[2]. I was hoping someone could enlighten me as to whether there are specific reasons for not supporting them (as opposed to "nobody has gotten around to doing the work yet," which is of course understandable) and if there are any plans to begin supporting them.
>> These types are:
>> - APL: Specifies list of address ranges typically in CIDR format
>> - CAA: Used for pinning a specific certificate authority for a host
>> - DHCID: DHCP identifier
>> - DNAME: Alias for a name and its subdomains (CNAME is just for exact name)
>> - HIP: Host Identify Protocol
>> - IPSECKEY: Key for IPSec protocol
>> - KX: Key Exchanger Record
>> Thoughts?
> Actually, as per version 3.0 we support KX and IPSECKEY. There are even
> tests for these. Not that anyone really uses these. 
> There has been some previous of discussions about DNAME. 
> http://mailman.powerdns.com/pipermail/pdns-users/2011-September/008251.html
> http://mailman.powerdns.com/pipermail/pdns-users/2008-August/005680.html
> APL is considered experimental (could not find any RFC saying otherwise, 
> there was now-expired RFC draft), so I can't see any justification for this. 
> CAA is probably superceded by TLSA/DANE. Someone correct me if I'm wrong.
> DHCID is not difficult to add, if needed.
> HIP/HIT ditto, it looks like many of the other key storage types. 
> In any case, these are added if someone provides patches, or strong need. 
> Aki

Sounds like the "Supported Record Types" page needs updating to add KX and IPSECKEY.

To bad about DNAME. I'd try to submit a patch but I'm a little too busy with what I'm doing right now to take the time to learn about PDNS's codebase.

TLSA does *not* supersede CAA—they work together. TLSA says "here is the valid public key for this host," and the client can reject any certs created with other public keys. CAA says "here is the valid certificate authority for this host," and the client can reject any certs signed by any other certificate authority. TLSA *does* increase security significantly on its own, but adding CAA makes it even more secure.

I don't have particular needs for APL, DHCID, and HIP—I was just curious about their status in PowerDNS.



More information about the Pdns-users mailing list