[Pdns-users] Standardized DNS Record Types Not Supported by PowerDNS
nicholas at nicholaswilliams.net
Mon Mar 9 17:00:52 UTC 2015
On Mar 9, 2015, at 2:42 AM, bert hubert wrote:
>> Sounds like the "Supported Record Types" page needs updating to add KX and IPSECKEY.
> Patches are welcome. It is very easy to update our Markdown documentation these days. https://github.com/PowerDNS/pdns/blob/master/docs/markdown/types.md and press the edit (pencil) icon.
>> Too bad about DNAME. I'd try to submit a patch but I'm a little too busy with what I'm doing right now to take the time to learn about PDNS's codebase.
> DNAME is actually available, "experimental-dname-processing" makes that happen.
Interesting. Thanks for pointing that out to me. However, it says not to combine with DNSSEC in bold letters with an exclamation mark, so that means I can't use it.
Out of curiosity, 1) Why can't it be combined with DNSSEC? Is it just not complete yet, and DNAME+DNSSEC support is coming later? Or is it something else? 2) Why does this approximately double query load?
>> TLSA does *not* supersede CAA—they work together. TLSA says "here is the valid public key for this host," and the client can reject any certs created with other public keys. CAA says "here is the valid certificate authority for this host," and the client can reject any certs signed by any other certificate authority. TLSA *does* increase security significantly on its own, but adding CAA makes it even more secure.
> If you have a CAA record and can point to a client that verifies it, we could look into it. It is very hard to implement things where we have to hunt for a client first.
Indeed, you're right. I can't find any clients that support CAA. For that matter, it appears that none of the browsers support TLSA/DANE, either. That's a bummer. I was looking forward to rolling that out, but it won't really make a difference.
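As an added illustration of the TLSA/CAA distinction discussed above (this is example code written for this page, not code from the thread or from PowerDNS): a small model of the check a TLS client would perform against a DANE-EE TLSA record, and the check a certificate authority would perform against a name's CAA records. The certificate and SubjectPublicKeyInfo bytes are constructed placeholders rather than real DER, and the CAA issue/issuewild rules are a simplified model assumed here (relevant property present means the issuer must match; none present means issuance is unrestricted; an unknown property with the critical flag set means refuse). The function and record names are this example's own.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable

# Constructed placeholder bytes standing in for real DER structures.
CERT = b"constructed: end-entity certificate DER placeholder"
SPKI = b"constructed: SubjectPublicKeyInfo placeholder"


@dataclass(frozen=True)
class TLSA:
    usage: int      # 0..3; 3 = DANE-EE: pin the end-entity certificate itself
    selector: int   # 0 = whole certificate, 1 = SubjectPublicKeyInfo only
    mtype: int      # 0 = exact bytes, 1 = SHA-256 digest, 2 = SHA-512 digest
    data: bytes


def tlsa_association_data(cert_der: bytes, spki_der: bytes, selector: int, mtype: int) -> bytes:
    """Derive the Certificate Association Data a TLSA record carries."""
    if selector == 0:
        chosen = cert_der
    elif selector == 1:
        chosen = spki_der
    else:
        raise ValueError(f"unknown TLSA selector {selector}")
    if mtype == 0:
        return chosen
    if mtype == 1:
        return hashlib.sha256(chosen).digest()
    if mtype == 2:
        return hashlib.sha512(chosen).digest()
    raise ValueError(f"unknown TLSA matching type {mtype}")


def build_tlsa(cert_der: bytes, spki_der: bytes, usage: int = 3, selector: int = 1, mtype: int = 1) -> TLSA:
    """Zone-operator side: publish a record for the cert/key actually deployed."""
    return TLSA(usage, selector, mtype, tlsa_association_data(cert_der, spki_der, selector, mtype))


def tlsa_presentation(rec: TLSA) -> str:
    """Presentation format as it would appear in a zone file, e.g. '3 1 1 <hex>'."""
    return f"{rec.usage} {rec.selector} {rec.mtype} {rec.data.hex()}"


def parse_tlsa(text: str) -> TLSA:
    usage, selector, mtype, hexdata = text.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata))


def tlsa_matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Client side: does the certificate presented in the handshake match the record?"""
    if rec.usage != 3:
        raise NotImplementedError("this model only covers DANE-EE (usage 3)")
    return tlsa_association_data(cert_der, spki_der, rec.selector, rec.mtype) == rec.data


@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (value 128) = issuer-critical
    tag: str
    value: str


def caa_permits(records: Iterable[CAA], issuer_domain: str, wildcard: bool = False) -> bool:
    """CA side: may issuer_domain issue for this name? (simplified model, see lead-in)"""
    recs = list(records)
    # An unknown property marked critical means the CA must not issue.
    for r in recs:
        if r.flags & 128 and r.tag.lower() not in ("issue", "issuewild", "iodef"):
            return False
    # issuewild governs wildcard names when present; otherwise issue applies.
    relevant = [r for r in recs if r.tag.lower() == "issuewild"] if wildcard else []
    if not relevant:
        relevant = [r for r in recs if r.tag.lower() == "issue"]
    if not relevant:
        return True  # no issue/issuewild property: issuance is unrestricted
    for r in relevant:
        # value is 'issuer-domain[; parameters]'; an empty issuer name authorizes nobody
        name = r.value.split(";", 1)[0].strip().lower()
        if name and name == issuer_domain.lower():
            return True
    return False
```

The two checks never touch the same data: TLSA compares the key (or certificate) actually served, so a certificate issued by an unexpected CA for a different key fails the client-side match, while CAA is consulted by the CA before issuance and says nothing about what the client will accept. Pinning with selector 1 (SPKI) also lets a certificate be renewed without changing the published record as long as the key stays the same, which is the usual operational reason to prefer it over selector 0.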