BIND 9.7.1 + DLZ + DNSSEC: Possible?

Kevin Mai kma at
Tue Sep 14 19:46:42 UTC 2010

We have an average of around 11 QPS but we update zones daily (our servers store NS delegations mostly and government sites) so it's a daily task to approve new domains and update/reload zones. 

We have a good DB infrastructure built in and the fact of having a MySQL server that can replicate is a good reason to have DLZ as the backend. 

The other issue we face is signing the zone files, as we are looking forward to harden security and sign the .ar ccTLD and the other TLDs (,,,, etc). We can sign zone files, but how do we sign database entries? 

De: "Scott Haneda" <talklists at> 
Para: "Kevin Mai" <kma at> 
CC: bind-users at 
Enviados: Martes, 14 de Septiembre 2010 16:40:05 
Asunto: Re: BIND 9.7.1 + DLZ + DNSSEC: Possible? 

On Sep 14, 2010, at 12:15 PM, Kevin Mai < kma at > wrote: 

My name is Kevin and I'm working with the Argentina ccTLD team to upgrade our local NS systems and our goal is to load the .ar, and subsequent zones using DLZ. Our other task was to deploy DNSSEC here and start signing our TLDs, but according to the e-mails I've read (dated 2006 mostly) it's not very clear if it's already been possible (it's been 4 years since those e-mails were written). 

For that reason, I'd need to know if anyone has deployed DNSSEC and signed zones and then stored those RRSIG, NSEC and DNSKEY records on a MySQL backend using DLZ as a way to get those entries dinamically. 

I'd really appreciate your replies :) 

I've been dealing with DLZ systems for the better part of a few years now. Unless something has changed I am not aware of in the last 12 months, I can offer a few suggestions. 

Make sure you test load. Find the fastest reading DB backend you are comfortable with. Then performance test it. The load of a medium to heavy system on the database is significant. 

Doing 1000's of DNS lookups per second on a non DLZ system is generally not too hard to build out. Doing 1000's of selects on a database, DLZ or not, is significantly more challenging. 

Keep in mind, 1 lookup generally is not 1 database lookup in DLZ, but will take a few to get the final answer. 

I find DLZ really shines when you are adding and removing domains often and need instant access to those changes. If you are not making many changes to your records, the performance hit is not worth the ease of records management you gained. 

If reloading named starts to take too long, DLZ will come into play. You will more than likely want to look at ways of distributing multiple DLZ systems. 

There is a competing product for which I have no experience with. I'm sure you can find it in google. I would explore the pros and cons of any alternative system as well as BIND/named standalone, and of course a DLZ backed method. 

I have never had to implement signed zones before. If that data is within the zone, I see no reason why DLZ would not be able to return the correct response. 
Scott * If you contact me off list replace talklists@ with scott@ * 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the bind-users mailing list