BIND 9.7.1 + DLZ + DNSSEC: Possible?

Kalman Feher kalman.feher at
Tue Sep 14 20:40:26 UTC 2010

Sign them offline or out of band using a database trigger to initiate the
signing. Your schema might need to change a little though.

For a ccTLD, your private key should probably be secure and offline anyway.
Zone updates should be reasonably automatable using either the BIND dnssec
tools or any of the other toolsets out there. OpenDNSSEC is another I'm
familiar with, but there are more.

Getting that signed zone back into your database is the trick. I'm not that
familiar with the DLZ backend, but if it can slave a zone from any DNS
server, then you set it up as a secondary to whatever is signing your zones.
If that can't be done, you'll need to parse the zone file to insert the
records into your live domain table.

On 14/09/10 9:46 PM, "Kevin Mai" <kma at> wrote:

> We have an average of around 11 QPS but we update zones daily (our servers
> store NS delegations mostly and government sites) so it's a daily task to
> approve new domains and update/reload zones.
> We have a good DB infrastructure built in and the fact of having a MySQL
> server that can replicate is a good reason to have DLZ as the backend.
> The other issue we face is signing the zone files, as we are looking forward
> to hardening security and signing the .ar ccTLD and the other TLDs (,
>,,, etc). We can sign zone files, but how do we sign
> database entries?
> From: "Scott Haneda" <talklists at>
> To: "Kevin Mai" <kma at>
> CC: bind-users at
> Sent: Tuesday, 14 September 2010 16:40:05
> Subject: Re: BIND 9.7.1 + DLZ + DNSSEC: Possible?
> On Sep 14, 2010, at 12:15 PM, Kevin Mai <kma at> wrote:
>> My name is Kevin and I'm working with the Argentina ccTLD team to upgrade our
>> local NS systems and our goal is to load the .ar, and subsequent
>> zones using DLZ. Our other task was to deploy DNSSEC here and start signing
>> our TLDs, but according to the e-mails I've read (dated 2006 mostly) it's not
>> very clear if it's already been possible (it's been 4 years since those
>> e-mails were written).
>> For that reason, I'd need to know if anyone has deployed DNSSEC and signed
>> zones and then stored those RRSIG, NSEC and DNSKEY records on a MySQL backend
>> using DLZ as a way to get those entries dynamically.
>> I'd really appreciate your replies :)
> I've been dealing with DLZ systems for the better part of a few years now.
> Unless something has changed I am not aware of in the last 12 months, I can
> offer a few suggestions.
> Make sure you test load. Find the fastest reading DB backend you are
> comfortable with. Then performance test it. The load of a medium to heavy
> system on the database is significant.
> Doing 1000s of DNS lookups per second on a non DLZ system is generally not
> too hard to build out. Doing 1000s of selects on a database, DLZ or not, is
> significantly more challenging.
> Keep in mind, 1 lookup generally is not 1 database lookup in DLZ, but will
> take a few to get the final answer.
> I find DLZ really shines when you are adding and removing domains often and
> need instant access to those changes. If you are not making many changes to
> your records, the performance hit is not worth the ease of records management
> you gained. 
> If reloading named starts to take too long, DLZ will come into play. You will
> more than likely want to look at ways of distributing multiple DLZ systems.
> There is a competing product with which I have no experience. I'm sure you
> can find it in google. I would explore the pros and cons of any alternative
> system as well as BIND/named standalone, and of course a DLZ backed method.
> I have never had to implement signed zones before. If that data is within the
> zone, I see no reason why DLZ would not be able to return the correct
> response. 

Kal Feher 
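
The fallback Kal describes above (parse the signed zone file and insert the records into the live domain table) as an added example that is not part of this thread and not code from BIND or the DLZ drivers. It reads a dnssec-signzone-style file, folds multi-line ( ... ) records, turns owner names into host values relative to the apex, refuses to load a zone whose RRSIGs have already expired, and emits parameterized INSERTs. The sample zone is constructed, and the table layout (zone, host, ttl, type, data in a table called dns_records) is an assumption: the DLZ MySQL driver runs whatever SELECT you configure in named.conf, so adapt to_inserts() to the schema you actually query.

```python
"""Load a dnssec-signzone output file into a DLZ-style records table.

Added example, not code from the thread or from BIND/DLZ. The table layout
(zone, host, ttl, type, data) is an assumption: the DLZ MySQL driver runs
whatever SELECT you put in named.conf, so adapt to_inserts() to your schema.
"""
import re
from datetime import datetime, timezone

# Constructed sample: a fragment in the shape dnssec-signzone emits, with
# multi-line ( ... ) records, a comment, inherited owners and explicit TTLs.
SIGNED_ZONE = """\
$ORIGIN example.ar.
$TTL 3600
@       IN SOA ns1.example.ar. hostmaster.example.ar. (
                2010091401 7200 3600 1209600 3600 ) ; serial refresh retry expire minimum
        IN NS  ns1.example.ar.
        IN RRSIG SOA 8 2 3600 ( 20101014000000 20100914000000
                12345 example.ar. AbCdEfGh== )
        IN DNSKEY 257 3 8 ( AwEAAbCdEfGhIjKl )
        IN NSEC ns1.example.ar. SOA NS RRSIG NSEC DNSKEY
ns1     300 IN A 192.0.2.1
        300 IN RRSIG A 8 3 300 ( 20101014000000 20100914000000
                12345 example.ar. ZzYyXx== )
"""

CLASSES = {"IN", "CH", "HS"}


def _logical_lines(text):
    """Yield one record per item, comments stripped and ( ... ) joined.
    Comment stripping is naive: a ';' inside a quoted TXT string would break it."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = re.sub(r";.*", "", raw)
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            joined = " ".join(buf)
            buf = []
            if joined.strip():
                yield joined
    if depth != 0:
        raise ValueError("unbalanced parentheses in zone file")


def _host(owner, origin):
    """Owner name relative to the zone apex, '@' for the apex itself."""
    if owner in ("@", origin):
        return "@"
    if owner.endswith("."):
        suffix = "." + origin
        if not owner.endswith(suffix):
            raise ValueError(f"{owner} lies outside zone {origin}")
        return owner[: -len(suffix)]
    return owner  # already relative to $ORIGIN


def parse_signed_zone(text, origin=None):
    """Return one dict per record: zone, host, ttl, type, data (rdata as text)."""
    rows, default_ttl, owner = [], None, None
    for rec in _logical_lines(text):
        tokens = rec.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        if tokens[0].startswith("$"):
            raise ValueError(f"unsupported directive {tokens[0]}")
        if not rec[0].isspace():  # new owner; a leading blank inherits the last one
            owner = tokens.pop(0)
        if owner is None or origin is None:
            raise ValueError("record before owner or $ORIGIN")
        ttl = default_ttl
        if tokens[0].isdigit():  # "ttl class type" order
            ttl = int(tokens.pop(0))
        if tokens[0] in CLASSES:
            tokens.pop(0)
        if tokens[0].isdigit():  # "class ttl type" order
            ttl = int(tokens.pop(0))
        rows.append({"zone": origin.rstrip("."), "host": _host(owner, origin),
                     "ttl": ttl, "type": tokens[0], "data": " ".join(tokens[1:])})
    return rows


def expired_signatures(rows, now):
    """RRSIG rows whose expiration is not after `now` (an aware UTC datetime).
    A zone whose signatures have lapsed validates as bogus, so refuse to load it."""
    stale = []
    for r in rows:
        if r["type"] != "RRSIG":
            continue
        # RRSIG rdata: type alg labels origttl expiration inception keytag signer sig
        exp = datetime.strptime(r["data"].split()[4], "%Y%m%d%H%M%S")
        if exp.replace(tzinfo=timezone.utc) <= now:
            stale.append(r)
    return stale


def to_inserts(rows, table="dns_records"):
    """Parameterized INSERTs (DB-API 'format' paramstyle, as MySQLdb uses).
    rdata comes from a file, so it is never spliced into the SQL text."""
    sql = (f"INSERT INTO {table} (zone, host, ttl, type, data) "
           "VALUES (%s, %s, %s, %s, %s)")
    return [(sql, (r["zone"], r["host"], r["ttl"], r["type"], r["data"])) for r in rows]


if __name__ == "__main__":
    rows = parse_signed_zone(SIGNED_ZONE)
    stale = expired_signatures(rows, datetime.now(timezone.utc))
    if stale:
        raise SystemExit(f"refusing to load: {len(stale)} RRSIG(s) already expired")
    for sql, params in to_inserts(rows):
        print(sql, params)
```

Run as a script today it refuses the load, because the constructed signatures expired in October 2010; that is the check doing its job, since loading a stale signed zone into the live table would make every validating resolver treat the TLD as bogus. Wire the same check into whatever trigger or cron job moves the signer's output into the database, and run it again just before the old records are replaced, not only when the signer finishes.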
