BIND 9.7.1 + DLZ + DNSSEC: Possible?

Evan Hunt each at
Wed Sep 15 03:06:48 UTC 2010

> My name is Kevin and I'm working with the Argentina ccTLD team to upgrade
> our local NS systems and our goal is to load the .ar and
> subsequent zones using DLZ. Our other task was to deploy DNSSEC here and
> start signing our TLDs, but according to the e-mails I've read (dated
> 2006 mostly) it's not very clear if it's already been possible (it's been
> 4 years since those e-mails were written). 

As far as I know, DLZ has not yet been taught to understand DNSSEC.

I haven't confirmed this personally, but I'll hazard a guess based on
what I've seen of the code.  DLZ might be able to provide normal answers
and RRSIGs when the name exists, but for NXDOMAIN and NOERROR/NODATA
answers, I wouldn't expect it to provide NSEC records correctly in all
cases, and I'm sure it would fail with NSEC3.

If you're planning to use this for a hidden zone master or some such,
where it would only be answering AXFRs, I think it could probably do

Incidentally, BIND 10 can serve authoritative data from a database
back-end; it currently supports SQLite3 and we're planning to add a MySQL
data source driver.  But it won't be ready for production use for
another year or so.

Evan Hunt -- each at
Internet Systems Consortium, Inc.
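
Added example, not part of the original message and not BIND or DLZ code: a signed NXDOMAIN answer needs the NSEC record whose owner is the canonical predecessor of the queried name, which takes an ordered view of the zone rather than an exact-name lookup. The zone contents and function names below are constructed for illustration; wildcard denial and NSEC3 hashing are left out.

```python
from bisect import bisect_right

# Constructed sample zone (owner names only); not data from the thread.
ZONE = ["example.test.", "www.example.test.", "a.example.test.",
        "mail.example.test.", "z.a.example.test."]

def canonical_key(name):
    """RFC 4034 section 6.1: lowercase, compare labels right to left."""
    labels = name.rstrip(".").lower().split(".")
    return [label.encode("ascii") for label in reversed(labels)]

def build_nsec_chain(owner_names):
    """Return [(owner, next_owner)] in canonical order; the last wraps to the apex."""
    ordered = sorted(set(owner_names), key=canonical_key)
    return [(name, ordered[(i + 1) % len(ordered)]) for i, name in enumerate(ordered)]

def covering_nsec(chain, qname):
    """Return the NSEC (owner, next) that proves qname absent, or None if it exists."""
    keys = [canonical_key(owner) for owner, _ in chain]
    q = canonical_key(qname)
    apex = keys[0]  # assumes the chain includes the apex, which sorts first
    if q[:len(apex)] != apex:
        raise ValueError(f"{qname} is not in this zone")
    idx = bisect_right(keys, q) - 1  # last owner that sorts at or before qname
    if keys[idx] == q:
        return None  # name exists: a NODATA answer uses that name's own NSEC
    return chain[idx]

if __name__ == "__main__":
    chain = build_nsec_chain(ZONE)
    for q in ("ftp.example.test.", "zzz.example.test.", "www.example.test."):
        print(q, "->", covering_nsec(chain, q))
```

A plain string sort of the same owner names gives a different predecessor for ftp.example.test., so the ordering has to be the canonical one.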

