[bind10-dev] SQL in BIND 10
Michal 'vorner' Vaner
michal.vaner at nic.cz
Fri Feb 8 08:50:36 UTC 2013
Hello
On Thu, Feb 07, 2013 at 08:20:08PM +0000, Evan Hunt wrote:
> > I've not closely looked into the DNSSEC support of PowerDNS, but my
> > preliminary understanding is that signatures are not in the user
> > database but generated and maintained either in-memory or in some
> > "captive" storage. Is that what people would expect when they want to
> > support DNSSEC with their own provisioning system? Or are they
> > willing to maintain DNSSEC related data in their own system?
>
> In BIND 9 we have a feature called "inline-signing" which allows an
> unsigned zone (either master or slave) to create a signed clone of itself;
> queries are then served from the signed version.
We probably won't get away without the backend somehow declaring its
capabilities. So we could have several options of what it can do:
• Iterate the zone and notify about a change. Then we could cache it in-memory
and sign it on load.
• Full support (iterate, answer queries, provide RRSigs and NSEC3s and stuff).
• Unsigned support. Would it be possible to provide some generic code to
compute the signatures on-demand? I see some trouble with NSEC3, but NSEC
should be doable with some small support, like looking up the previous name
in the zone.
With regards
--
Operator Name Can occur
* Whatever Whereever
Michal 'vorner' Vaner
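
Added example, not part of the original message and not BIND 10 code: a sketch of the "look up the previous name in the zone" support that on-demand NSEC generation would need from an unsigned backend. The class and function names and the sample zone are hypothetical; names are assumed to be plain ASCII without escaped dots, and wildcards, empty non-terminals and the signing of the NSEC itself are left out.

```python
import bisect

def canonical_key(name):
    """RFC 4034 section 6.1 order: compare labels right to left as lowercase octets."""
    labels = name.rstrip(".").lower().encode("ascii").split(b".")
    return tuple(reversed(labels))

class UnsignedZone:
    """Hypothetical backend that stores no DNSSEC data, only owner names."""

    def __init__(self, origin, names):
        self.origin_key = canonical_key(origin)
        # Keep the owner names in canonical order; the apex always sorts first.
        self._names = sorted(set(names) | {origin}, key=canonical_key)
        self._keys = [canonical_key(n) for n in self._names]

    def exists(self, name):
        key = canonical_key(name)
        i = bisect.bisect_left(self._keys, key)
        return i < len(self._keys) and self._keys[i] == key

    def find_previous(self, qname):
        """Closest existing owner name sorting at or before qname."""
        key = canonical_key(qname)
        if key[:len(self.origin_key)] != self.origin_key:
            raise ValueError("name is outside the zone")
        return self._names[bisect.bisect_right(self._keys, key) - 1]

    def next_name(self, owner):
        """Successor of an existing owner; the last name wraps to the apex."""
        i = bisect.bisect_left(self._keys, canonical_key(owner))
        return self._names[(i + 1) % len(self._names)]

def covering_nsec(zone, qname):
    """(owner, next) of the NSEC that denies qname, or None if qname exists."""
    if zone.exists(qname):
        return None
    owner = zone.find_previous(qname)
    return owner, zone.next_name(owner)

# Constructed sample zone, for illustration only.
ZONE = UnsignedZone("example.org.", [
    "a.example.org.", "b.a.example.org.", "mail.example.org.",
    "www.example.org.", "Z.example.org.",
])

if __name__ == "__main__":
    for q in ("ftp.example.org.", "zz.example.org.", "WWW.example.org."):
        print(q, "->", covering_nsec(ZONE, q))
```

The predecessor of ftp.example.org. is b.a.example.org., not a.example.org., so a plain string sort in the backend would yield a wrong NSEC owner; the backend has to order names canonically.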