[bind10-dev] SQL in BIND 10
Shane Kerr
shane at isc.org
Fri Feb 8 15:26:49 UTC 2013

Evan,

On Thursday, 2013-02-07 20:20:08 +0000,
Evan Hunt <each at isc.org> wrote:
> > I've not closely looked into the DNSSEC support of PowerDNS, but my
> > preliminary understanding is that signatures are not in the user
> > database but generated and maintained either in-memory or in some
> > "captive" storage. Is that what people would expect when they want
> > to support DNSSEC with their own provisioning system? Or are they
> > willing to maintain DNSSEC related data in their own system?
>
> In BIND 9 we have a feature called "inline-signing" which allows an
> unsigned zone (either master or slave) to create a signed clone of
> itself; queries are then served from the signed version.

This seems like a brilliant solution, which means it is either an
elegant design or a clever hack, depending on how you look at it.

It probably won't scale that well if you're taking differences between
database contents, but it should be fine for domains with a few dozen
or even a few hundred records, which is 99% of the world. TLDs can use
a "captive" model. :)

> A similar architecture would make sense for BIND 10, I think. But if
> the database doesn't have that ability to send a signal when there's
> new data, then I don't see any way for it to work, so this might end up
> being a capability we disable when using certain databases.

We could still support it based on polling for changes periodically,
with various hacks to improve speed if users were willing to employ
them.

Cheers,

--
Shane