[Dnssec-deployment] PowerDNSSEC Progress: ready for a first look
bert hubert
bert.hubert at netherlabs.nl
Thu Jan 6 16:46:40 EST 2011
Dear DNSSEC Deployment Community,
With the help of many of you, we've now brought 'PowerDNSSEC' to the point
where it might make sense for you to trial it on test domains. We expect to
move some of our own important domains over to PowerDNSSEC early next
week. PowerDNS.COM underlies the commercial DNS hosting service 'Express',
and may have to wait a bit longer.
PowerDNS is carrier-grade supported open source. We expect our DNSSEC
implementation to be suitable for deployment soonish.
Documentation-style description on how things work in practice can be found
from http://doc.powerdns.com/powerdnssec-auth.html including a brief
introduction into things a (PowerDNSSEC) operator needs to know about
DNSSEC.
To test, head over to http://www.powerdnssec.org (which of course is powered
by PowerDNSSEC). More information is on
http://wiki.powerdns.com/trac/wiki/PDNSSEC - including how to get started,
and how to get help.
In brief, PowerDNSSEC will allow you to continue operating as normal in many
cases, with only slight changes to your installation. There is no need to
run signing tools, nor is there a need to rotate keys or run scripts.
Particularly, if you run with Generic MySQL, Generic PostgreSQL or Generic
SQLite3 backends, you should have an easy time. A small schema update is
required, plus an invocation of 'pdnssec secure-zone domain-name && pdnssec
rectify-zone domain-name' per domain you want to secure. And that should be
it. This is detailed on http://doc.powerdns.com/dnssec-migration.html
PowerDNS (for now) is exclusively an online-signing solution.
Supported are:
* NSEC
* NSEC3 in ordered mode (pre-hashed records)
* NSEC3 in narrow mode (unmodified records)
(as discussed here earlier in the week)
* Being a 'signing-slave' for legacy hidden master
* Zone transfers (for NSEC)
* Import of 'standard' private keys from BIND/NSD
* Export of 'standard' private keys
* RSASHA1
* "Pure" PostgreSQL, SQLite3 & MySQL operations
* Hybrid BIND/PostgreSQL/SQLite3/MySQL operation
To join the fun, download the tarball which can be found on the sites above,
and let us know how it works for you!
To clarify, we do not recommend taking the current code snapshot into
production, but we are getting close.
Kind regards,
Bert Hubert
Netherlabs Computer Consulting BV
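
The two NSEC3 modes listed in the message above, as an added illustration (not part of the original post and not PowerDNS code). Ordered mode needs every owner name pre-hashed into a sorted chain; narrow mode, as the PowerDNS documentation describes it, answers with the query's own hash minus one and plus one. The zone names and query are constructed; the salt and iteration count are those of the RFC 5155 example zone.

```python
import base64
import bisect
import hashlib

# RFC 4648 base32 -> base32hex alphabet; base32hex keeps hashes in sort order.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name):
    """Canonical (lowercased) DNS wire format of an owner name."""
    out = b""
    for label in filter(None, name.lower().split(".")):
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def nsec3_digest(name, salt_hex, iterations):
    """RFC 5155 hash: SHA-1(name || salt), then `iterations` further rounds."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest

def b32hex(digest):
    return base64.b32encode(digest).translate(_B32HEX).decode().lower()

def ordered_cover(qname, zone_names, salt_hex, iterations):
    """Ordered mode: needs every name pre-hashed and sorted into a chain."""
    chain = sorted(nsec3_digest(n, salt_hex, iterations) for n in zone_names)
    h = nsec3_digest(qname, salt_hex, iterations)
    i = bisect.bisect_left(chain, h)
    if i < len(chain) and chain[i] == h:
        return None  # the name exists, so there is no denial to prove
    return b32hex(chain[i - 1]), b32hex(chain[i % len(chain)])  # wraps around

def narrow_cover(qname, salt_hex, iterations):
    """Narrow mode: cover only the query's own hash, computed on the fly."""
    h = int.from_bytes(nsec3_digest(qname, salt_hex, iterations), "big")
    lo, hi = (h - 1) % 2**160, (h + 1) % 2**160
    return b32hex(lo.to_bytes(20, "big")), b32hex(hi.to_bytes(20, "big"))

if __name__ == "__main__":
    zone = ["example", "a.example", "ns1.example"]  # constructed zone contents
    print("H(example):", b32hex(nsec3_digest("example", "aabbccdd", 12)))
    print("ordered   :", ordered_cover("nope.example", zone, "aabbccdd", 12))
    print("narrow    :", narrow_cover("nope.example", "aabbccdd", 12))
```

The ordered-mode answer exposes the hashes of two real owner names, while the narrow-mode answer exposes none; the price is that every denial has to be generated and signed at query time.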