Hurricane Electric's IPv6 Tunnel Broker Forums

Author Topic: DNSSEC for slaves?  (Read 5520 times)

sporkv6

  • Newbie
  • *
  • Posts: 7
DNSSEC for slaves?
« on: March 09, 2017, 05:55:32 PM »

I'm new to DNSSEC with PowerDNS, so I'm possibly fighting two things at once - my ignorance of how PowerDNS compares to BIND in setting things up on my master, and then the possibility that HE.net DNS does not support/transfer all the necessary records.

Can anyone give a solid yes/no on whether *slaving* DNSSEC should work here or not?

I suspect not - when I query my own master for DS records, I get them, and when I query HE, no errors, but also no DS records.  Validated my domain, made sure serials match between master/slave, etc.
Logged

sporkv6

  • Newbie
  • *
  • Posts: 7
Re: DNSSEC for slaves?
« Reply #1 on: March 10, 2017, 09:39:21 AM »

Bump: Anyone?

To simplify, does HE.net's DNS service, when used as a slave/secondary, support DNSSEC?
Logged

broquea

  • Sr. Network Engineer, HE.NET AS6939
  • Administrator
  • Hero Member
  • *****
  • Posts: 1698
Re: DNSSEC for slaves?
« Reply #2 on: March 10, 2017, 10:29:43 AM »

DNSSEC support is not available as of yet.
Logged

primordial

  • Newbie
  • *
  • Posts: 3
Re: DNSSEC for slaves?
« Reply #3 on: May 14, 2017, 01:47:27 PM »

Any chance of getting a status update on this feature?

It's been years that many of us have been waiting patiently. Last discussion in the forum was almost 2 years ago, and the home page still just says "We're looking into this now" which also hasn't changed in years.

Should we give up hope? HE is _awesome_ at being a proponent of IPv6 everywhere, but doesn't seem to have the same fondness for making sure it stays secure and trustworthy.
Logged

snarked

  • Hero Member
  • *****
  • Posts: 728
Re: DNSSEC for slaves?
« Reply #4 on: May 14, 2017, 01:59:13 PM »

It will transfer the DNSSEC records as part of the zone data and store it, but it doesn't serve the data so no signatures go out in response to queries.  Also, there is currently no way to give HE the DS record content (for reverse zones only -- obviously).
Logged
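The behaviour described in the reply above (the zone transfers with its DNSSEC records, but answers go out without signatures) can be checked by asking the primary and the secondary the same question with the DO bit set and comparing the RRSIG counts. This is an added example, not part of the thread and not HE's tooling; the zone `example.com`, the function names and both sample responses are constructed for illustration.

```sh
# Added example. Zone, server names and all record data below are constructed.

# Count RRSIG records in the ANSWER section of `dig` output read from stdin.
count_rrsig() {
    awk '
        /^;; ANSWER SECTION:/      { in_answer = 1; next }
        /^;; / || /^$/             { in_answer = 0 }
        in_answer && $4 == "RRSIG" { n++ }
        END                        { print n + 0 }
    '
}

# Compare the RRSIG counts seen at the primary ($1) and the secondary ($2).
classify() {
    if [ "$1" -eq 0 ]; then echo "primary-unsigned"
    elif [ "$2" -eq 0 ]; then echo "secondary-not-serving-rrsig"
    else echo "both-signed"
    fi
}

# Live query (not run here): DO bit set, no recursion, asked of one server.
live_answer() {  # $1 = server, $2 = zone
    dig +dnssec +norecurse "@$1" "$2" SOA
}

# Constructed response from a signing primary.
sample_primary() {
    cat <<'EOF'
;; ANSWER SECTION:
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2017030901 10800 3600 604800 3600
example.com. 3600 IN RRSIG SOA 13 2 3600 20170323000000 20170302000000 12345 example.com. Q09OU1RSVUNURUQ=

;; AUTHORITY SECTION:
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN RRSIG NS 13 2 3600 20170323000000 20170302000000 12345 example.com. Q09OU1RSVUNURUQ=
EOF
}

# Constructed response from a secondary that holds the zone but answers unsigned.
sample_secondary() {
    cat <<'EOF'
;; ANSWER SECTION:
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2017030901 10800 3600 604800 3600

;; AUTHORITY SECTION:
example.com. 3600 IN NS ns1.example.com.
EOF
}
classify "$(sample_primary | count_rrsig)" "$(sample_secondary | count_rrsig)"
```

Against real servers, pipe `live_answer <server> <zone>` into `count_rrsig` once per server and pass the two counts to `classify`.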

BasicXP

  • Newbie
  • *
  • Posts: 4
Re: DNSSEC for slaves?
« Reply #5 on: August 24, 2017, 10:30:59 AM »

Why won't the servers just return RRSIGs as is? Is there any extra processing required for them?
« Last Edit: August 24, 2017, 10:46:31 AM by BasicXP »
Logged

snarked

  • Hero Member
  • *****
  • Posts: 728
Re: DNSSEC for slaves?
« Reply #6 on: August 25, 2017, 06:42:24 PM »

Serving these records IS extra processing that is not currently supported.
Logged

Jim Whitby

  • Newbie
  • *
  • Posts: 38
  • Jim Whitby
    • My small piece of cyberspace
Re: DNSSEC for slaves?
« Reply #7 on: July 15, 2018, 11:59:38 AM »

Has this policy changed for reverse-ip slaves?
Logged

snarked

  • Hero Member
  • *****
  • Posts: 728
Re: DNSSEC for slaves?
« Reply #8 on: July 22, 2018, 03:09:34 PM »

Not that I have noted.  However, the word from the HE staff is what you need here.  I have personally inserted CSYNC and CDS/CDNSKEY records in all my zones (forward and reverse).  This is a relatively new option that some are working on.  Whether it will be supported here I cannot say.  My domain registrar for my forward zones is working on supporting these record types and their underlying features.
Logged