DNSSEC support?

Started by woosingwoo, October 02, 2010, 10:27:26 AM



1)  DNSSEC:  I note that powerdns indicates it supports all of the current signing algorithms.  I updated my zones to include most of them.  However, although 4 of them "validate," they are not loading.  Is your version of powerdns current (i.e. version 4.0 or better)?  cf.  https://doc.powerdns.com/authoritative/dnssec/profile.html  (indicating which DNSSEC algorithms are supported).  I can only guess it's rejecting the zones due to unknown signature algorithms.  (Dns.he.net should provide more help, like actual log messages, but currently doesn't).  I used algorithms 7, 8, 10, and 12-14.  Algorithms 15 and 16 don't yet seem to be supported by BIND (9.12.1), so I didn't use them.

2)  The only hint at size restrictions listed on dns.he.net is that "zones over 10000 records will be purged."  However, I note that with the additional DNSSEC signatures added to my zones, only the 4 which have less than 1000 records (note:  a factor of 10 less) when signed will "validate" (see the "validate" button at dns.he.net's slave zone page).  The others, which range from about 1,800 to 5,000, don't.  This is less than the 10,000 indicated up front.  Is the limit really one thousand, not ten thousand?  If so, I'll cut back my signatures to algorithm 7 only (so as to fit).


Follow-up:  Cutting back to signing my zones with only algorithm 7 (and NOT 8, 10, 12, 13, and 14) resulted in my zones being servable again.

Looks as if the DNS server software needs an upgrade and/or the zone size needs to be increased to accommodate the additional records that DNSSEC adds to each RRset when multiple signing algorithms are used.
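The two posts above attribute the zone rejections to record count: every extra signing algorithm adds one RRSIG per RRset, so a zone signed with six algorithms carries roughly seven times the records of the unsigned one. The following Python script is an added example, not code from the thread or from dns.he.net; it parses a constructed, already-signed zone fragment, tallies RRSIGs per algorithm number and projects the record count if only one algorithm's signatures were kept, which is the arithmetic a practitioner would run against a real signed zone file before loading it on a secondary with a record limit.

```python
# Added example (not from the thread): tally records in a constructed,
# already-signed zone fragment to see how each extra signing algorithm
# multiplies the record count a secondary has to hold.
from collections import Counter

# Constructed sample: a tiny zone signed with algorithms 7 and 8.
# Signature material after the key tag is a placeholder, not a real signature.
SIGNED_ZONE = """\
; constructed sample, not a real zone
example.test.     3600 IN SOA   ns1.example.test. hostmaster.example.test. 1 7200 3600 1209600 3600
example.test.     3600 IN RRSIG SOA 7 2 3600 20250101000000 20241201000000 1291 example.test. c2lnLTc=
example.test.     3600 IN RRSIG SOA 8 2 3600 20250101000000 20241201000000 4242 example.test. c2lnLTg=
example.test.     3600 IN NS    ns1.example.test.
example.test.     3600 IN RRSIG NS 7 2 3600 20250101000000 20241201000000 1291 example.test. c2lnLTc=
example.test.     3600 IN RRSIG NS 8 2 3600 20250101000000 20241201000000 4242 example.test. c2lnLTg=
www.example.test. 3600 IN A     192.0.2.10
www.example.test. 3600 IN RRSIG A 7 3 3600 20250101000000 20241201000000 1291 example.test. c2lnLTc=
www.example.test. 3600 IN RRSIG A 8 3 3600 20250101000000 20241201000000 4242 example.test. c2lnLTg=
"""


def parse_zone(text):
    """Return (owner, rrtype, algorithm) per record; algorithm is None unless RRSIG.

    Only the one-record-per-line presentation format with an explicit TTL and
    class is handled, which is what a signer such as OpenDNSSEC or dnssec-signzone emits.
    """
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            class_idx = fields.index("IN")
        except ValueError:
            raise ValueError(f"no class field in line: {line!r}")
        rrtype = fields[class_idx + 1]
        alg = None
        if rrtype == "RRSIG":
            # RRSIG RDATA order: type covered, algorithm, labels, original TTL, ...
            alg = int(fields[class_idx + 3])
        records.append((fields[0], rrtype, alg))
    return records


def rrsigs_by_algorithm(records):
    """Count RRSIG records per signing algorithm number."""
    return Counter(alg for _, rrtype, alg in records if rrtype == "RRSIG")


def record_count_keeping(records, algorithms):
    """Record count if only RRSIGs made with the given algorithms were kept."""
    keep = set(algorithms)
    return sum(1 for _, rrtype, alg in records if rrtype != "RRSIG" or alg in keep)


if __name__ == "__main__":
    recs = parse_zone(SIGNED_ZONE)
    print("total records:", len(recs))
    print("RRSIGs per algorithm:", dict(rrsigs_by_algorithm(recs)))
    print("records if only algorithm 7 were kept:", record_count_keeping(recs, {7}))
```

Run against a real signed zone, the per-algorithm counts make it obvious which algorithms to drop to get under a secondary's record limit; NSEC/NSEC3 chains and their signatures add to the total as well, and the counter above reports them like any other record.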


I still hope for DNSSEC support on dns.he.net, using it as master.


I have the exact same question. I've tried phrasing it different ways to support but cannot get a direct answer.

As is I would hesitate to cut over to HE's DNS because I have support for DNSSEC now using PowerDNS. I would be sacrificing security for performance, which is a questionable motive as performance is not particularly awesome but is okay at the time.


I'm desperately looking for DNSSEC support too, using dns.he.net and its web interface as master/primary DNS server.


seems still no support yet :(


Quote from: Gee-Gee on July 02, 2019, 06:38:01 AM
I'm desperately looking for DNSSEC support too, using dns.he.net and its web interface as master/primary DNS server.

As master/primary dns server, it's currently not possible.

DNSSEC support is only available if the dns.he.net servers are slaves.


From what I understood, HE does not support DNSSEC yet, but please correct me if I am wrong.

My question is: My domain registrar supports DNSSEC. HE is my DNS provider. If I understand correctly, I need to obtain DS keys from HE and enter them in my registrar interface. Is this currently possible?


he.net's DNS service has support to function as a secondary DNSSEC DNS server.  It cannot act as a primary DNSSEC DNS server, i.e., he.net's DNS service cannot sign zones.  You have to sign the zones yourself and then transfer the signed zones to he.net's secondary DNS service.

In a nutshell, here's how I do it...

Have a "hidden primary" DNS server, i.e. it is not public.  On that hidden primary DNS server, I run OpenDNSSEC to sign the zones and NSD to act as the transfer agent.

When OpenDNSSEC signs a zone, it triggers a script that loads the newly-signed zone into NSD.  NSD then contacts the secondary server at he.net, and the secondary server initiates a zone transfer of the newly signed zone from NSD to he.net.

Also, in answer to your comment, OpenDNSSEC generates the DS keys, which I then insert into my registrar's interface.

I need to note that the DNSSEC at he.net does not support all DNSSEC records, but it does support all the ones I need.  :)
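The last step of the setup above is taking the DS record the signer produced and entering it at the registrar. What a practitioner wants to check afterwards is that the DS the registrar publishes still matches the KSK DNSKEY that the secondary at he.net is actually serving; a stale DS after a key rollover breaks validation for the whole zone. The script below is an added example, not the poster's code nor anything from OpenDNSSEC or he.net: it derives the DS fields from a DNSKEY by the RFC 4034 rules (key tag from appendix B, digest over the canonical owner name plus DNSKEY RDATA) and compares them against a DS tuple. The owner name example.test and the two-byte key material are constructed placeholders.

```python
# Added example (not from the thread): derive the DS record that belongs at
# the registrar from a zone's KSK DNSKEY (RFC 4034 section 5.1.4 and appendix B)
# and check that a DS published at the registrar still matches that key.
import base64
import hashlib
import struct


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 appendix B (the special case for algorithm 1 is not handled)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


# DS digest types: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def make_ds(owner, flags, protocol, algorithm, public_key_b64, digest_type=2):
    """Return (key_tag, algorithm, digest_type, hex_digest), i.e. the DS RDATA fields."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key_b64)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def ds_matches(owner, dnskey, ds):
    """True if the DS tuple (tag, algorithm, digest type, hex digest) was derived from this DNSKEY."""
    flags, protocol, algorithm, public_key_b64 = dnskey
    expected = make_ds(owner, flags, protocol, algorithm, public_key_b64, ds[2])
    return expected[:3] == tuple(ds[:3]) and expected[3] == ds[3].upper()


# Constructed KSK: flags 257 (ZONE|SEP), protocol 3, algorithm 8, and two bytes
# of placeholder key material (a real RSA public key is far longer).
SAMPLE_OWNER = "example.test."
SAMPLE_DNSKEY = (257, 3, 8, "AQI=")

if __name__ == "__main__":
    tag, alg, dt, digest = make_ds(SAMPLE_OWNER, *SAMPLE_DNSKEY)
    print(f"{SAMPLE_OWNER} IN DS {tag} {alg} {dt} {digest}")
    print("registrar DS matches zone KSK:",
          ds_matches(SAMPLE_OWNER, SAMPLE_DNSKEY, (tag, alg, dt, digest)))
```

To use it on a live zone, feed `make_ds` the flags, protocol, algorithm and base64 key from the DNSKEY the secondary answers with, and feed `ds_matches` the four DS fields as the registrar shows them; a False result after a KSK rollover means the registrar entry was never updated.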


Thank you for the detailed explanation. I am not a very technical person in terms of Web and DNS servers, so my understanding is limited on this topic. What I understood is that I cannot avail myself of DNSSEC with my current setup at HE. I'd need a middleman (a hidden DNS server that acts as primary) that generates the required zones/DS keys using OpenDNSSEC and transfers them to HE (which will be my secondary DNS then).

Is it possible to get a hidden DNS server for free online? Or is it something that one needs to set up at home or subscribe to a paid service for?


I do not know of any service that offers a hidden DNS primary.

I do know that the registrar I use (gkg.net) offers free DNS (including DNSSEC, which is enabled via a single checkbox; gkg.net takes care of all the signing details) for domains that are registered there.  Maybe something like that is more what you need.  I use gkg.net for three of my domains and have been very pleased with them.


Thank you again. I'll check it out.