Hurricane Electric's IPv6 Tunnel Broker Forums

Pages: 1 [2]

Author Topic: DNSSEC support?  (Read 19507 times)

snarked

  • Hero Member
  • *****
  • Posts: 766

1)  DNSSEC:  I note that PowerDNS indicates it supports all of the current signing algorithms.  I updated my zones to include most of them.  However, although 4 of them "validate," they are not loading.  Is your version of PowerDNS current (i.e. version 4.0 or better)?  cf.  https://doc.powerdns.com/authoritative/dnssec/profile.html  (indicating which DNSSEC algorithms are supported).  I can only guess it's rejecting the zones due to unknown signature algorithms.  (Dns.he.net should provide more help, like actual log messages, but currently doesn't).  I used algorithms 7, 8, 10, and 12-14.  Algorithms 15 and 16 don't yet seem to be supported by BIND (9.12.1), so I didn't use them.

2)  The only hint at size restrictions listed on dns.he.net is that "zones over 10000 records will be purged."  However, I note that with the additional DNSSEC signatures added to my zones, only the 4 which have less than 1000 records (note:  a factor of 10 less) when signed will "validate" (see the "validate" button at dns.he.net's slave zone page).  The others, which range from about 1,800 to 5,000, don't.  This is less than the 10,000 indicated up front.  Is the limit really one thousand, not ten thousand?  If so, I'll cut back my signatures to algorithm 7 only (so as to fit).
Logged

snarked

  • Hero Member
  • *****
  • Posts: 766
Re: DNSSEC support?
« Reply #16 on: July 03, 2018, 10:40:28 PM »

Follow-up:  Cutting back to signing my zones with only algorithm 7 (and NOT 8, 10, 12, 13, and 14) resulted in my zones being servable again.

Looks as if the DNS server software needs an upgrade and/or the zone size needs to be increased to accommodate the additional records that DNSSEC adds to each RRset when multiple signing algorithms are used.
Logged
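
Added example (not written by any poster in this thread, and not dns.he.net or PowerDNS code): a way to measure what the two posts above describe, by counting the records in a signed zone, attributing RRSIG and DNSKEY records to their algorithm numbers, and projecting the count if only some algorithms were kept. The function names and the sample zone are constructed for illustration; the parser assumes master-file text with numeric TTLs and no `;` or parentheses inside quoted strings.

```python
from collections import Counter

SAMPLE_ZONE = """; Constructed sample: signature and key data shortened, NSEC3 chain omitted.
$TTL 3600
example.test.   IN SOA ns1.example.test. admin.example.test. (
                2018070301 7200 3600 1209600 3600 ) ; multi-line record
        IN RRSIG SOA 7 2 3600 20180801000000 20180701000000 1111 example.test. AAAA
        IN RRSIG SOA 13 2 3600 20180801000000 20180701000000 2222 example.test. BBBB
        IN DNSKEY 257 3 7 AAAA
        IN DNSKEY 257 3 13 BBBB
        IN RRSIG DNSKEY 7 2 3600 20180801000000 20180701000000 1111 example.test. AAAA
        IN RRSIG DNSKEY 13 2 3600 20180801000000 20180701000000 2222 example.test. BBBB
www     300 IN A 192.0.2.10
        300 IN RRSIG A 7 3 300 20180801000000 20180701000000 1111 example.test. AAAA
        300 IN RRSIG A 13 3 300 20180801000000 20180701000000 2222 example.test. BBBB
"""
ALG_FIELD = {"RRSIG": 2, "DNSKEY": 3}  # index of the algorithm number after the type

def logical_records(text):
    """Yield one string per record: drop comments/directives, join ( ... ) continuations."""
    buf, depth = "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # assumes no ';' inside quoted strings
        if not line.strip() or line.startswith("$"):
            continue
        depth += line.count("(") - line.count(")")
        buf += line.replace("(", " ").replace(")", " ") + " "
        if depth == 0:
            yield buf
            buf = ""

def summarize(text):
    """Return (total records, Counter of RRSIG+DNSKEY records per algorithm number)."""
    total, per_alg = 0, Counter()
    for rec in logical_records(text):
        tok = rec.split()[0 if rec[0].isspace() else 1:]   # drop owner name if present
        while tok and (tok[0].isdigit() or tok[0].upper() == "IN"):
            tok = tok[1:]                                  # skip TTL and class
        if not tok:
            continue
        total += 1
        idx = ALG_FIELD.get(tok[0].upper())
        if idx:
            per_alg[int(tok[idx])] += 1
    return total, per_alg

def projected_total(text, keep):
    """Record count if the zone carried keys and signatures only for algorithms in keep."""
    total, per_alg = summarize(text)
    return total - sum(n for alg, n in per_alg.items() if alg not in keep)
```

On the sample, `summarize(SAMPLE_ZONE)` reports 10 records with 4 each attributable to algorithms 7 and 13, and `projected_total(SAMPLE_ZONE, {7})` gives 6; the same comparison on a real signed zone shows how close each algorithm set comes to the record limit in question.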

Gee-Gee

  • Newbie
  • *
  • Posts: 2
Re: DNSSEC support?
« Reply #17 on: April 24, 2019, 01:25:02 AM »

I still hope for DNSSEC support on dns.he.net, using it as master.
Logged

hdesk

  • Newbie
  • *
  • Posts: 2
Re: DNSSEC support?
« Reply #18 on: June 07, 2019, 11:40:21 PM »

I have the exact same question. I've tried phrasing it different ways to support but cannot get a direct answer.

As is, I would hesitate to cut over to HE's DNS because I have support for DNSSEC now using PowerDNS. I would be sacrificing security for performance, which is a questionable motive as performance is not particularly awesome but is okay at the time.
Logged

Gee-Gee

  • Newbie
  • *
  • Posts: 2
Re: DNSSEC support?
« Reply #19 on: July 02, 2019, 06:38:01 AM »

I'm desperately looking for DNSSEC support too, using dns.he.net and its web interface as master/primary DNS server.
Logged