1) DNSSEC: I note that powerdns indicates it supports all of the current signing algorithms. I updated my zones to include most of them. However, although 4 of them "validate," they are not loading. Is your version of powerdns current (i.e. version 4.0 or better)? cf.
https://doc.powerdns.com/authoritative/dnssec/profile.html (indicating which DNSSEC algorithms are supported). I can only guess it's rejecting the zones due to unknown signature algorithms. (Dns.he.net should provide more help, like actual log messages, but currently doesn't). I used algorithms 7, 8, 10, and 12-14. Algorithms 15 and 16 don't yet seem to be supported by BIND (9.12.1), so I didn't use them.
2) The only hint at size restrictions listed on dns.he.net is that "zones over 10000 records will be purged." However, I note that with the additional DNSSEC signatures added to my zones, only the 4 which have less than 1000 records (note: a factor of 10 less) when signed will "validate" (see the "validate" button at dns.he.net's slave zone page). The others, which range from about 1,800 to 5,000, don't. This is less than the 10,000 indicated up front. Is the limit really one thousand, not ten thousand? If so, I'll cut back my signatures to algorithm 7 only (so as to fit).
Author
Topic: DNSSEC support? (Read 19167 times)