Hurricane Electric's IPv6 Tunnel Broker Forums

Pages: 1 [2]

Author Topic: DNSSEC support?  (Read 11335 times)

snarked

  • Hero Member
  • *****
  • Posts: 722

1)  DNSSEC:  I note that powerdns indicates it supports all of the current signing algorithms.  I updated my zones to include most of them.  However, although 4 of them "validate," they are not loading.  Is your version of powerdns current (i.e. version 4.0 or better)?  cf.  https://doc.powerdns.com/authoritative/dnssec/profile.html  (indicating which DNSSEC algorithms are supported).  I can only guess it's rejecting the zones due to unknown signature algorithms.  (Dns.he.net should provide more help, like actual log messages, but currently doesn't).  I used algorithms 7, 8, 10, and 12-14.  Algorithms 15 and 16 don't yet seem to be supported by BIND (9.12.1), so I didn't use them.

2)  The only hint at size restrictions listed on dns.he.net is that "zones over 10000 records will be purged."  However, I note that with the additional DNSSEC signatures added to my zones, only the 4 which have less than 1000 records (note:  a factor of 10 less) when signed will "validate" (see the "validate" button at dns.he.net's slave zone page).  The others, which range from about 1,800 to 5,000, don't.  This is less than the 10,000 indicated up front.  Is the limit really one thousand, not ten thousand?  If so, I'll cut back my signatures to algorithm 7 only (so as to fit).

snarked

  • Hero Member
  • *****
  • Posts: 722
Re: DNSSEC support?
« Reply #16 on: July 03, 2018, 10:40:28 PM »

Follow-up:  Cutting back to signing my zones with only algorithm 7 (and NOT 8, 10, 12, 13, and 14) resulted in my zones being servable again.

Looks as if the DNS server software needs an upgrade and/or the zone size needs to be increased to accommodate the additional records that DNSSEC adds to each RRset when multiple signing algorithms are used.
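The two posts above turn on the same point: every signing algorithm adds another RRSIG to every RRset, so a zone signed with six algorithms carries several times the record count of the unsigned zone, and a slave provider's record limit applies to the signed count. The following is an added example, not code from the thread or from dns.he.net, that estimates the signed record count of a zone and checks it against a limit. It assumes a simplified signing model (one RRSIG per RRset per algorithm, an NSEC chain with one NSEC per owner name, one KSK and one ZSK per algorithm, no NSEC3) and uses a small constructed zone; real counts differ with NSEC3, key layout and signer settings, and the example says nothing about what dns.he.net's "validate" button actually checks.

```python
"""Estimate how large a DNSSEC-signed zone becomes, in resource records,
and check it against a provider's record limit.

Added example with a deliberately simplified model (assumption):
  - one RRSIG per RRset per signing algorithm
  - NSEC (not NSEC3): one NSEC per owner name, each itself an RRset
  - one KSK and one ZSK per algorithm in a single apex DNSKEY RRset
"""

# Constructed sample zone (not from the thread): one record per line,
# optional TTL before the class, ';' comments allowed.
ZONE_UNSIGNED = """\
example.net.        IN SOA  ns1.example.net. hostmaster.example.net. 1 7200 3600 1209600 3600
example.net.        IN NS   ns1.example.net.
example.net.        IN NS   ns2.example.net.
example.net.        IN MX   10 mail.example.net.
ns1.example.net.    IN A    192.0.2.1
ns2.example.net.    IN A    192.0.2.2
mail.example.net.   IN A    192.0.2.10
mail.example.net.   IN AAAA 2001:db8::10
www.example.net.    IN A    192.0.2.20
www.example.net.    IN AAAA 2001:db8::20
"""


def parse_zone(zone_text):
    """Return a list of (owner, rrtype) pairs from a simple zone text.

    Minimal parser for the constructed sample: it locates the 'IN' class
    token and takes the following token as the type. It is not a full
    RFC 1035 master-file parser (no $ORIGIN, no parentheses, no relative names).
    """
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if "IN" not in tokens:
            raise ValueError(f"no class field in line: {raw!r}")
        owner = tokens[0].lower()
        rrtype = tokens[tokens.index("IN") + 1].upper()
        records.append((owner, rrtype))
    return records


def estimate_signed_size(zone_text, algorithms):
    """Break down the record count of the zone once signed with `algorithms`.

    `algorithms` is an iterable of DNSSEC algorithm numbers (e.g. [7, 8]).
    Duplicates are ignored; an empty list means the zone stays unsigned.
    """
    records = parse_zone(zone_text)
    rrsets = set(records)                     # distinct (owner, type) pairs
    owners = {owner for owner, _ in records}  # distinct owner names
    n_alg = len(set(algorithms))
    unsigned = len(records)

    if n_alg == 0:
        return {"unsigned": unsigned, "rrsets": len(rrsets), "owners": len(owners),
                "dnskey": 0, "nsec": 0, "rrsig": 0, "signed": unsigned}

    dnskey = 2 * n_alg          # one KSK + one ZSK per algorithm (assumption)
    nsec = len(owners)          # one NSEC per owner name
    # RRsets that need a signature: the originals, the apex DNSKEY RRset,
    # and every NSEC RRset. Each gets one RRSIG per algorithm.
    signed_rrsets = len(rrsets) + 1 + nsec
    rrsig = n_alg * signed_rrsets

    return {
        "unsigned": unsigned,
        "rrsets": len(rrsets),
        "owners": len(owners),
        "dnskey": dnskey,
        "nsec": nsec,
        "rrsig": rrsig,
        "signed": unsigned + dnskey + nsec + rrsig,
    }


def fits_limit(zone_text, algorithms, limit=10000):
    """True if the estimated signed record count stays within `limit`."""
    return estimate_signed_size(zone_text, algorithms)["signed"] <= limit


if __name__ == "__main__":
    for algs in ([7], [7, 8, 10, 12, 13, 14]):
        est = estimate_signed_size(ZONE_UNSIGNED, algs)
        print(f"algorithms {algs}: {est['unsigned']} unsigned -> "
              f"{est['signed']} signed ({est['rrsig']} RRSIG, "
              f"{est['nsec']} NSEC, {est['dnskey']} DNSKEY), "
              f"within 10000: {fits_limit(ZONE_UNSIGNED, algs)}")
```

Run against a dump of your own unsigned zone to see how far the signed count moves when you add or drop algorithms; for the ten-record sample, one algorithm yields 32 records and six yield 117, which is the growth the second post describes.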