Hurricane Electric's IPv6 Tunnel Broker Forums

Advanced search  

News:

Welcome to Hurricane Electric's Tunnelbroker.net forums!

Pages: 1 [2]

Author Topic: DNSSEC support?  (Read 21989 times)

snarked

  • Hero Member
  • *****
  • Posts: 774
Requesting updated information on DNSSEC support and a question about zone size.
« Reply #15 on: June 07, 2018, 03:46:51 PM »
1)  DNSSEC:  I note that powerdns indicates it supports all of the current signing algorithms.  I updated my zones to include most of them.  However, although 4 of them "validate," they are not loading.  Is your version of powerdns current (i.e. version 4.0 or better)?  cf.  https://doc.powerdns.com/authoritative/dnssec/profile.html  (indicating which DNSSEC algorithms are supported).  I can only guess it's rejecting the zones due to unknown signature algorithms.  (Dns.he.net should provide more help, like actual log messages, but currently doesn't).  I used algorithms 7, 8, 10, and 12-14.  Algorithms 15 and 16 don't yet seem to be supported by BIND (9.12.1), so I didn't use them.

2)  The only hint at size restrictions listed on dns.he.net is that "zones over 10000 records will be purged."  However, I note that with the additional DNSSEC signatures added to my zones, only the 4 which have less than 1000 records (note:  a factor of 10 less) when signed will "validate" (see the "validate" button at dns.he.net's slave zone page).  The others, which range from about 1,800 to 5,000, don't.  This is less than the 10,000 indicated up front.  Is the limit really one thousand, not ten thousand?  If so, I'll cut back my signatures to algorithm 7 only (so as to fit).
Logged

snarked

  • Hero Member
  • *****
  • Posts: 774
Re: DNSSEC support?
« Reply #16 on: July 03, 2018, 10:40:28 PM »
Follow-up:  Cutting back to signing my zones with only algorithm 7 (and NOT 8, 10, 12, 13, and 14) resulted in my zones being servable again.

Looks as if the DNS server software needs an upgrade and/or the zone size needs to be increased to accommodate the additional records that DNSSEC adds to each RRset when multiple signing algorithms are used.
Logged

Gee-Gee

  • Newbie
  • *
  • Posts: 2
Re: DNSSEC support?
« Reply #17 on: April 24, 2019, 01:25:02 AM »
I still hope for DNSSEC support on dns.he.net, using it as master.
Logged

hdesk

  • Newbie
  • *
  • Posts: 2
Re: DNSSEC support?
« Reply #18 on: June 07, 2019, 11:40:21 PM »
I have the exact same question. I've tried phrasing it different ways to support but cannot get a direct answer.

As is I would hesitate to cut over to HE's DNS because I have support for DNSSEC now using PowerDNS. I would be sacrificing security for performance, which is a questionable motive as performance is not particularly awesome but is okay at the time.
Logged

Gee-Gee

  • Newbie
  • *
  • Posts: 2
Re: DNSSEC support?
« Reply #19 on: July 02, 2019, 06:38:01 AM »
I'm desparately looking for DNSSEC support too, using dns.he.net and its webinterface as master/primary dns server.
Logged

dersch

  • Newbie
  • *
  • Posts: 1
Re: DNSSEC support?
« Reply #20 on: February 25, 2020, 11:39:57 AM »
seems still no support yet :(
Logged

hucste

  • Newbie
  • *
  • Posts: 3
Re: DNSSEC support?
« Reply #21 on: February 26, 2020, 04:04:26 PM »
Quote from: Gee-Gee on July 02, 2019, 06:38:01 AM
I'm desparately looking for DNSSEC support too, using dns.he.net and its webinterface as master/primary dns server.

As master/primary dns server, it's currently not possible.

DNSSEC support is only if dns he.net are slaves.
Logged
Pages: 1 [2]
« previous next »