[dns-operations] PowerDns Recursive Daemon

bert hubert bert.hubert at netherlabs.nl
Thu Aug 31 22:42:00 UTC 2006


On Thu, Aug 31, 2006 at 03:24:27PM -0700, Doug Barton wrote:

> Does it work over IPv4 TCP?
> Does it handle EDNS queries, and if so how?

Yes, both just fine. 

> Does it use EDNS for queries?

No - the probing required to see if the remote grasps EDNS0 is rather a big
slowdown, whereas there are very limited opportunities to benefit from the
larger packet size EDNS0 allows. I've asked around a bit and it appears larger
UDP packet sizes are not considered a big gain - if they work at all!

We do send out larger answers if a client indicates it is able to accept
them. I've kept a counter on a 300.000 user deployment over a few days and
it never happened.

> How do you handle the CD bit?
> Is it capable of doing DNSSEC, and if so, does it handle the current (bis)
> revision?
> What are your development plans for handling NSEC<blah> when the dust settles?

Our plans are not to implement DNSSEC until a spec emerges that promises to
be workable and balance complexity versus security well enough. The current
specifications are deemed by us to be overly complex, unfinished and
practically unworkable.

I actually read almost all the DNSSEC traffic on the relevant mailing lists,
and I sincerely fear the whole protocol is going nowhere. Issues are being
found at a rate that far exceeds the speeds at which they can be resolved.

DNSSEC will never be a full solution for data integrity, or even
confidentiality or exclusivity. As such, its limited benefits justify only
limited complexity. We also don't do 'ARPSEC'.

We are fully aware many people need to be able to tick the box that says
'DNSSEC', but in real life it is just not worth the effort.

We'd love to work on "pretty secure DNS" though, something that would be
simple yet easily many orders of magnitude harder to subvert.

http://www.ietf.org/internet-drafts/draft-hubert-dns-anti-spoofing-00.txt is
a start.

> I assume at this late date that it handles AAAA records, but does it work
> over IPv6 transport (TCP and UDP, listening and querying)?

IPv6 is a first class citizen within the PowerDNS recursor, there is no
difference between how it uses IPv4 and IPv6, both to clients and servers.

> Of course, if there is documentation for these questions somewhere, feel
> free to point me to that rather than typing it all up again yourself.

http://doc.powerdns.com/recursor-details.html
and
http://doc.powerdns.com/recursor-design-and-engineering.html

offer rather exhaustive details of how the recursor works.

Thanks for your questions!

	Bert

-- 
http://www.PowerDNS.com      Open source, database driven DNS Software 
http://netherlabs.nl              Open and Closed source services
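The "client indicates it is able to accept them" signal Bert mentions is the EDNS0 OPT pseudo-record: its CLASS field carries the UDP payload size the client can receive, and the high bit of its "TTL" field is the DNSSEC OK (DO) flag; the CD bit Doug asks about sits in the message header. The following is an added, stdlib-only Python example (not code from this thread or from PowerDNS) that builds a query with and without an OPT record, parses the wire format back, and derives the reply size a responder may use. Names and sample values are constructed for illustration.

```python
"""Minimal DNS wire-format encoder/parser showing how a client advertises
EDNS0 support (OPT RR, RFC 2671/6891) and sets the CD header bit.
Standard library only; nothing is sent over the network."""
import random
import struct

OPT_TYPE = 41                                    # EDNS0 OPT pseudo-RR type
FLAG_RD, FLAG_TC, FLAG_AD, FLAG_CD = 0x0100, 0x0200, 0x0020, 0x0010
EDNS_DO = 0x8000                                 # DO bit in the OPT "TTL" field


def encode_name(name):
    """Encode a dotted name as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            if len(label) > 63:
                raise ValueError("label too long: %r" % label)
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=1, udp_payload=None, do=False, cd=False, qid=None):
    """Build a DNS query; udp_payload != None adds an OPT RR in the additional section."""
    qid = random.randrange(65536) if qid is None else qid
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    arcount = 1 if udp_payload else 0
    msg = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS=IN
    if udp_payload:
        # OPT RR: NAME=root, TYPE=41, CLASS=advertised UDP payload size,
        # TTL=ext-RCODE|version|DO-flag, RDLENGTH=0 (no EDNS options)
        ttl = EDNS_DO if do else 0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload, ttl, 0)
    return msg


def _read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln == 0:
            off += 1
            break
        if ln & 0xC0 == 0xC0:                    # compression pointer
            if end is None:
                end = off + 2                    # name ends after first pointer
            off = ((ln & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln
    return ".".join(labels) + ".", (off if end is None else end)


def parse_message(msg):
    """Parse header, questions and all RRs; extract EDNS0 parameters if present."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, edns = 12, [], None
    for _ in range(qd):
        name, off = _read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an + ns + ar):
        _, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen                        # skip RDATA
        if rtype == OPT_TYPE:
            if edns is not None:
                raise ValueError("more than one OPT RR (FORMERR)")
            edns = {"udp_payload": rclass, "version": (ttl >> 16) & 0xFF,
                    "do": bool(ttl & EDNS_DO), "ext_rcode": ttl >> 24}
    return {"id": qid, "rd": bool(flags & FLAG_RD), "tc": bool(flags & FLAG_TC),
            "cd": bool(flags & FLAG_CD), "ad": bool(flags & FLAG_AD),
            "questions": questions, "edns": edns}


def max_udp_answer_size(query):
    """Largest UDP reply a responder may send: the client's advertised EDNS0
    payload size, or the classic 512-byte limit when no OPT RR is present."""
    info = parse_message(query)
    return info["edns"]["udp_payload"] if info["edns"] else 512


if __name__ == "__main__":
    q = build_query("www.example.net.", udp_payload=4096, do=True, cd=True, qid=0x1234)
    print(parse_message(q))                      # shows cd=True, edns udp_payload=4096
    print(max_udp_answer_size(build_query("example.net")))   # 512, no OPT RR
```

A responder that wants the counter Bert describes only has to check `parse_message(q)["edns"]` on incoming queries; `max_udp_answer_size` is the value it would compare against the size of the answer it is about to send, falling back to setting TC and expecting a TCP retry when the answer does not fit.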
