[dns-operations] PowerDns Recursive Daemon
dougb at dougbarton.us
Sat Sep 2 04:59:17 UTC 2006
On Fri, 1 Sep 2006, bert hubert wrote:
> On Thu, Aug 31, 2006 at 03:24:27PM -0700, Doug Barton wrote:
>> Does it work over IPv4 TCP?
>> Does it handle EDNS queries, and if so how?
> Yes, both just fine.
Glad to hear that about TCP, but I find your statement here in regards to
>> Does it use EDNS for queries?
> No - the probing required to see if the remote grasps EDNS0 is rather a
> big slowdown, whereas there are very limited opportunities to benefit from
> the larger packet size EDNS0 allows.
I can't speak to the first bit, but I think that Roy had some very good
points to make regarding what's coming down the pipe.
> We do send out larger answers if a client indicates it is able to accept
> them. I've kept a counter on a 300.000 user deployment over a few days and
> it never happened.
I'd be very interested to hear what your testing conditions and methodology
were. Given the large deployed base of BINDs 8 and 9, I find it hard to
believe that any authoritative name server exposed to a reasonably
significant amount of traffic would not get a large number of EDNS aware
resolvers hitting it. If you're referring to resolving name servers, that's
a different story, but not relevant to your example.
>> How do you handle the CD bit? Is it capable of doing DNSSEC, and if so,
>> does it handle the current (bis) revision? What are your development
>> plans for handling NSEC<blah> when the dust settles?
> Our plans are not to implement DNSSEC until a spec emerges that promises
> to be workable and balance complexity versus security well enough.
I remember a presentation about PowerDNS at a RIPE DNS WG meeting a while
ago where this point was discussed, so thanks for confirming that I haven't
completely lost my mind. :)
> DNSSEC will never be a full solution for data integrity, or even
> confidentiality or exclusivity.
I agree with you there, but I think it's worthwhile to briefly point out
that DNSSEC is not trying to be any of those things.
> We are fully aware many people need to be able to tick the box that says
> 'DNSSEC', but in real life it is just not worth the effort.
Thank you for articulating your philosophy so succinctly.
>> I assume at this late date that it handles AAAA records, but does it work
>> over IPv6 transport (TCP and UDP, listening and querying)?
> IPv6 is a first class citizen within the PowerDNS recursor, there is no
> difference between how it uses IPv4 and IPv6, both to clients and servers.
Good to know!
>> Of course, if there is documentation for these questions somewhere, feel
>> free to point me to that rather than typing it all up again yourself.
> offer rather exhaustive details of how the recursor works.
> Thanks for your questions!
And thank you for your answers, they were very valuable.
If you're never wrong, you're not trying hard enough.
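
The EDNS0 exchange discussed above turns on whether a query carries an OPT record and what UDP payload size it advertises. The following is an added example, not part of the original message and not PowerDNS code: a wire-format check that reads the advertised size, derives the UDP answer limit, and counts EDNS0-aware queries. The function names and the sample queries from `build_query` are constructed for illustration.

```python
import struct

OPT = 41  # EDNS0 OPT pseudo-RR type (RFC 6891)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while off < len(msg):
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:          # a compression pointer ends the name
            return off + 2
        if n & 0xC0:
            raise ValueError("unsupported label type")
        off += 1 + n
    raise ValueError("truncated name")

def edns_udp_size(msg):
    """UDP payload size advertised in the OPT RR, or None without EDNS0."""
    if len(msg) < 12:
        raise ValueError("short header")
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated record")
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT:
            return rclass              # OPT reuses CLASS for the payload size
        off += 10 + rdlen
    return None

def reply_limit(msg):
    """Largest UDP answer to send: 512 without EDNS0, never below 512 with it."""
    size = edns_udp_size(msg)
    return 512 if size is None else max(512, size)

def build_query(name, udp_size=None):
    """Constructed sample: an A/IN query, with an OPT RR if udp_size is given."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\0"
    head = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0 if udp_size is None else 1)
    opt = b"" if udp_size is None else b"\0" + struct.pack("!HHIH", OPT, udp_size, 0, 0)
    return head + qname + struct.pack("!HH", 1, 1) + opt

def count_edns(queries):
    """How many queries carried an OPT RR (one way to measure EDNS0 uptake)."""
    return sum(edns_udp_size(q) is not None for q in queries)
```
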