[dns-operations] PowerDns Recursive Daemon

Doug Barton dougb at dougbarton.us
Sat Sep 2 04:59:17 UTC 2006

On Fri, 1 Sep 2006, bert hubert wrote:

> On Thu, Aug 31, 2006 at 03:24:27PM -0700, Doug Barton wrote:
>> Does it work over IPv4 TCP?
>> Does it handle EDNS queries, and if so how?
> Yes, both just fine.

Glad to hear that about TCP, but I find your statement here in regards to 
EDNS interesting.

>> Does it use EDNS for queries?
> No - the probing required to see if the remote grasps EDNS0 is rather a 
> big slowdown, whereas there are very limited opportunities to benefit from 
> the larger packet size EDNS0 allows.

I can't speak to the first bit, but I think that Roy had some very good 
points to make regarding what's coming down the pipe.

> We do send out larger answers if a client indicates it is able to accept
> them. I've kept a counter on a 300.000 user deployment over a few days and
> it never happened.

I'd be very interested to hear what your testing conditions and methodology 
were. Given the large deployed base of BINDs 8 and 9, I find it hard to 
believe that any authoritative name server exposed to a reasonably 
significant amount of traffic would not get a large number of EDNS aware 
resolvers hitting it. If you're referring to resolving name servers, that's 
a different story, but not relevant to your example.

>> How do you handle the CD bit? Is it capable of doing DNSSEC, and if so, 
>> does it handle the current (bis) revision? What are your development 
>> plans for handling NSEC<blah> when the dust settles?
> Our plans are not to implement DNSSEC until a spec emerges that promises 
> to be workable and balance complexity versus security well enough.

I remember a presentation about PowerDNS at a RIPE DNS WG meeting a while 
ago where this point was discussed, so thanks for confirming that I haven't 
completely lost my mind. :)

> DNSSEC will never be a full solution for data integrity, or even
> confidentiality or exclusivity.

I agree with you there, but I think it's worthwhile to briefly point out 
that DNSSEC is not trying to be any of those things.

> We are fully aware many people need to be able to tick the box that says
> 'DNSSEC', but in real life it is just not worth the effort.

Thank you for articulating your philosophy so succinctly.

>> I assume at this late date that it handles AAAA records, but does it work
>> over IPv6 transport (TCP and UDP, listening and querying)?
> IPv6 is a first class citizen within the PowerDNS recursor, there is no
> difference between how it uses IPv4 and IPv6, both to clients and servers.

Good to know!

>> Of course, if there is documentation for these questions somewhere, feel
>> free to point me to that rather than typing it all up again yourself.
> http://doc.powerdns.com/recursor-details.html
> and
> http://doc.powerdns.com/recursor-design-and-engineering.html
> offer rather exhaustive details of how the recursor works.
> Thanks for your questions!

And thank you for your answers, they were very valuable.


If you're never wrong, you're not trying hard enough.
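To make the EDNS0 point in the exchange concrete (a server may only send answers larger than 512 bytes when the client advertises a bigger UDP buffer in an OPT record), here is an added Python example, not code from PowerDNS or from either poster, that reads the advertised size out of a wire-format query and keeps the kind of counter bert describes. The sample queries are constructed inline; the function and record names are my own.

```python
import struct
from typing import Optional

def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        label_len = msg[off]
        if label_len == 0:
            return off + 1
        if label_len & 0xC0 == 0xC0:          # compression pointer is 2 bytes and ends the name
            return off + 2
        off += 1 + label_len

def edns_udp_size(query: bytes) -> Optional[int]:
    """Return the UDP payload size advertised in the query's OPT RR, or None if no EDNS0."""
    qd, an, ns, ar = struct.unpack("!HHHH", query[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(query, off) + 4       # QTYPE + QCLASS
    for _ in range(an + ns):                  # normally empty in a query, but walk them safely
        off = skip_name(query, off)
        rdlen = struct.unpack("!H", query[off + 8:off + 10])[0]
        off += 10 + rdlen
    for _ in range(ar):
        off = skip_name(query, off)
        rtype, rclass = struct.unpack("!HH", query[off:off + 4])
        rdlen = struct.unpack("!H", query[off + 8:off + 10])[0]
        if rtype == 41:                       # OPT: the CLASS field carries the UDP buffer size
            return rclass
        off += 10 + rdlen
    return None                               # no OPT RR: client is limited to 512-byte answers

def build_query(name: str, udp_size: Optional[int] = None) -> bytes:
    """Constructed sample: a QTYPE A query, optionally carrying an EDNS0 OPT RR."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if udp_size else 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    # OPT RR: root name, TYPE 41, CLASS = UDP size, TTL (extended RCODE/version/flags) 0, RDLEN 0
    opt = struct.pack("!BHHIH", 0, 41, udp_size, 0, 0) if udp_size else b""
    return header + qname + struct.pack("!HH", 1, 1) + opt

def count_edns_clients(queries):
    """The counter described in the thread: (queries advertising EDNS0, total queries)."""
    sizes = [edns_udp_size(q) for q in queries]
    return sum(1 for s in sizes if s is not None), len(sizes)
```

A resolver that never sends OPT (as the recursor is described doing) will see answers over 512 bytes truncated and will have to retry over TCP, which is why the IPv4 TCP question earlier in the thread matters for operators.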
