[dns-operations] PowerDNS & Most Other non-BIND Software Not Impacted by May 5th Root Servers Event

bert hubert bert.hubert at netherlabs.nl
Fri Apr 30 18:14:27 UTC 2010

Hi everybody,

PowerDNS, and probably other DNS implementations that do not have DNSSEC
support rolled out right now, is currently receiving a lot of questions
about if PowerDNS installs will 'go dark' on May 5th.

Especially since the PowerDNS Recursor does not utilize EDNS by default,
some tools are even flagging PowerDNS installations as problematic post May

To allay such fears, we've communicated the message you'll find below. We
would appreciate it if people would point worried users to either this
posting, or to the http://www.powerdns.com website which contains this
statement too.

In addition, if you wrote a tool that can detect if you will be in trouble
post May 5th, could you perhaps author it such that a resolver that issues
only do=0 queries is never flagged as problematic? 

Finally - I note that the first testing versions of 'PowerDNSSEC' are
available from http://www.powerdnssec.org and
http://wiki.powerdns.com/trac/wiki/PDNSSEC . The 'powerdnssec.org' domain is
actually hosted on PowerDNSSEC, and may not be working at all times - hence
the second URL.


Our statement follows:

PowerDNS Software is unaffected by the "signing of the root" on the 5th of
May 2010.

On May 5th of 2010, the last so called "root servers" will gain DNSSEC
support.  Due to some confusion and slightly unclear communication from the
root operators, fears have been raised that this rollout might impact
PowerDNS installations, since they currently lack DNSSEC support.

We made an initial statement that PowerDNS was not affected on March 19th on
the PowerDNS Users mailing list:

We now wish to further emphasise that NO impact is expected or even possible
on the PowerDNS Recursor and the PowerDNS Authoritative Server, from the
'signing of the root' that finishes on May 5th.

In other words, no action at all is required from PowerDNS users. 

Further details can be found in the message linked above. The short version
is that since PowerDNS does not ask 'DNSSEC OK' questions, the responses it
receive are not altered by the rollout of DNSSEC. 

Some other server implementations send out 'DNSSEC OK' questions by default,
and they might be impacted by large packets, fragmentation, EDNS0 blocking
etc. But not PowerDNS.

PS: we note that PowerDNS with DNSSEC support is now available for early
testing on http://www.powerdnssec.org/ Testing is progressing well, and will
lead to a stable release soon. However, we stress that this version is fully
optional, and not needed because of the signing of the root!

More information about the dns-operations mailing list