[dns-operations] only once - powerdns dnssec ready for testing

bert hubert bert.hubert at netherlabs.nl
Tue Jan 11 12:06:38 UTC 2011

Hi everybody,

I'll do this only once, but given the current momentum around DNSSEC, I
think a single announcement is warranted.  Another excuse is that
'different' DNSSEC implementations are bound to cause operational effects. 
We've already confused several 'DNSSEC domain test sites', as a case in
point.  We try not to, though.

A version of this message with many clickable links is on

With the help of many of you, we've now brought 'PowerDNSSEC' to the point
where it is in light production. Several of our important domains have
already been migrated to the PowerDNS Authoritative Server 3.0 prereleases. 
Several PowerDNS users have done the same with their domains (please let us

We are pleased to announce the regular availability of documentation,
packages and tarballs for testing.  On
http://powerdnssec.org/downloads/packages you will find RPM/DEB for 32-bit
and 64-bit Linux.  On http://powerdnssec.org/downloads you will find
tarballs which can be compiled on other systems.

For more information head over to http://www.powerdnssec.org (which of
course is powered by PowerDNSSEC).  

Documentation is on http://doc.powerdns.com/powerdnssec-auth.html

Even more information is on http://wiki.powerdns.com/trac/wiki/PDNSSEC -
including how to get started, and how to get help.

In brief, PowerDNSSEC will allow you to continue operating as normal in many
cases, with only slight changes to your installation. There is no need to
run signing tools, nor is there a need to rotate keys or run scripts.

Particularly, if you run with Generic MySQL, Generic PostgreSQL or Generic
SQLite3, you should have an easy time. A small schema update is required,
plus an invocation of 'pdnssec secure-zone domain-name ; pdnssec
rectify-zone domain-name' per domain you want to secure. And that should be

Supported are:
	* NSEC3 in ordered mode (pre-hashed records)
	* NSEC3 in narrow mode (unmodified records)
	* Zone transfers (for NSEC)
	* Import of 'standard' private keys from BIND/NSD
	* Export of 'standard' private keys
	* RSASHA256
	* "Pure" PostgreSQL, SQLite3 & MySQL operations
	* Hybrid BIND/PostgreSQL/SQLite3/MySQL operation
	* Front-signing slaved data from legacy installations

See http://doc.powerdns.com/dnssec-supported.html for more specifications.

To join the fun, download the tarball and packages which can be found on the
sites above, and let us know how it works for you!

To clarify, we do not recommend taking the current code snapshot into
heavy production, but we are getting close.

Kind regards,
