BIND 9.7.1 + DLZ + DNSSEC: Possible?
Evan Hunt
each at isc.org
Wed Sep 15 03:06:48 UTC 2010
>
> My name is Kevin and I'm working with the Argentina ccTLD team to upgrade
> our local NS systems and our goal is to load the .ar, .com.ar and
> subsequent zones using DLZ. Our other task was to deploy DNSSEC here and
> start signing our TLDs, but according to the e-mails I've read (dated
> 2006 mostly) it's not very clear if it's already been possible (it's been
> 4 years since those e-mails were written).
As far as I know, DLZ has not yet been taught to understand DNSSEC.
I haven't confirmed this personally, but I'll hazard a guess based on
what I've seen of the code. DLZ might be able to provide normal answers
and RRSIGs when the name exists, but for NXDOMAIN and NOERROR/NODATA
answers, I wouldn't expect it to provide NSEC records correctly in all
cases, and I'm sure it would fail with NSEC3.
If you're planning to use this for a hidden zone master or some such,
where it would only be answering AXFRs, I think it could probably do
that.
Incidentally, BIND 10 can serve authoritative data from a database
back-end; it currently supports SQLite3 and we're planning to add a MySQL
data source driver. But it won't be ready for production use for
another year or so.
--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
More information about the bind-users
mailing list