Bind 9.8 with dlz and dnssec

Evan Hunt each at isc.org
Thu Mar 10 16:05:49 UTC 2011


> Now DLZ supports dynamic updates and theoretically it is possible to make
> such tricks:
> 
> rndc freeze example.com
> put some new records in database
> rndc thaw example.com
> rndc sign example.com
> rndc freeze example.com
> 
> That is zone isn't really dynamic, but it is dynamically loadable and
> signed.  Will it work?

DLZ only supports dynamic updates if you're using a back-end that supports
them.  Right now the only combination that works is the DLZ "dlopen" driver
running the SMB/CIFS module provided in Samba 4, bind_dlz.c.  As far as I
know, that module doesn't understand DNSSEC RRtypes, so I doubt if that
trick would work today.

Even with a back-end module that can manage DNSSEC records, my guess is
that it wouldn't answer queries correctly, because AFAIK DLZ doesn't have
a mechanism for finding the closest previous name, and that's necessary
for returning a signed NXDOMAIN response.  (This problem would also apply
if you used dnssec-signzone and loaded the signed data into the database
directly.)

Incidentally, we've been expanding DLZ support further.  In 9.8.1, the
dlopen driver will be part of the default build on unix/linux platforms, no
longer requiring a configure option, so you can use the Samba module (or
other modules yet to be written) with a stock BIND 9 build.  In 9.9.0,
we'll be adding support for the dlopen driver on Windows as well.  I plan
to convert the other DLZ drivers (mysql, postgresql, ldap, etc) to back-end
modules for the dlopen driver at that time as well.  I'm not expecting to
make them support dynamic updates yet, and hadn't even given any thought
to the problem of supporting DNSSEC, but we can add those features to the
roadmap as well if there's user demand.

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
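To make the "closest previous name" point concrete, here is an added example (not code from the thread, from ISC, or from any DLZ driver) of the lookup a DNSSEC-aware back-end would have to answer before it could return a signed NXDOMAIN: sort the zone's names in RFC 4034 canonical order, build the NSEC chain, and for a non-existent query name find the NSEC record whose owner is the closest previous name. A back-end that only supports exact-name lookups, which is all a typical DLZ driver offers, cannot answer this question. The zone contents are constructed sample data and the function names are my own.

```python
"""Added example: canonical DNS ordering and the covering-NSEC lookup that a
signed NXDOMAIN response requires. Zone names below are constructed samples."""


def canonical_key(name: str) -> tuple:
    """Sort key implementing RFC 4034 section 6.1 canonical name ordering:
    labels are compared right to left (TLD first) as lowercase octet strings,
    and a name that is a prefix of another sorts first."""
    labels = name.rstrip(".").lower().split(".")
    return tuple(label.encode("ascii") for label in reversed(labels))


def nsec_chain(names):
    """Build the NSEC chain of a zone as (owner, next_owner) pairs.
    The last name in canonical order wraps around to the apex."""
    ordered = sorted(set(n.rstrip(".").lower() for n in names), key=canonical_key)
    return [(ordered[i], ordered[(i + 1) % len(ordered)]) for i in range(len(ordered))]


def covering_nsec(qname: str, chain):
    """Return the (owner, next) NSEC pair that proves qname does not exist,
    i.e. the one whose owner is the closest previous name of qname.
    Returns None when qname exists in the zone (no NXDOMAIN proof needed)."""
    q = canonical_key(qname)
    for owner, nxt in chain:
        ok, nk = canonical_key(owner), canonical_key(nxt)
        if ok == q:
            return None
        # Normal case: owner < qname < next.
        # Wrap case: the last NSEC points back to the apex, so next <= owner,
        # and it covers everything after the owner (and before the apex).
        if ok < q < nk or (nk <= ok and (q > ok or q < nk)):
            return (owner, nxt)
    return None


# Constructed sample zone: the names that would carry NSEC records.
SAMPLE_ZONE = [
    "example.com.",
    "www.example.com.",
    "mail.example.com.",
    "a.example.com.",
    "sub.example.com.",
    "x.sub.example.com.",
]


def demo():
    chain = nsec_chain(SAMPLE_ZONE)
    return {
        "chain": chain,
        "b.example.com": covering_nsec("b.example.com", chain),
        "zzz.example.com": covering_nsec("zzz.example.com", chain),
        "y.sub.example.com": covering_nsec("y.sub.example.com", chain),
        "MAIL.example.com.": covering_nsec("MAIL.example.com.", chain),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

Note that the canonical order is not plain string order: `x.sub.example.com` sorts between `sub.example.com` and `www.example.com`, so a query for `y.sub.example.com` must be proven absent by the NSEC owned by `x.sub.example.com`, not by the one owned by `sub.example.com`. That is exactly the kind of ordered predecessor query an exact-match database back-end has no way to perform.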
