Bind 9.8 with dlz and dnssec
Dan
dan at sunsaturn.com
Thu Mar 10 17:54:23 UTC 2011
Evan you looked into why a master in 9.8 will not respond as authoritative
for a dlz+mysql zone even though dig axfr zone from slave works....
Dan.
On Thu, 10 Mar 2011, Evan Hunt wrote:
>> Now DLZ supports dynamic updates and theoretically it is possible to make
>> such tricks:
>>
>> rndc freeze example.com
>> put some new records in database
>> rndc thaw example.com
>> rndc sign example.com
>> rndc freeze example.com
>>
>> That is, the zone isn't really dynamic, but it is dynamically loadable and
>> signed. Will it work?
>
> DLZ only supports dynamic updates if you're using a back-end that supports
> them. Right now the only combination that works is the DLZ "dlopen" driver
> running the SMB/CIFS module provided in Samba 4, bind_dlz.c. As far as I
> know, that module doesn't understand DNSSEC RRtypes, so I doubt if that
> trick would work today.
>
> Even with a back-end module that can manage DNSSEC records, my guess is
> that it wouldn't answer queries correctly, because AFAIK DLZ doesn't have
> a mechanism for finding the closest previous name, and that's necessary
> for returning a signed NXDOMAIN response. (This problem would also apply
> if you used dnssec-signzone and loaded the signed data into the database
> directly.)
>
> Incidentally, we've been expanding DLZ support further. In 9.8.1, the
> dlopen driver will be part of the default build on unix/linux platforms, no
> longer requiring a configure option, so you can use the Samba module (or
> other modules yet to be written) with a stock BIND 9 build. In 9.9.0,
> we'll be adding support for the dlopen driver on Windows as well. I plan
> to convert the other DLZ drivers (mysql, postgresql, ldap, etc) to back-end
> modules for the dlopen driver at that time as well. I'm not expecting to
> make them support dynamic updates yet, and hadn't even given any thought to
> the problem of supporting DNSSEC, but we can add those features to the
> roadmap as well if there's user demand.
>
> --
> Evan Hunt -- each at isc.org
> Internet Systems Consortium, Inc.
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
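The closest-previous-name lookup that the quoted reply says a signed NXDOMAIN needs, as an added example that is not part of the original thread and is not BIND or DLZ code. The zone contents, class and function names are constructed for illustration, and escaped dots inside labels are assumed not to occur.

```python
from bisect import bisect_right

# Constructed sample zone: owner names as a database back-end might store them.
ORIGIN = "example.com."
OWNERS = ["www.example.com.", "a.example.com.", "mail.example.com.",
          "z.a.example.com."]

def canonical_key(name):
    """RFC 4034 section 6.1 ordering key: lowercase labels, rightmost first."""
    labels = name.rstrip(".").lower().split(".")
    return [label.encode("ascii") for label in reversed(labels)]

class SortedZone:
    """Owner names held in canonical order, the order an NSEC chain follows."""

    def __init__(self, origin, owners):
        self.owners = sorted(set(owners) | {origin}, key=canonical_key)
        self.keys = [canonical_key(n) for n in self.owners]

    def exact(self, qname):
        # Exact-match lookup: the kind of question a keyed back-end answers.
        return canonical_key(qname) in self.keys

    def closest_previous(self, qname):
        """Last existing owner name sorting at or before qname."""
        i = bisect_right(self.keys, canonical_key(qname))
        return self.owners[i - 1]  # origin sorts first, so i >= 1 in-zone

    def covering_nsec(self, qname):
        """(owner, next) of the NSEC record proving qname does not exist."""
        if self.exact(qname):
            return None  # the name exists, there is nothing to deny
        i = bisect_right(self.keys, canonical_key(qname))
        # The chain wraps: the last owner's NSEC points back to the origin.
        return self.owners[i - 1], self.owners[i % len(self.owners)]

if __name__ == "__main__":
    zone = SortedZone(ORIGIN, OWNERS)
    for q in ("ftp.example.com.", "zzz.example.com.", "WWW.example.com."):
        print(q, zone.exact(q), zone.covering_nsec(q))
```

An exact-match miss on ftp.example.com. says only that the name is absent; the signed denial additionally needs the ordered neighbour z.a.example.com., which a plain string sort of the same names would not produce.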