Bind 9.8 with dlz and dnssec

Peter Andreev andreev.peter at gmail.com
Thu Mar 10 18:10:22 UTC 2011


2011/3/10 Evan Hunt <each at isc.org>
>
> > Now DLZ supports dynamic updates, and theoretically it is possible to do
> > tricks such as:
> >
> > rndc freeze example.com
> > put some new records in database
> > rndc thaw example.com
> > rndc sign example.com
> > rndc freeze example.com
> >
> > That is, the zone isn't really dynamic, but it is dynamically loadable and
> > signed.  Will it work?
>
> DLZ only supports dynamic updates if you're using a back-end that supports
> them.  Right now the only combination that works is the DLZ "dlopen" driver
> running the SMB/CIFS module provided in Samba 4, bind_dlz.c.  As far as I
> know, that module doesn't understand DNSSEC RRtypes, so I doubt if that
> trick would work today.
>
> Even with a back-end module that can manage DNSSEC records, my guess is
> that it wouldn't answer queries correctly, because AFAIK DLZ doesn't have
> a mechanism for finding the closest previous name, and that's necessary
> for returning a signed NXDOMAIN response.  (This problem would also apply
> if you used dnssec-signzone and loaded the signed data into the database
> directly.)
>
> Incidentally, we've been expanding DLZ support further.  In 9.8.1, the
> dlopen driver will be part of the default build on unix/linux platforms, no
> longer requiring a configure option, so you can use the Samba module (or
> other modules yet to be written) with a stock BIND 9 build.  In 9.9.0,
> we'll be adding support for the dlopen driver on Windows as well.  I plan
> to convert the other DLZ drivers (mysql, postgresql, ldap, etc) to back-end
> modules for the dlopen driver at that time as well.  I'm not expecting to
> make them support dynamic updates yet, and hadn't even given any thought
> to the problem of supporting DNSSEC, but we can add those features to the
> roadmap as well if there's user demand.
>
> --
> Evan Hunt -- each at isc.org
> Internet Systems Consortium, Inc.

Thank you, Evan

I'd like to add my vote for DNSSEC in DLZ to Christian's one :)


--
AP
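Evan's point about the "closest previous name" is the crux of why an exact-match back end cannot serve a signed zone, so here is an added worked example of what that lookup involves. This is illustrative code written for this thread, not BIND, DLZ or Samba code; the zone owner names and query names are constructed (the mixed-case names follow the ordering example in RFC 4034 section 6.1), and it assumes plain ASCII names in presentation format. It contrasts the keyed lookup a DLZ driver typically provides with the ordered walk needed to pick the NSEC record that covers a non-existent name.

```python
"""
Added example (not BIND/DLZ/Samba code): finding the NSEC that proves NXDOMAIN.

A signed negative answer must return the NSEC whose owner is the closest
previous name in canonical order (RFC 4034 s6.1), with qname falling
strictly between that owner and its "next" field. A back end that can only
answer "give me the records for exactly this name" cannot compute that.
"""
from bisect import bisect_left
from typing import List, Optional, Tuple

# Constructed owner names for a hypothetical zone, listed here in canonical
# order. Case and labels follow the RFC 4034 s6.1 ordering example.
ZONE_OWNERS = [
    "example.com.",
    "a.example.com.",
    "yljkjljk.a.example.com.",
    "Z.a.example.com.",
    "zABC.a.EXAMPLE.com.",
    "z.example.com.",
    "mail.z.example.com.",
]


def canonical_key(name: str) -> Tuple[bytes, ...]:
    """Sort key implementing RFC 4034 s6.1 canonical DNS name order.

    Labels are compared from the root downward (rightmost label first),
    uppercase US-ASCII is folded to lowercase, and a name sorts before any
    name it is a proper prefix of. Python tuple/bytes comparison gives
    exactly those rules. Assumes ASCII, unescaped presentation-format names.
    """
    name = name.rstrip(".")
    if not name:
        return ()
    return tuple(label.encode("ascii").lower() for label in reversed(name.split(".")))


def build_nsec_chain(owners: List[str]) -> List[Tuple[str, str]]:
    """Return the NSEC chain as (owner, next_owner) pairs in canonical order.

    The last owner's NSEC points back to the apex, closing the loop.
    """
    ordered = sorted(owners, key=canonical_key)
    return [(ordered[i], ordered[(i + 1) % len(ordered)]) for i in range(len(ordered))]


def exact_lookup(owners: List[str], qname: str) -> Optional[str]:
    """What a name-keyed back end (a typical DLZ lookup) can do: exact match only.

    Returns the stored owner name on a case-insensitive match, else None.
    On NXDOMAIN this yields nothing usable for a signed denial.
    """
    want = canonical_key(qname)
    for owner in owners:
        if canonical_key(owner) == want:
            return owner
    return None


def covering_nsec(owners: List[str], qname: str) -> Optional[Tuple[str, str]]:
    """Find the NSEC record whose interval covers a non-existent qname.

    Returns None when the name exists (no NXDOMAIN denial applies).
    Otherwise returns (owner, next): owner is the closest previous name in
    canonical order, found by an ordered walk over the whole zone, which is
    the capability an exact-match back end lacks. A qname that is not
    below the apex is rejected, since this zone cannot deny it.
    """
    ordered = sorted(owners, key=canonical_key)
    keys = [canonical_key(o) for o in ordered]
    apex_key = keys[0]
    q = canonical_key(qname)
    if q[: len(apex_key)] != apex_key:
        raise ValueError("%s is not within the zone %s" % (qname, ordered[0]))
    i = bisect_left(keys, q)
    if i < len(keys) and keys[i] == q:
        return None  # name exists: answer with its RRsets, not a denial
    prev_owner = ordered[i - 1]          # closest previous name (i >= 1: apex sorts first)
    next_owner = ordered[i % len(ordered)]  # wraps to the apex after the last name
    return (prev_owner, next_owner)


if __name__ == "__main__":
    for owner, nxt in build_nsec_chain(ZONE_OWNERS):
        print("%-26s NSEC %s" % (owner, nxt))
    for q in ("b.example.com.", "zz.example.com.", "www.a.example.com.", "zabc.a.example.com."):
        print(q, "exact:", exact_lookup(ZONE_OWNERS, q), "covering NSEC:", covering_nsec(ZONE_OWNERS, q))
```

Note that a full RFC 4035 NXDOMAIN proof also needs the NSEC covering the wildcard at the closest encloser, which is a second ordered lookup of the same kind; the example shows only the first one, which is enough to see why "find the records for this exact name" is not sufficient.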