Currently I’m playing around with DNSSEC. The handling of DNSSEC seems a little bit complex to me when looking at my current Bind9 setup. I was following the Debian Wiki page on DNSSEC and related links. The linked howto on HowToForge is a little bit outdated, as it targets Squeeze. I’ve learned in the meanwhile that Bind9 can do key renewal on its own, but anyway, I did look around to see whether there are other nameservers that can handle DNSSEC and came across PowerDNS, which seems to power a large number of European DNSSEC zones.
Bind9 is well-known, well documented and has been serving my zones well for years. But I got the impression that DNSSEC is more or less a mess with Bind9, as it was added on top of it without being well integrated. On the contrary, DNSSEC support in PowerDNS looks as if it was integrated from scratch on a design level. On the other hand, there don’t seem to be many resources available on the net about PowerDNS. There’s the official documentation, of course, but it is not as good as the Bind9 documentation. On the plus side, you can operate PowerDNS in Bind mode, i.e. using the Bind9 configuration and zone files, even in hybrid mode, which enables you to additionally run a database-based setup.
So, I’m somewhat undecided about how to proceed. Either stay with Bind9 and DNSSEC, completely migrate to PowerDNS with a database setup, or use PowerDNS with the bind backend? Feel free to comment or respond with your own blog post about your experience. 🙂
UPDATE: Problem solved, please read DNSSEC – Part 2
Still testing DNSSEC
I am running Bind9 for a hidden master and two authoritative servers, although I haven’t tested key rollovers with the registrar yet. I would like some automation for the rollovers at the registrar as doing it through a web interface will be time consuming and error prone and that could be ugly.
My plan is to also try the following:
Hidden master with PowerDNS, probably PowerDNS with bind backend to start with and a VPN for zone transfers.
nsd for the authoritative servers.
Automate the key rollovers to the registrar.
And after that my big wishlist item is use my servers to make it a bit easier for others to run DNSSEC.
I’m using Bind9 (on a Wheezy system) to run my zone including DNSSEC. The version in backports supports inline-signing, which means the zonefile is totally unaffected by the DNSSEC stuff – it looks like it would without DNSSEC. Bind does the signing and re-signing automatically. That’s working beautifully for me.
I didn’t consider alternatives, though, as I followed a tutorial in a German computer magazine that was written for Bind, which I had already used before.
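As an added illustration of the inline-signing setup the commenter above describes (this is not configuration from the blog author or the commenter), here is a minimal named.conf zone stanza for Bind9 9.9 or later. The zone name example.com, the key directory /etc/bind/keys and the file paths are assumptions; the options themselves (inline-signing, auto-dnssec, key-directory, serial-update-method) are standard Bind9 directives. With this in place the unsigned zone file stays exactly as you wrote it and named keeps a separate signed copy that it re-signs on its own.

```conf
// Added example, not from the original post. Zone name, paths and key
// parameters are assumptions; adjust them to your own setup.
//
// One-time key generation (run as the user named runs as):
//   dnssec-keygen -K /etc/bind/keys -a RSASHA256 -b 2048 -f KSK example.com
//   dnssec-keygen -K /etc/bind/keys -a RSASHA256 -b 1024 example.com
// After (re)loading, hand the DS record of the KSK to the registrar:
//   dnssec-dsfromkey -2 /etc/bind/keys/Kexample.com.+008+NNNNN.key
// (NNNNN is the key tag printed by dnssec-keygen; it is not a fixed value.)

options {
    // Directory where named reads and writes its private/public key pairs.
    key-directory "/etc/bind/keys";
};

zone "example.com" {
    type master;

    // The plain, unsigned zone file: edit it as usual, no RRSIG/NSEC lines.
    file "/etc/bind/zones/db.example.com";

    // named keeps the signed version next to it as db.example.com.signed
    // and a journal for incremental updates; you never edit those.
    inline-signing yes;

    // "maintain": named picks up keys from key-directory, signs, re-signs
    // before RRSIGs expire, and follows the timing metadata on the keys
    // for rollovers. Use "rndc loadkeys example.com" after adding keys.
    auto-dnssec maintain;

    // Let named bump the SOA serial of the signed copy itself, so the
    // serial in the unsigned file does not have to change for re-signing.
    serial-update-method increment;

    // Secondaries transfer the signed zone, so these still work as before.
    allow-transfer { 192.0.2.10; 192.0.2.11; };   // example addresses
    notify yes;
};
```

A quick check after the first load is `rndc signing -list example.com`, which reports which keys are active for the zone, and `dig +dnssec @127.0.0.1 example.com SOA`, which should now return RRSIG records even though the file on disk has none. Note that the KSK rollover at the registrar (publishing the new DS) is the one step this automation does not cover, which is exactly the gap the first commenter mentions.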
Trackback: Bind9 vs. PowerDNS – part 2
Trackback from http://blog.windfluechter.net/content/blog/2014/11/08/1703-bind9-vs-powerdns-part-2.