Hi Viktor, Hi Michael,
On Thu, Oct 02, 2014 at 09:02:05PM -0400, Michael Richardson wrote:
> Viktor Dukhovni <[email protected]> wrote:
> > It seems that DNSSEC deployment *is* by far the main obstacle.
> > Registrars need to support DS RRs and ideally be able to host DNSSEC
> > domains. Unlike registries looking after one or a handful of
> > domains, registrars host thousands to millions of domains. One of
> > the issues raised at the DENIC meeting is that DNSSEC-capable
> > nameserver software that scales well to very large zone counts is
> > by no means abundant. Reportedly only PowerDNS comes close, and
> > at least some registrars are reluctant to put all the eggs in one
> > basket and rely on just a single software platform.
>
> Is it a question of the signing infrastructure, or the publication
> infrastructure?
>
> I don't understand the issues in detail. Perhaps Jens Wagner will
> respond.
It's a question of the publication infrastructure.
Right now, PowerDNS is the only (open source) DNS server supporting both
DNSSEC and large zone counts (unlike the typical registry setup, where
you manage a small number of huge zonefiles).
As a registrar, we allow our customers to add, remove and update DNS
zones, and all those updates get pushed to our publication
infrastructure immediately (~4 seconds delay). Those updates should not
interfere with the resolution of other zones.
Also, to prevent DNS outages caused by attacks or other problems, we do
not want to rely on a single-vendor solution, so we use MyDNS and
PowerDNS together (both implement database-backed, cached responses).
However, MyDNS never implemented DNSSEC (and is sort of abandoned),
BIND10/Bundy is (was?) not production ready, and others like YADIFA and
Knot are optimized for TLD operations only. So our options are:
- run DNS using PowerDNS only (works perfectly, but SPOF)
- implement DNSSEC in MyDNS ourselves
- wait for Bundy (or another product) to become production ready
Do you have any suggestions?
Best regards,
- jens
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane