PowerDNSSEC: packages available, ready for light production use
Dear PowerDNS Community,
With the help of many of you, we’ve now brought ‘PowerDNSSEC’ to the point where it is in light production. Several of our important domains have already been migrated to the PowerDNS Authoritative Server 3.0 prereleases. Several PowerDNS users have done the same with their domains (please let us know!).
We are pleased to announce the regular availability of documentation, packages and tarballs for testing. On http://powerdnssec.org/downloads/packages you will find RPM/DEB for 32-bit and 64-bit Linux. On http://powerdnssec.org/downloads you will find tarballs which can be compiled on other systems.
For more information head over to http://www.powerdnssec.org (which of course is powered by PowerDNSSEC).
Documentation is on http://doc.powerdns.com/powerdnssec-auth.html
Even more information is on http://wiki.powerdns.com/trac/wiki/PDNSSEC – including how to get started, and how to get help.
In brief, PowerDNSSEC will allow you to continue operating as normal in many cases, with only slight changes to your installation. There is no need to run signing tools, nor is there a need to rotate keys or run scripts.
Particularly, if you run with Generic MySQL, Generic PostgreSQL or Generic SQLite3, you should have an easy time. A small schema update is required, plus an invocation of ‘pdnssec secure-zone domain-name ; pdnssec rectify-zone domain-name’ per domain you want to secure. And that should be
- NSEC3 in ordered mode (pre-hashed records)
- NSEC3 in narrow mode (unmodified records)
- Zone transfers (for NSEC)
- Import of ‘standard’ private keys from BIND/NSD
- Export of ‘standard’ private keys
- “Pure” PostgreSQL, SQLite3 & MySQL operations
- Hybrid BIND/PostgreSQL/SQLite3/MySQL operation
- Front-signing slaved data from legacy installations
See http://doc.powerdns.com/dnssec-supported.html for more specifications.
To join the fun, download the tarball and packages which can be found on the sites above, and let us know how it works for you!
To clarify, we do not recommend taking the current code snapshot into heavy production, but we are getting close.
A very informative article.