DNSSEC and Geodns
Mike McGrath
mmcgrath at redhat.com
Sat Nov 21 04:22:19 UTC 2009
On Fri, 20 Nov 2009, Mike McGrath wrote:
> On Fri, 20 Nov 2009, Stephen John Smoogen wrote:
>
> > On Fri, Nov 20, 2009 at 8:13 PM, Mike McGrath <mmcgrath at redhat.com> wrote:
> > > On Fri, 20 Nov 2009, Stephen John Smoogen wrote:
> > >
> > >> On Fri, Nov 20, 2009 at 3:09 PM, Mike McGrath <mmcgrath at redhat.com> wrote:
> > >> > Nothing's ever easy, is it?
> > >> >
> > >> > So I got pdns up and going this afternoon with it's geo back end. It's
> > >> > working as expected and everything is good. The problem is pdns's dnssec
> > >> > implementation is... not particularly mature or really even usable AFAIK
> > >> > with geodns.
> > >> >
> > >> > Anyone out there doing both geo location and dnssec with their name
> > >> > servers?
> > >>
> > >> Not really. Most places I know do not do dns-sec (either waiting until
> > >> .com/.org is signed or until its required) or if they are doing
> > >> dns-sec aren't doing geoip. The solutions that comes to mind would be
> > >> to have the geoip code in an unsigned sub-zone. Its not great but
> > >> until 2011 I don't see it being much better.
> > >>
> > >
> > > Ugh, I really don't want to have to choose, nb did great work with getting
> > > dnssec going.
> >
> > I would only do it for a subzone and not for the main one. Basically
> > have ns1/ns2 have the signed zones and the subzones on another one.
> >
>
> So, for example 'fedoraproject.org' wouldn't be signed, but
> 'us.fedoraproject.org' would be? I *think* that's possible but I haven't
> gotten it to work. If I can get that to work though I guess that makes
> sense because A) it'd work for now and B) I'm sure over time pdns's dnssec
> will continue to mature.
>
I should explain this to people not familiar with pdns with the geo
backend (as I was unfamiliar about 12 hours ago :)
right now I've got powerdns to literally pull from our normal bind configs
(with a few modifications). pdns uses this for most of it's data. But
the geo ip lookups would happen prior to the bind lookups and the way it's
setup now would return a cname. So, depending on where you are located
and how we set things up. 'fedoraproject.org' would point to
us.fedoraproject.org or de.fedoraproject.org or maybe even na or
eu.fedoraproject.org.
AFAIK, that cname can't be signed with the way pdns currently works.
*however* I think what the cname points to could be signed. I'm not sure
if this completely bypasses what dnssec would get us or not but I suspect
it's the a record signings that are the most important.
Thoughts?
-Mike
More information about the Fedora-infrastructure-list
mailing list