DNSSEC and Geodns
Mike McGrath
mmcgrath at redhat.com
Sat Nov 21 04:09:14 UTC 2009
On Fri, 20 Nov 2009, Stephen John Smoogen wrote:
> On Fri, Nov 20, 2009 at 8:13 PM, Mike McGrath <mmcgrath at redhat.com> wrote:
> > On Fri, 20 Nov 2009, Stephen John Smoogen wrote:
> >
> >> On Fri, Nov 20, 2009 at 3:09 PM, Mike McGrath <mmcgrath at redhat.com> wrote:
> >> > Nothing's ever easy, is it?
> >> >
> >> > So I got pdns up and going this afternoon with it's geo back end. It's
> >> > working as expected and everything is good. The problem is pdns's dnssec
> >> > implementation is... not particularly mature or really even usable AFAIK
> >> > with geodns.
> >> >
> >> > Anyone out there doing both geo location and dnssec with their name
> >> > servers?
> >>
> >> Not really. Most places I know do not do dns-sec (either waiting until
> >> .com/.org is signed or until its required) or if they are doing
> >> dns-sec aren't doing geoip. The solutions that comes to mind would be
> >> to have the geoip code in an unsigned sub-zone. Its not great but
> >> until 2011 I don't see it being much better.
> >>
> >
> > Ugh, I really don't want to have to choose, nb did great work with getting
> > dnssec going.
>
> I would only do it for a subzone and not for the main one. Basically
> have ns1/ns2 have the signed zones and the subzones on another one.
>
So, for example 'fedoraproject.org' wouldn't be signed, but
'us.fedoraproject.org' would be? I *think* that's possible but I haven't
gotten it to work. If I can get that to work though I guess that makes
sense because A) it'd work for now and B) I'm sure over time pdns's dnssec
will continue to mature.
-Mike
More information about the Fedora-infrastructure-list
mailing list