On 06.10.2014 at 04:05, Viktor Dukhovni wrote:
On Sun, Oct 05, 2014 at 11:01:50PM +0200, Jens Wagner wrote:

I don't understand the issues in detail.  Perhaps Jens Wagner will
respond.
It's a question of the publication infrastructure.

Right now, PowerDNS is the only (open source) DNS server supporting both
DNSSEC and large zone counts (unlike the typical registry setup, where you
manage a small number of huge zonefiles).
Can you shed a bit more light on the ways in which BIND/unbound/...
are not entirely suitable to serving a very large dynamic number
of zones?

What are the main obstacles? Does, for example, BIND take too long
to start/reload? Is adding a new zone too disruptive? Something
else?

According to http://unbound.net/, Unbound is a validating, recursive, and caching DNS resolver. So it cannot be used as an auth nameserver.

BIND9 itself takes too long to reload when, e.g., adding new zones, and also needs to load everything into memory.

BIND9 + DLZ patches would work (http://bind-dlz.sourceforge.net/), but it has low performance (iirc, it uses the DB driver for all queries then and does not use in-memory caches). I found some data here: http://www.sanog.org/resources/sanog14/sanog14-devdas-dns-scalability.pdf

Basically, we are looking for nameservers that:

1. allow you to add, remove and update zones online, anytime
2. do not 'stutter' or even stop resolving while getting updated, no matter whether single records are updated or new zones are added
3. do not need to keep all zones and records in memory
4. support DNSSEC + NSEC3
5. use internal caching for performance reasons

PowerDNS provides all of the above, BIND9+DLZ does everything but 5., MyDNS does everything but 4. (and is outdated). Most servers that are written for TLDs fail at 2. and/or 3. Do you know any other products? I still hope for BIND10/Bundy.

Best,
- jens
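As an added example (not code from this thread or from any of the servers named in it), a small Python probe for requirement 4 in the list above: it sends a query with the EDNS0 DO bit to a candidate authoritative server and reports whether the reply carries RRSIG records and which denial-of-existence scheme (NSEC or NSEC3) shows up. It assumes a zone you operate, plain UDP on port 53, and that you probe a non-existent name when you want to see the denial scheme, since NSEC/NSEC3 records only appear in negative answers.

```python
import random, socket, struct
TYPE_OPT, TYPE_RRSIG, TYPE_NSEC, TYPE_NSEC3 = 41, 46, 47, 50  # IANA RR type codes
DO_BIT = 0x8000  # "DNSSEC OK" flag, carried in the OPT record's TTL field

def encode_name(name):
    # Wire-format a domain name as length-prefixed labels plus the root label.
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, qtype=1, msg_id=None):
    # Query with EDNS0 and the DO bit, so a DNSSEC-capable server includes RRSIG and NSEC/NSEC3 records.
    msg_id = random.randrange(65536) if msg_id is None else msg_id
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_BIT, 0)  # root name, UDP size 4096
    return header + question + opt

def skip_name(data, off):
    # Advance past a possibly compressed name and return the offset just after it.
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1
        if length == 0:  # root label ends the name
            return off
        off += length

def record_types(data):
    # Return the RR type code of every record after the question section.
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4  # skip QTYPE and QCLASS
    types = []
    for _ in range(an + ns + ar):
        off = skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return types

def dnssec_status(data):
    # What the reply says about requirement 4: signatures present, and which denial scheme is used.
    types = record_types(data)
    return {"signed": TYPE_RRSIG in types, "nsec3": TYPE_NSEC3 in types, "nsec": TYPE_NSEC in types}
def query_server(server, name, qtype=1, timeout=3.0):
    # Send over UDP/53 and return the raw reply; a reply with TC set would need a TCP retry.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        return s.recv(4096)
```

Run `dnssec_status(query_server("<server-ip>", "nonexistent.<your-zone>"))` against each candidate server; a signed zone answers with `signed` true, and exactly one of `nsec` or `nsec3` true on a negative answer.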


_______________________________________________
dane mailing list
https://www.ietf.org/mailman/listinfo/dane