On Mar 9, 2015, at 2:42 AM, bert hubert wrote:
>
>> Sounds like the "Supported Record Types" page needs updating to add KX and
>> IPSECKEY.
>
> Patches are welcome. It is very easy to update our Markdown documentation
> these days.
> https://github.com/PowerDNS/pdns/blob/master/docs/markdown/types.md and press
> the edit (pencil) icon.
>
>> Too bad about DNAME. I'd try to submit a patch but I'm a little too busy with
>> what I'm doing right now to take the time to learn about PDNS's codebase.
>
> DNAME is actually available, "experimental-dname-processing" makes that
> happen.

Interesting. Thanks for pointing that out to me. However, it says not to combine with DNSSEC in bold letters with an exclamation mark, so that means I can't use it. Out of curiosity,

1) Why can't it be combined with DNSSEC? Is it just not complete yet, and DNAME+DNSSEC support is coming later? Or is it something else?
2) Why does this approximately double query load?

>
>> TLSA does *not* supersede CAA—they work together. TLSA says "here is the
>> valid public key for this host," and the client can reject any certs created
>> with other public keys. CAA says "here is the valid certificate authority
>> for this host," and the client can reject any certs signed by any other
>> certificate authority. TLSA *does* increase security significantly on its
>> own, but adding CAA makes it even more secure.
>
> If you have a CAA record and can point to a client that verifies it, we could
> look into it. It is very hard to implement things where we have to hunt for a
> client first.

Indeed, you're right. I can't find any clients that support CAA. For that matter, it appears that none of the browsers support TLSA/DANE, either. That's a bummer. I was looking forward to rolling that out, but it won't really make a difference.

>
> Bert

Thanks,
Nick
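
Added example, not part of the original message and not PowerDNS code: a sketch of the TLSA comparison discussed in the thread, where a client checks a presented certificate against the record's association data (RFC 6698 selector and matching type). It covers only that match; DNSSEC validation of the RRset and usage-specific chain checks are assumed to happen elsewhere, and the byte strings are constructed stand-ins for DER data.

```python
import hashlib
import hmac

# RFC 6698 matching types: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
_DIGESTS = {
    0: lambda b: b,
    1: lambda b: hashlib.sha256(b).digest(),
    2: lambda b: hashlib.sha512(b).digest(),
}

def parse_tlsa(rdata):
    """Parse TLSA presentation-format RDATA: 'usage selector mtype hex...'."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("TLSA RDATA needs usage, selector, matching type, data")
    usage, selector, mtype = (int(f) for f in fields[:3])
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in _DIGESTS:
        raise ValueError("unsupported TLSA parameters")
    return usage, selector, mtype, bytes.fromhex("".join(fields[3:]))

def tlsa_matches(rdata, cert_der, spki_der):
    """True if the presented certificate matches this TLSA record.

    Selector 0 compares the full certificate; selector 1 compares only the
    SubjectPublicKeyInfo, so a renewed cert with the same key still matches.
    """
    _usage, selector, mtype, assoc = parse_tlsa(rdata)
    selected = cert_der if selector == 0 else spki_der
    return hmac.compare_digest(_DIGESTS[mtype](selected), assoc)

def accept(rrset, cert_der, spki_der):
    """Accept the certificate if any record in the validated RRset matches."""
    return any(tlsa_matches(r, cert_der, spki_der) for r in rrset)

# Constructed sample data (assumption): real code takes these from the TLS handshake.
SPKI_GOOD = b"constructed-spki-for-www.example.com"
CERT_GOOD = b"constructed-cert:" + SPKI_GOOD
SPKI_OTHER = b"constructed-spki-other-key"
CERT_OTHER = b"constructed-cert:" + SPKI_OTHER
RRSET = ["3 1 1 " + hashlib.sha256(SPKI_GOOD).hexdigest()]

if __name__ == "__main__":
    print("published key:", accept(RRSET, CERT_GOOD, SPKI_GOOD))
    print("other key:    ", accept(RRSET, CERT_OTHER, SPKI_OTHER))
```
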
