On Mon, Mar 09, 2015 at 12:00:52PM -0500, Nick Williams wrote:
>
> > On Mar 9, 2015, at 2:42 AM, bert hubert wrote:
> >
> >> Sounds like the "Supported Record Types" page needs updating to add KX and
> >> IPSECKEY.
> >
> > Patches are welcome. It is very easy to update our Markdown documentation
> > these days.
> > https://github.com/PowerDNS/pdns/blob/master/docs/markdown/types.md and
> > press the edit (pencil) icon.
> >
> >> Too bad about DNAME. I'd try to submit a patch but I'm a little too busy
> >> with what I'm doing right now to take the time to learn about PDNS's
> >> codebase.
> >
> > DNAME is actually available, "experimental-dname-processing" makes that
> > happen.
>
> Interesting. Thanks for pointing that out to me. However, it says not to
> combine with DNSSEC in bold letters with an exclamation mark, so that means I
> can't use it.
>
> Out of curiosity, 1) Why can't it be combined with DNSSEC? Is it just not
> complete yet, and DNAME+DNSSEC support is coming later? Or is it something
> else? 2) Why does this approximately double query load?
>
> >
> >> TLSA does *not* supersede CAA—they work together. TLSA says "here is the
> >> valid public key for this host," and the client can reject any certs
> >> created with other public keys. CAA says "here is the valid certificate
> >> authority for this host," and the client can reject any certs signed by
> >> any other certificate authority. TLSA *does* increase security
> >> significantly on its own, but adding CAA makes it even more secure.
> >
> > If you have a CAA record and can point to a client that verifies it, we
> > could look into it. It is very hard to implement things where we have to
> > hunt for a client first.
>
> Indeed, you're right. I can't find any clients that support CAA. For that
> matter, it appears that none of the browsers support TLSA/DANE, either.
> That's a bummer. I was looking forward to rolling that out, but it won't
> really make a difference.
>
> >
> > Bert
>
> Thanks,
>
> Nick
>

There is a Firefox plugin for TLSA, at least.

Aki
