DNSSEC and Geodns

Nigel Jones dev at nigelj.com
Sat Nov 21 03:27:05 UTC 2009


On Sat, Nov 21, 2009 at 1:18 PM, Stephen John Smoogen <smooge at gmail.com> wrote:
> On Fri, Nov 20, 2009 at 8:13 PM, Mike McGrath <mmcgrath at redhat.com> wrote:
>> On Fri, 20 Nov 2009, Stephen John Smoogen wrote:
>>
>>> On Fri, Nov 20, 2009 at 3:09 PM, Mike McGrath <mmcgrath at redhat.com> wrote:
>>> > Nothing's ever easy, is it?
>>> >
>>> > So I got pdns up and going this afternoon with its geo back end.  It's
>>> > working as expected and everything is good.  The problem is pdns's dnssec
>>> > implementation is...  not particularly mature or really even usable AFAIK
>>> > with geodns.
>>> >
>>> > Anyone out there doing both geo location and dnssec with their name
>>> > servers?
>>>
>>> Not really. Most places I know do not do dns-sec (either waiting until
>>> .com/.org is signed or until it's required) or if they are doing
>>> dns-sec aren't doing geoip. The solution that comes to mind would be
>>> to have the geoip code in an unsigned sub-zone. It's not great but
>>> until 2011 I don't see it being much better.
>>>
>>
>> Ugh, I really don't want to have to choose, nb did great work with getting
>> dnssec going.
>
> I would only do it for a subzone and not for the main one. Basically
> have ns1/ns2 have the signed zones and the subzones on another one.

Surely this is going to increase the time needed for clients to
perform DNS lookups on the content we got GEO-Located (i.e.
fedoraproject.org/admin.fedoraproject.org).

- Nigel



