DNSSEC & IPv6

Hey fellas… I searched the docs & forums regarding DNSSEC and couldn’t (amazingly) find anything mentioning it. I’ve done some looking around (as I’d already read of Bernstein’s disdain for DNSSEC) to see if there was any recent work to make djbdns support DNSSEC as a result of the push to get all domains signed with DNSSEC by Q1 2011. Sadly, I’ve not found any efforts. Does anyone know of anyone working on such a project?

Also, InterWorx guys, are you working on IPv6 support in djbdns and the UI? Or, at least going to work on it this year? We’ll likely all need it at some point in the future (how far who knows… moving targets are great). I was considering dual-stacking a box for testing and play. I was just wondering if this would be possible with iworx at some point in the not too distant future.

Thanks!

I’m also interested in this thing.

They’ve pretty well handled IPv6 on the DNS side.

DNSSEC on the other hand could be quite some time (meaning next year or never) before it is supported due to the use of djbdns. The original creator, D.J. Bernstein, has a disdain for DNSSEC and IPv6. IPv6 support was only added due to a third party writing a patch to support it. DNSSEC may or may not be the recipient of a similar patch at some point in the future. The reason this has not received a response from the InterWorx crew is because they are in a “wait and see” position on this and obviously don’t want to make any public statements about this. Privately, they have a disdain for non-D.J. Bernstein ware. Their reasoning against using bind is difficulty in programmatically dealing with the config files (which has to be done for apache, btw) and the number of security patches / exploits bind has had over the years. (One of the same arguments that Windows & MacOS users have had for years. And, one that has been shown to be false. Once a particular platform becomes relevant enough to make it worth finding holes then they do.) A majority of exploitations have occurred due to incorrect configurations, not actual code errors. Yes, exploits due to code errors have occurred. But, FAR less than exploits due to poorly configured bind servers. They said they are keeping an eye on other DNS server software (outside of bind) as well. Currently, that only really leaves 1 viable (for dns on a shared hosting box scenario) alternative. DNS has shown, to me, to be their weakest point.

Hopefully it catches up with the rest of the system by the end of this year. (The rest of the system being an awesome product offering.)

When was IPv6 supported by InterWorx?

At the moment, it’s not so much “supported” as “not prevented” :)

Sometime in late 2010, I think with the 4.7.2 release, the rpms of supporting software were updated with patches/versions that allow IPv6. While possible now, in 4.8, AAAA records become much easier to add to the DNS zones.

What remains missing, however, is a simple means to manage it via the GUI, other than via the DNS zones. The breadth of IPv6 (purely number of records here) makes our current approach unworkable. No one wants to wait for a drop down to load with 4,000,000,000,000 IPs in it!

Additionally, the one-to-one relationship of IPs and SiteWorx accounts needs to be improved. This is, unfortunately, an old and powerful magic, so it got bumped from the 4.8 release schedule. IPv6 is front and center for the next release, however.

@omaticon - I want to bring up one other point regarding migration to another DNS server. DNS is a Big Important Thing to us and to our customers. DNSSEC will not be a drop-in feature for us. We don’t have disdain for other solutions, but we do have a healthy respect for the risks involved in switching to another system. To date, the cons outweigh the pros.

Tim

What about DNSSEC?