DNSSEC and Geodns

Stephen John Smoogen smooge at gmail.com
Sat Nov 21 04:27:05 UTC 2009


On Fri, Nov 20, 2009 at 9:09 PM, Mike McGrath <mmcgrath at redhat.com> wrote:
> On Fri, 20 Nov 2009, Stephen John Smoogen wrote:
>
>> On Fri, Nov 20, 2009 at 8:13 PM, Mike McGrath <mmcgrath at redhat.com> wrote:
>> > On Fri, 20 Nov 2009, Stephen John Smoogen wrote:
>> >
>> >> On Fri, Nov 20, 2009 at 3:09 PM, Mike McGrath <mmcgrath at redhat.com> wrote:
>> >> > Nothing's ever easy, is it?
>> >> >
>> >> > So I got pdns up and going this afternoon with its geo back end.  It's
>> >> > working as expected and everything is good.  The problem is pdns's dnssec
>> >> > implementation is...  not particularly mature or really even usable AFAIK
>> >> > with geodns.
>> >> >
>> >> > Anyone out there doing both geo location and dnssec with their name
>> >> > servers?
>> >>
>> >> Not really. Most places I know do not do dns-sec (either waiting until
>> >> .com/.org is signed or until it's required) or if they are doing
>> >> dns-sec aren't doing geoip. The solution that comes to mind would be
>> >> to have the geoip code in an unsigned sub-zone. It's not great but
>> >> until 2011 I don't see it being much better.
>> >>
>> >
>> > Ugh, I really don't want to have to choose, nb did great work with getting
>> > dnssec going.
>>
>> I would only do it for a subzone and not for the main one. Basically
>> have ns1/ns2 have the signed zones and the subzones on another one.
>>
>
> So, for example 'fedoraproject.org' wouldn't be signed, but
> 'us.fedoraproject.org' would be?  I *think* that's possible but I haven't
> gotten it to work.  If I can get that to work though I guess that makes
> sense because A) it'd work for now and B) I'm sure over time pdns's dnssec
> will continue to mature.

I meant more like fedoraproject.org would be signed,
xxx.mirrors.fedoraproject.org wouldn't be. But now I see that doesn't
cover the items we have.





-- 
Stephen J Smoogen.

Ah, but a man's reach should exceed his grasp. Or what's a heaven for?
-- Robert Browning
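
Added example, not part of the original message: a simplified Python model of how a validating resolver would classify names when a signed parent zone delegates an unsigned geo sub-zone, as proposed in the thread. The zone names follow the thread; the DS flags and the signed status of org. are assumptions made for illustration.

```python
# Simplified model of DNSSEC chain-of-trust classification (constructed data).
# Each zone cut records whether its parent publishes a DS record for it.
# In real DNSSEC the absence of a DS is proven by signed NSEC/NSEC3 records
# in the parent; this model only tracks the outcome of that proof.
ZONES = {
    "org.": {"ds_in_parent": True},                         # assumed signed TLD
    "fedoraproject.org.": {"ds_in_parent": True},           # signed main zone
    "mirrors.fedoraproject.org.": {"ds_in_parent": False},  # unsigned geo sub-zone
}


def normalize(name):
    """Lower-case a name and make it fully qualified."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def zone_cuts(name):
    """Return the modelled zone cuts enclosing `name`, from the top down."""
    labels = normalize(name).rstrip(".").split(".")
    candidates = [".".join(labels[i:]) + "." for i in range(len(labels))]
    return [z for z in reversed(candidates) if z in ZONES]


def classify(name):
    """Return (status, zone that decided it) for a query name.

    The root is treated as the trust anchor. The first delegation without a
    DS record breaks the chain: every name at or below it is 'insecure', so
    a validating resolver accepts those answers without signature checks.
    """
    cuts = zone_cuts(name)
    if not cuts:
        return "indeterminate", "."  # name lies outside the modelled zones
    for zone in cuts:
        if not ZONES[zone]["ds_in_parent"]:
            return "insecure", zone
    return "secure", cuts[-1]


if __name__ == "__main__":
    for qname in ("fedoraproject.org", "www.fedoraproject.org",
                  "us.mirrors.fedoraproject.org"):
        status, zone = classify(qname)
        print(f"{qname:32} {status:9} (decided at {zone})")
```

Names under the unsigned sub-zone get no spoofing protection from DNSSEC, so the geo-directed answers are exactly the part of the tree that stays unauthenticated.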
