<?xml version="1.0" encoding="UTF-8" standalone="no"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>2. Profile, Supported Algorithms, Record Types &amp; Modes of operation</title><link rel="stylesheet" href="docbook.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /><link rel="home" href="index.html" title="PowerDNS manual" /><link rel="up" href="powerdnssec-auth.html" title="Chapter 12. Serving authoritative DNSSEC data" /><link rel="prev" href="powerdnssec-auth.html" title="Chapter 12. Serving authoritative DNSSEC data" /><link rel="next" href="dnssec-migration.html" title="3. Migration" /></head><body><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">2. Profile, Supported Algorithms, Record Types &amp; Modes of operation</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="powerdnssec-auth.html">Prev</a> </td><th width="60%" align="center">Chapter 12. Serving authoritative DNSSEC data</th><td width="20%" align="right"> <a accesskey="n" href="dnssec-migration.html">Next</a></td></tr></table><hr /></div><div class="section" title="2. Profile, Supported Algorithms, Record Types &amp; Modes of operation"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="dnssec-supported"></a>2. Profile, Supported Algorithms, Record Types &amp; Modes of operation</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="dnssec-supported.html#dnssec-presigned-mode">2.1. DNSSEC: live-signed vs orthodox 'pre-signed' mode</a></span></dt></dl></div><p> PowerDNSSEC aims to serve unexciting, standards-compliant DNSSEC information. 
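</p><p> As an added, independent check of that claim (example code written for this page; it is not PowerDNS code and not part of the PowerDNS manual), the following Python reproduces two computations that a validating resolver or a parent zone performs on the data an authoritative server hands out: the RFC 4034 key tag and the DS digest over a DNSKEY for the digest types listed further down this page (type 1 SHA-1, type 2 SHA-256 and type 4 SHA-384; type 3 is GOST R 34.11-94 from RFC 5933, which Python's hashlib does not provide, so it is deliberately rejected), and the RFC 5155 NSEC3 owner-name hash. The DNSKEY/DS pair is the worked example from RFC 4034 section 5.4 and the NSEC3 parameters (salt aabbccdd, 12 iterations) are those of the RFC 5155 Appendix A zone; all function and constant names are this example's own. Given a DNSKEY as served by PowerDNS, the DS output should match what the parent zone publishes, and the NSEC3 output should match the owner names in a zone signed by 'ldns-signzone' with the same salt and iteration count. </p>

```python
"""Independent checks on DNSSEC data served by an authoritative server.

Added example for this page, not PowerDNS code.  Standard library only.
- key_tag():    RFC 4034 Appendix B
- ds_digest():  RFC 4034 s5.1.4 / RFC 4509 (type 2) / RFC 6605 (type 4)
- nsec3_hash(): RFC 5155 s5
"""
import base64
import hashlib
import struct

# DS digest type -> hash.  Type 3 (GOST R 34.11-94, RFC 5933) is not in
# hashlib and is deliberately absent; ds_digest() rejects it.
DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# DNSKEY/DS worked example from RFC 4034 section 5.4 (key id 60485).
RFC4034_OWNER = "dskey.example.com."
RFC4034_PUBKEY = (
    "AQOeiiR0GOMYkDshWoSKz9XzfwJr1AYtsmx3TGkJaNXVbfi/2pHm822aJ5iI9BMzNXxeYCmZ"
    "DRD99WYwYqUSdjMmmAphXdvxegXd/M5+X7OrzKBaMbCVdFLUUh6DhweJBjEVv5f2wwjM9Xzc"
    "nOf+EPbtG9DMBmADjFDc2w/rljwvFw=="
)


def canonical_wire_name(name: str) -> bytes:
    """Owner name in canonical wire form (RFC 4034 s6.2): lowercase ASCII
    labels, each preceded by its length octet, no compression, root = 0x00."""
    labels = [lbl for lbl in name.rstrip(".").lower().split(".") if lbl]
    out = bytearray()
    for lbl in labels:
        raw = lbl.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {lbl!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA in wire form from its presentation-format fields."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: 16-bit sum over the RDATA with the carry folded in.
    (Algorithm 1, RSA/MD5, used a different rule and is not handled here.)"""
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet << 8 if i % 2 == 0 else octet
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest (RFC 4034 s5.1.4): H(canonical owner name || DNSKEY RDATA),
    as uppercase hex.  The case of the owner name must not change the result."""
    if digest_type not in DS_DIGESTS:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    return DS_DIGESTS[digest_type](canonical_wire_name(owner) + rdata).hexdigest().upper()


def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              pubkey_b64: str, digest_type: int) -> str:
    """Presentation-format DS RR for the given DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return (f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} "
            f"{ds_digest(owner, rdata, digest_type)}")


# RFC 4648 base32 alphabet -> the base32hex alphabet used for NSEC3 owner names.
_B32_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                 b"0123456789abcdefghijklmnopqrstuv")


def nsec3_hash(owner: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 s5 with hash algorithm 1 (SHA-1):
    IH(0) = H(owner || salt); IH(k) = H(IH(k-1) || salt); result = IH(iterations),
    base32hex-encoded.  A salt of '-' in presentation format means no salt."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(canonical_wire_name(owner) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 bytes encode to exactly 32 base32 characters, so there is no '=' padding.
    return base64.b32encode(digest).translate(_B32_TO_B32HEX).decode("ascii")


if __name__ == "__main__":
    for dtype in sorted(DS_DIGESTS):
        print(ds_record(RFC4034_OWNER, 256, 3, 5, RFC4034_PUBKEY, dtype))
    # Apex NSEC3 owner name of the RFC 5155 Appendix A zone (NSEC3PARAM 1 0 12 aabbccdd).
    print(nsec3_hash("example.", "aabbccdd", 12) + ".example.")
```

<p> The owner name is lowercased and wire-encoded before hashing in both routines, so a DS or NSEC3 hash computed from a mixed-case zone file must still equal the one computed from the AXFR output; a mismatch there is a canonicalisation bug, not a key problem. </p><p>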
One goal is for the relevant parts of our output to be identical or equivalent to that of comparable software such as NLnet Labs' NSD. </p><p> In particular, when a PowerDNSSEC-secured zone is transferred via AXFR, it should be able to contain the same records as that zone would when signed with 'ldns-signzone' using the same keys and settings. </p><p> PowerDNS supports serving pre-signed zones as well as online ('live') signing. In the latter case, signature rollover and key maintenance are fully managed by PowerDNS. </p><p> In addition, PowerDNSSEC supports modes of operation that may have no equivalent in other software, for example NSEC3-narrow mode. </p><p> PowerDNSSEC supports: </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p> NSEC</p></li><li class="listitem"><p> NSEC3</p></li><li class="listitem"><p> NSEC3-narrow</p></li><li class="listitem"><p> DS (digest type 1, SHA-1; type 2, SHA-256; type 3, GOST R 34.11-94; and the then-provisional type 4, SHA-384)</p></li><li class="listitem"><p> RSASHA1 (algorithm 5) and RSASHA1-NSEC3-SHA1 (algorithm 7)</p></li><li class="listitem"><p> RSASHA256 (algorithm 8)</p></li><li class="listitem"><p> RSASHA512 (algorithm 10)</p></li><li class="listitem"><p> ECC-GOST (algorithm 12)</p></li><li class="listitem"><p> ECDSA P-256/SHA-256 and P-384/SHA-384 (no codepoints assigned at the time of writing; the provisional numbers 13 and 14 were later confirmed by RFC 6605)</p></li></ul></div><p> This corresponds to: </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p> RFC 4033: DNS Security Introduction and Requirements</p></li><li class="listitem"><p> RFC 4034: Resource Records for the DNS Security Extensions</p></li><li class="listitem"><p> RFC 4035: Protocol Modifications for the DNS Security Extensions</p></li><li class="listitem"><p> RFC 4509: Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs)</p></li><li class="listitem"><p> RFC 5155: DNS Security (DNSSEC) Hashed Authenticated Denial of Existence</p></li><li 
class="listitem"><p> RFC 5702: Use of SHA-2 Algorithms with RSA in DNSKEY and RRSIG Resource Records for DNSSEC </p></li><li class="listitem"><p> RFC 5933: Use of GOST Signature Algorithms in DNSKEY and RRSIG Resource Records for DNSSEC </p></li><li class="listitem"><p> draft-ietf-dnsext-ecdsa: Elliptic Curve DSA for DNSSEC (since published as RFC 6605) </p></li></ul></div><div class="section" title="2.1. DNSSEC: live-signed vs orthodox 'pre-signed' mode"><div class="titlepage"><div><div><h3 class="title"><a id="dnssec-presigned-mode"></a>2.1. DNSSEC: live-signed vs orthodox 'pre-signed' mode</h3></div></div></div><p> Traditionally, a zone is signed offline: signatures and denial-of-existence records are added to the unsigned zone, and the resulting signed zone can then be served by any DNSSEC-capable authoritative server, which needs no access to the private keys. PowerDNS fully supports this 'pre-signed' mode. </p><p> In addition, PowerDNS can take care of the signing itself. In this 'live-signed' mode the name server holds the private keys, signs records as they are served, and manages key maintenance and signature rollover on its own. PowerDNS then operates differently from what most tutorials and handbooks describe, but this mode is easier to run. The trade-off is that the private keys must be present on the serving name server and that signing costs CPU at query time. </p><p> For the relevant trade-offs, see <a class="xref" href="dnssec-security.html" title="9. Security">Section 9, “Security”</a> and <a class="xref" href="dnssec-performance.html" title="10. Performance">Section 10, “Performance”</a>. </p></div></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="powerdnssec-auth.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="powerdnssec-auth.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="dnssec-migration.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 12. Serving authoritative DNSSEC data </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> 3. Migration</td></tr></table></div></body></html>