
DNSSEC specific record types


Great project!

The specific use case I’m looking at now is managing zones via DNSimple. All of our domains are DNSSEC, so we have DNSKEY records. (AttributeError: 'DnsimpleProvider' object has no attribute '_data_for_DNSKEY') Normally this would be a straight multiple record type to implement. The concern that comes up on writing the PR for the record type is that this is not always something generated by the clients, and DNSimple rotates the records themselves on schedule. The APIv2 documentation shows that the record can be put by the client in addition to DNSimple’s record generation. Tends to break any kind of idempotent scheme. That requires an update at the domain Registrar. I’m sure someone has come up against this previously, but I didn’t see an issue referencing DNSSEC in my search.

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Comments: 8 (3 by maintainers)

Top GitHub Comments

2 reactions
ross commented, Jan 22, 2018

Hi @dschaper not sure how common DNSSEC use is for people looking at octoDNS, but it’s not a case that has specifically been explored. Based on your description the best option may be for octoDNS to ignore DNSKEY records in cases where the provider is managing things.

For DnsimpleProvider that’d probably be as easy as changing the if _type == 'SOA': line to if _type not in self.SUPPORTS, which is a bit more robust way to go about skipping unsupported records.

It’s likely that a full pass of DNSSEC support would be nice to do at some point, but looking around DNS provider support for it is still pretty lacking so that point may not be yet, at least I probably won’t have the time to dig into it soon 😁
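A simplified model of the check discussed in the comment above, added here as an illustration and not taken from octoDNS or from the thread. `ToyProvider`, `populate_outcome` and the sample records are hypothetical and constructed; only `SUPPORTS` and the `_data_for_<TYPE>` naming come from the page.

```python
# Simplified model of a provider's populate() dispatch; not octoDNS source.
# Constructed sample of what a provider API might return for a signed zone.
SAMPLE_RECORDS = [
    {"type": "A", "content": "192.0.2.10"},
    {"type": "A", "content": "192.0.2.11"},
    {"type": "SOA", "content": "ns1.example.net. admin.example.net. 1 2 3 4 5"},
    {"type": "DNSKEY", "content": "257 3 13 CONSTRUCTED-PLACEHOLDER-KEY"},
    {"type": "TXT", "content": "v=spf1 -all"},
]


class ToyProvider:
    SUPPORTS = {"A", "TXT"}  # record types this provider class can manage

    def __init__(self, skip_unsupported):
        self.skip_unsupported = skip_unsupported

    def _data_for_A(self, records):
        return sorted(r["content"] for r in records)

    _data_for_TXT = _data_for_A  # same multi-value handling in this model

    def populate(self, api_records):
        by_type = {}
        for record in api_records:
            by_type.setdefault(record["type"], []).append(record)
        managed, skipped = [], []
        for _type, records in sorted(by_type.items()):
            if self.skip_unsupported:
                unsupported = _type not in self.SUPPORTS  # suggested check
            else:
                unsupported = _type == "SOA"  # original check
            if unsupported:
                skipped.append(_type)  # left for the DNS provider to manage
                continue
            # Raises AttributeError when no handler exists for _type.
            data_for = getattr(self, "_data_for_{}".format(_type))
            managed.append((_type, data_for(records)))
        return managed, skipped


def populate_outcome(skip_unsupported):
    """Return (managed, skipped), or the error text if dispatch fails."""
    try:
        return ToyProvider(skip_unsupported).populate(SAMPLE_RECORDS)
    except AttributeError as exc:
        return str(exc)
```

With the `SOA`-only check the provider-generated DNSKEY record aborts the run; with the `SUPPORTS` check it is skipped and never enters the set of records the tool would try to reconcile.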

0 reactions
ross commented, Jun 5, 2022

Did a bit more digging a while back and I’m going to call this one not feasible. As far as I could find there are no commercial providers that let you provide the signing info and thus there’s no real way to have multiple providers signing identically. It did not appear to be possible to provide both providers signing info so that either’s signing would be allowed, though it’s possible I missed something there.
