PowerDNS Recursor version 4 supports DNSSEC validation

23 September 2016

With the launch of version 4, the PowerDNS Recursor now also supports DNSSEC validation. The new feature is currently still experimental, but the developers say it works well. "The underlying design philosophy is that legitimate look-ups shouldn't be refused, since that results in sites and services being unavailable to end users."

Validation by the Recursor has been on the agenda for some time, but has had to wait for refinement of the DNSSEC implementation on the PowerDNS authoritative server. Protection against DDoS/amplification attacks has also been a high priority in recent years, leading to development of the dnsdist load balancer, for example.

Because the Netherlands leads the way on the signing of its domain names, but lags behind in terms of validation by internet access providers, SIDN has provided financial support for the implementation of validation on the Recursor. For the same reason, the registry is also working on its own (validating) DNS service, along the lines of Google Public DNS and OpenDNS (now under the Cisco umbrella).


The PowerDNS Recursor is used in the Netherlands by a handful of large ISPs. So, for example, XS4All — which recently switched from BIND named to the PowerDNS server for their authoritative DNS service — is experimenting with the validating PowerDNS Recursor. That is in addition to using Unbound for validation on some of their existing resolvers. Outside the Netherlands, the PowerDNS Recursor is being used by a major telecom service provider in a neighbouring country and by a pan-European cable service provider.

PowerDNS versus Unbound and BIND named

Compared with Unbound and BIND named, the main thing that distinguishes the PowerDNS Recursor is that its developers have taken a very pragmatic approach. "The underlying design philosophy is that legitimate look-ups shouldn't be refused, since that results in sites and services being unavailable to end users", says Senior Engineer Peter van Dijk. "We see avoiding issues as the priority, even if that means that the occasional query gets through despite the DNSSEC chain not being entirely in order."

Such thinking has led the PowerDNS team to different design decisions from those made by the developers of Unbound and BIND. A more academic approach was chosen for Unbound and BIND, following the RFCs as closely as possible. However, all three software packages provide very effective tools. The user can therefore choose the solution that suits them best.

Negative Trust Anchors

In the light of experience, a certain pragmatism has been forced upon Unbound as well. For example, records whose signatures have expired can now be forwarded, as long as the signatures have not exceeded their lifetimes by more than 10 per cent (see the 'val-sig-skew-min' and 'val-sig-skew-max' options).

The PowerDNS Recursor now supports the whitelisting of problematic/bogus addresses — in DNSSEC terms, the addition of Negative Trust Anchors (NTAs, as defined in RFC 7646) — both permanently in the configuration file and temporarily in run-time. The latter option means that, for example, an end user who calls about an unreachable site can be given immediate assistance. A few years ago, when there were far more DNSSEC configuration errors in the .nl zone than now, the cost of handling complaint calls prompted T-Mobile to disable validation for mobile users, after previously supporting it.

RPZ, Lua and Curve25519

Another new feature in version 4 of the PowerDNS Recursor is support for RPZ (Response Policy Zone). The mechanism resembles the DNSBL/RBL protocol, which is used to query Spamhaus Project blacklists, for example. However, whereas DNSBL/RBL returns only a 'yes' or a 'no', RPZ responses can include more detailed information about reputation and policies. Both mechanisms are based on the DNS infrastructure.

In addition, the Recursor's Lua scripting facility now utilises LuaWrapper.

Finally, the makers of PowerDNS hope to enable support for the elliptic curve crypto-algorithm Curve25519 in a future version. That protocol is the basis for DNSCurve, an alternative to DNSSEC devised by Daniel J. Bernstein, which didn't take off. Curve25519 cryptography is currently being standardised by the IETF for use in DNSSEC. Once standardisation is complete, Curve25519 can be added to IANA's DNSSEC algorithm list.

Traditional Dutch product

"We've built up considerable DNS expertise in the Netherlands", says Marco Davids, Research Engineer at SIDN, and we can be proud of that. PowerDNS is a traditional Dutch product that's achieved global prominence purely on the basis of quality: their authoritative name server is a byword. With new developments, such as dnsdist and the new (DNSSEC) features in the Recursor, they are reinforcing their position. We're very happy with the good relations and the popularity of PowerDNS amongst registrars and DNS operators. A lot of them are major, global players. "


  • Tuesday 16 July 2019

    Internet security

    Travel organisations are the summer's preferred phishing target

    Phishing 520x520

    The holiday season has started

    Read more
  • Monday 19 March 2018

    About SIDN

    It's thanks to standards that the internet works


    A magazine packed with interviews and case studies on the use of open standards

    Read more
  • Thursday 14 March 2019

    .nl domain name

    SIDN analyses Belsimpel.nl


    Van een startkapitaal van € 2.000,- naar een omzet van € 200 miljoen

    Read more


Your browser is too old to optimally experience this website. Upgrade your browser to improve your experience.