2. Profile, Supported Algorithms, Record Types & Modes of operation

PowerDNSSEC aims to serve unexciting, standards-compliant DNSSEC information. One goal is to have relevant parts of our output be identical or equivalent to important fellow-traveller software like NLnet Labs' NSD.

Particularly, if a PowerDNSSEC-secured zone is transferred via AXFR, it should be able to contain the same records as when that zone was signed with 'ldns-signzone' using the same keys and settings.
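The equivalence described above can be checked by comparing a transferred zone with a pre-signed copy record by record, ignoring the RRSIG validity timestamps and signature bytes, which can differ between signing runs. The following Python code is an added example, not part of PowerDNS or ldns; the function names and the sample zone data are constructed, and it assumes one record per line with explicit TTL and class.

```python
# Added example: compare two signed copies of a zone record by record.
# Assumes one record per line with explicit TTL and class (dig-style AXFR
# output) and no ';' inside record data.

def normalize(zone_text):
    """Return the set of comparable (owner, ttl, type, rdata) tuples."""
    records = set()
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop trailing comments
        if len(fields) < 5:
            continue  # blank line, comment or a line we cannot parse
        owner, ttl = fields[0].lower(), fields[1]
        rtype, rdata = fields[3].upper(), fields[4:]
        if rtype == "RRSIG" and len(rdata) >= 8:
            # Keep covered type, algorithm, labels, original TTL, key tag and
            # signer; drop expiration, inception and the signature itself.
            rdata = rdata[0:4] + [rdata[6], rdata[7].lower()]
        records.add((owner, ttl, rtype, " ".join(rdata)))
    return records


def compare(zone_a, zone_b):
    """Return (records only in zone_a, records only in zone_b), sorted."""
    a, b = normalize(zone_a), normalize(zone_b)
    return sorted(a - b), sorted(b - a)


# Constructed sample data: placeholder signatures, not real key material.
LIVE_AXFR = """\
example.org. 3600 IN SOA ns1.example.org. hostmaster.example.org. 1 10800 3600 604800 3600
example.org. 3600 IN RRSIG SOA 8 2 3600 20300115000000 20300101000000 12345 example.org. c2lnLWE=
www.example.org. 3600 IN A 192.0.2.10
www.example.org. 3600 IN RRSIG A 8 3 3600 20300115000000 20300101000000 12345 example.org. c2lnLWI=
"""
PRESIGNED = """\
example.org. 3600 IN SOA ns1.example.org. hostmaster.example.org. 1 10800 3600 604800 3600
example.org. 3600 IN RRSIG SOA 8 2 3600 20300129000000 20300101000000 12345 example.org. c2lnLWM=
WWW.example.org. 3600 IN A 192.0.2.10 ; constructed comment
www.example.org. 3600 IN RRSIG A 8 3 3600 20300129000000 20300101000000 12345 example.org. c2lnLWQ=
"""
# Same as PRESIGNED but with the signature over the A record left out.
INCOMPLETE = "\n".join(PRESIGNED.splitlines()[:-1])

if __name__ == "__main__":
    print(compare(LIVE_AXFR, PRESIGNED))
    print(compare(LIVE_AXFR, INCOMPLETE))
```

An empty pair of lists means both copies carry the same record sets and signature coverage; any entry names a record present in only one copy.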

PowerDNS supports serving pre-signed zones, as well as online ('live') signing. In the latter case, Signature Rollover and Key Maintenance are fully managed by PowerDNS.

In addition to the above, PowerDNSSEC also supports modes of operation which may not have an equivalent in other pieces of software, for example NSEC3-narrow mode.

PowerDNSSEC supports:

This corresponds to:

2.1. DNSSEC: live-signed vs orthodox 'pre-signed' mode

Traditionally, DNSSEC signatures have been added to unsigned zones, and then this signed zone could be served by any DNSSEC capable authoritative server. PowerDNS supports this mode fully.

In addition, PowerDNS supports taking care of the signing itself, in which case PowerDNS operates differently from most tutorials and handbooks. This mode is easier, however.

For relevant tradeoffs, please see Section 9, “Security” and Section 10, “Performance”.