PowerDNSSEC aims to serve unexciting, standards-compliant DNSSEC information. One goal is to have relevant parts of our output be identical or equivalent to that of important fellow-traveller software like NLnet Labs' NSD.
In particular, if a PowerDNSSEC-secured zone is transferred via AXFR, it should be able to contain the same records as when that zone is signed with 'ldns-signzone' using the same keys and settings.
PowerDNS supports serving pre-signed zones, as well as online ('live') signed operations. In the latter case, Signature Rollover and Key Maintenance are fully managed by PowerDNS.
In addition to the above, PowerDNSSEC also supports modes of operation which may not have an equivalent in other pieces of software, for example NSEC3-narrow mode.
PowerDNSSEC supports:
NSEC
NSEC3
NSEC3-narrow
DS (digest type 1, 2, 3 and provisional point 4)
RSASHA1 (algorithm 5, algorithm 7)
RSASHA256 (algorithm 8)
RSASHA512 (algorithm 10)
ECC-GOST (algorithm 12)
ECDSA (no codepoints assigned, provisional 13 and 14)
This corresponds to:
RFC 4033: DNS Security Introduction and Requirements
RFC 4034: Resource Records for the DNS Security Extensions
RFC 4035: Protocol Modifications for the DNS Security Extensions
RFC 4509: Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs)
RFC 5155: DNS Security (DNSSEC) Hashed Authenticated Denial of Existence
RFC 5702: Use of SHA-2 Algorithms with RSA in DNSKEY and RRSIG Resource Records for DNSSEC
RFC 5933: Use of GOST Signature Algorithms in DNSKEY and RRSIG Resource Records for DNSSEC
draft-ietf-dnsext-ecdsa: Elliptic Curve DSA for DNSSEC
Traditionally, DNSSEC signatures have been added to unsigned zones, and then this signed zone could be served by any DNSSEC capable authoritative server. PowerDNS supports this mode fully.
In addition, PowerDNS supports taking care of the signing itself, in which case PowerDNS operates differently from most tutorials and handbooks. This mode is easier, however.
For relevant tradeoffs, please see Section 9, “Security” and Section 10, “Performance”.