DNSSEC is a major change in the way DNS works. Furthermore, there is a bewildering array of settings that can be configured.
It is entirely possible to configure DNSSEC in such a way that your domain will not operate reliably, or even at all.
We advise operators to stick to the keying defaults of 'pdnssec secure-zone': RSASHA256 (algorithm 8), 1 Key Signing Key of 2048 bits, 1 active Zone Signing Key of 1024 bits, 1 passive Zone Signing Key of 1024 bits.
While the 'GOST' and 'ECDSA' algorithms are better choices in theory, not many DNSSEC resolvers can validate answers signed with such keys. Much the same goes for RSASHA512, except that it does not offer better performance either.
**Note:** GOST may be more widely available in Russia, because it might be mandatory to implement this regional standard there.
It is possible to operate a zone with different keying algorithms simultaneously, but it has also been observed that this is not reliable.
Depending on your master/slave setup, you may need to tinker with SOA-EDIT on your master.
DNSSEC answers contain (bulky) keying material and signatures, and are therefore a lot larger than regular DNS answers. Normal DNS responses almost always fit in the 'magical' 512 byte limit previously imposed on DNS.
In order to support DNSSEC, operators must make sure that their network allows for:
- >512 byte UDP packets on port 53
- Fragmented UDP packets
- ICMP packets related to fragmentation
- TCP queries on port 53
- EDNS0 queries/responses (filtered by some firewalls)
If any of the conditions outlined above is not met, DNSSEC service will suffer or be completely unavailable.
In addition, the larger your DNS answers, the more critical the above becomes. It is therefore advised not to provision too many keys, or keys that are unnecessarily large.
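The list above describes what a validating resolver needs from the network; the following is an added example (not code from the PowerDNS project) showing the client-side mechanics involved: building a query whose EDNS0 OPT record advertises a UDP buffer larger than 512 bytes with the DO bit set, and reading the TC flag of a reply to decide whether a retry over TCP port 53 is required. The sample responses are constructed headers, not captured traffic.

```python
import struct

def build_dnssec_query(name: str, qtype: int = 1, udp_payload_size: int = 4096, txid: int = 0x1234) -> bytes:
    """Build a DNS query carrying an EDNS0 OPT record (RFC 6891) with the DO bit set.

    udp_payload_size is what the client claims it can receive over UDP; if the
    path blocks >512 byte or fragmented UDP, the large signed answer never arrives.
    """
    # Header: RD set, 1 question, 0 answers, 0 authority, 1 additional (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # qclass IN
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size,
    # TTL = ext-rcode(8) | version(8) | DO(1) | Z(15)  -> DO bit is 0x8000, RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_payload_size, 0x00008000, 0)
    return header + question + opt

def parse_response_flags(packet: bytes) -> dict:
    """Return the header fields a client inspects before trusting a UDP reply."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "tc": bool(flags & 0x0200),   # TC: answer did not fit, retry over TCP
        "rcode": flags & 0x000F,
        "ancount": an,
        "size": len(packet),
    }

def needs_tcp_retry(packet: bytes) -> bool:
    """TC=1 means the signed answer exceeded what UDP could deliver; TCP/53 must be open."""
    return parse_response_flags(packet)["tc"]

# Constructed sample headers (flags: QR|RD|RA = 0x8180, plus TC = 0x0200 for the truncated one)
SAMPLE_NORMAL_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
SAMPLE_TRUNCATED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 1)

if __name__ == "__main__":
    q = build_dnssec_query("example.com")
    print(len(q), "byte query, OPT advertises", struct.unpack("!H", q[-9:-7])[0], "bytes")
    print("truncated sample needs TCP:", needs_tcp_retry(SAMPLE_TRUNCATED_RESPONSE))
```

Sending the query with a real socket and comparing the UDP and TCP answers for your own zone is a quick way to confirm all five network conditions above hold end to end.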