| Version 2 (modified by ahu, 3 years ago) |
|---|
PowerDNS Backends: DNSSEC
In order to support DNSSEC, a backend needs to implement the following method:
bool getBeforeAndAfterNames(uint32_t id, const std::string& qname, std::string& before, std::string& after)
This should return the names of the DNS records immediately before and after the specified qname. The qname might not exist in your database, since this method is used to generate NSEC responses, which indicate the non-existence of records or record types.
A backend can answer 'false' to state it does not support DNSSEC.
The names 'before' and 'after' refer to DNSSEC canonical ordering, which is in reverse lexicographical label order: names are compared label by label, starting from the rightmost label. So 'wwwwwww.powerdnssec.org' and 'www.powerdnssec.org' are compared as {"org", "powerdnssec", "wwwwwww"} > {"org", "powerdnssec", "www"}. A simple way to achieve this for most records is to store record names with the labels reversed and the dots replaced by spaces, so "org powerdnssec wwwwwww" > "org powerdnssec www".
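The ordering key and the lookup described above, as an added example (not PowerDNS code). `orderKey`, `ToyZone` and the in-memory map are hypothetical, the domain id is dropped from the signature, and treating an existing qname as its own 'before' and wrapping around at both ends of the zone are assumptions of this example.

```cpp
#include <cctype>
#include <iostream>
#include <iterator>
#include <map>
#include <sstream>
#include <string>
#include <vector>

// Ordering key from the text: labels reversed, dots replaced by spaces,
// lowercased. "www.powerdnssec.org" -> "org powerdnssec www".
// Caveat: a label containing bytes below 0x20 sorts wrongly with this key.
std::string orderKey(const std::string& name) {
  std::vector<std::string> labels;
  std::istringstream in(name);
  for (std::string label; std::getline(in, label, '.');)
    if (!label.empty()) labels.push_back(label);
  std::string key;
  for (auto it = labels.rbegin(); it != labels.rend(); ++it) {
    if (!key.empty()) key += ' ';
    for (unsigned char c : *it) key += static_cast<char>(std::tolower(c));
  }
  return key;
}

// Hypothetical in-memory store for one zone: ordering key -> owner name.
struct ToyZone {
  std::map<std::string, std::string> names;
  void add(const std::string& name) { names[orderKey(name)] = name; }
  // Same shape as the backend method, minus the domain id.
  bool getBeforeAndAfterNames(const std::string& qname, std::string& before,
                              std::string& after) const {
    if (names.empty()) return false;
    auto up = names.upper_bound(orderKey(qname));  // first name after qname
    // The NSEC chain is circular: past the last name, "after" is the first one.
    after = (up == names.end() ? names.begin() : up)->second;
    // "before" is the last name at or before qname (assumption of this example);
    // if qname sorts before everything, wrap around to the last name.
    before = (up == names.begin() ? std::prev(names.end()) : std::prev(up))->second;
    return true;
  }
};

int main() {
  ToyZone z;
  for (const char* n : {"powerdnssec.org", "www.powerdnssec.org", "wwwwwww.powerdnssec.org"})
    z.add(n);
  std::string before, after;
  z.getBeforeAndAfterNames("nosuch.powerdnssec.org", before, after);
  std::cout << before << " < nosuch.powerdnssec.org < " << after << "\n";
}
```

A database-backed backend can store the same key in an indexed column and answer both lookups with ordered range queries instead of the in-memory map.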
The 'auth' field
DNSSEC needs to know which data is auth and which is actually data from a child zone. All NS records except those at the apex ('SOA level') are unauth, and so is all glue. For the rest, return 'auth=1'.