Version 3 (modified by ahu, 3 years ago)
PowerDNS Backends: DNSSEC
In order to support DNSSEC, a backend needs to implement the following method:
bool getBeforeAndAfterNames(uint32_t id, const std::string& qname, std::string& before, std::string& after)
This should return the names that sit immediately before and after the given qname in the zone. The qname itself need not exist in your database: this method is used to build NSEC responses, which prove that a name does not exist, or that an existing name has no records of the queried type.
A backend can return false to state that it does not support DNSSEC.
The names 'before' and 'after' refer to DNSSEC canonical ordering (RFC 4034, section 6.1), which compares names label by label starting from the rightmost label, case-insensitively, with a label that is a prefix of another sorting first. So 'wwwwwww.powerdnssec.org' and 'www.powerdnssec.org' are compared as {"org", "powerdnssec", "wwwwwww"} > {"org", "powerdnssec", "www"}. A simple way to achieve this for most records is to store record names lowercased and reversed, with dots replaced by spaces, so "org powerdnssec wwwwwww" > "org powerdnssec www". This works because a space sorts before every character that can appear in a hostname label, so a name always sorts directly before the names below it; labels containing octets that sort below a space (legal in DNS, rare in practice) are the exception.
The 'auth' field
DNSSEC needs to know which data this zone is authoritative for and which data really belongs to a child zone. All NS records except those at the apex (the 'SOA level') are delegations and therefore not auth, and neither is any glue (address records for name servers at or below such a delegation). For everything else, return 'auth=1'.
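The rule above applied to a small constructed zone, as an added C++ example (not PowerDNS's own code): delegation points are the owner names of NS records below the apex, and anything at or under one of them is glue. One exception that the rule above does not spell out is a DS record at the cut, which the parent zone signs (RFC 4035) and which therefore stays auth. The Record struct, isAuth, delegationPoints and the sample zone are all assumptions made for this example.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// A record as a generic backend would hand it out (constructed for this example).
struct Record {
    std::string qname;
    std::string qtype;    // "NS", "A", "AAAA", "DS", ...
};

// DNS names compare case-insensitively, so normalise before comparing.
static std::string lowerName(std::string s)
{
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// True if 'name' is 'ancestor' itself or lies below it, on whole labels only
// (so "xsub.example.org" is not below "sub.example.org").
static bool isAtOrBelow(const std::string& name, const std::string& ancestor)
{
    std::string n = lowerName(name), a = lowerName(ancestor);
    if (n == a) return true;
    return n.size() > a.size()
        && n.compare(n.size() - a.size(), a.size(), a) == 0
        && n[n.size() - a.size() - 1] == '.';
}

// Delegation points: owner names of NS records that are not the zone apex.
static std::vector<std::string> delegationPoints(const std::vector<Record>& zone,
                                                 const std::string& apex)
{
    std::vector<std::string> cuts;
    for (const Record& r : zone)
        if (r.qtype == "NS" && lowerName(r.qname) != lowerName(apex))
            cuts.push_back(r.qname);
    return cuts;
}

// The 'auth' value for one record. NS records below the apex describe a child
// zone, and records at or under such a delegation are glue (or otherwise
// occluded), so neither is authoritative here. A DS record at the cut is the
// exception: it belongs to the parent side (RFC 4035). Everything else is auth.
static bool isAuth(const Record& r, const std::string& apex, const std::vector<std::string>& cuts)
{
    if (r.qtype == "NS" && lowerName(r.qname) != lowerName(apex))
        return false;
    for (const std::string& cut : cuts) {
        if (!isAtOrBelow(r.qname, cut)) continue;
        if (r.qtype == "DS" && lowerName(r.qname) == lowerName(cut))
            return true;
        return false;   // glue under the delegation
    }
    return true;
}

// Constructed sample zone: example.org with one delegation to sub.example.org.
static std::vector<Record> sampleZone()
{
    return {
        {"example.org", "SOA"}, {"example.org", "NS"}, {"ns1.example.org", "A"},
        {"www.example.org", "A"}, {"sub.example.org", "NS"},
        {"sub.example.org", "DS"}, {"ns1.sub.example.org", "A"},
    };
}

// Convenience: the auth flag for a (name, type) in the sample zone.
static bool sampleAuth(const std::string& qname, const std::string& qtype)
{
    const std::vector<Record> zone = sampleZone();
    const std::vector<std::string> cuts = delegationPoints(zone, "example.org");
    return isAuth(Record{qname, qtype}, "example.org", cuts);
}
```

Note that ns1.example.org stays auth even though it is the target of the apex NS set: only address records at or below a delegation point are glue.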
Generic SQL backends
These gain an 'auth' field plus an 'ordername' field. The ordername should contain the *relative* part of the record name (the labels below the zone apex) in reverse canonical order as described above. So the SOA record of the zone 'powerdnssec.org' has the empty string as its ordername, and within that zone the record 'images.cloud.powerdnssec.org' has 'cloud images' as its ordername. NOTE: The above is NOT in sync with the current situation in Subversion yet!
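The canonical ordering rule and the 'ordername' derivation above, as an added C++ example that is not part of this page or of PowerDNS itself: canonicalLess implements the RFC 4034 canonical order, orderName produces the generic SQL ordername, and getBeforeAndAfterNames performs the lookup the backend method has to make, here over an in-memory set of owner names, including the wrap-around at both ends of the NSEC chain. The NameSet type, the sample zone and all helper names are assumptions of this example.

```cpp
#include <algorithm>
#include <cctype>
#include <iterator>
#include <set>
#include <stdexcept>
#include <string>
#include <vector>

// Split a dotted name into lowercased labels; canonical form is case-insensitive.
static std::vector<std::string> labelsOf(const std::string& name)
{
    std::vector<std::string> out;
    std::string cur;
    for (char c : name) {
        if (c == '.') { out.push_back(cur); cur.clear(); continue; }
        cur.push_back(static_cast<char>(std::tolower(static_cast<unsigned char>(c))));
    }
    if (!cur.empty()) out.push_back(cur);
    return out;
}

// RFC 4034 section 6.1 canonical ordering: start at the rightmost (most
// significant) label; compare labels as unsigned octet strings, a label that is
// a prefix of another sorting first; a name that runs out of labels first sorts first.
static bool canonicalLess(const std::string& a, const std::string& b)
{
    std::vector<std::string> la = labelsOf(a), lb = labelsOf(b);
    std::reverse(la.begin(), la.end());
    std::reverse(lb.begin(), lb.end());
    auto octetLess = [](char p, char q) {
        return static_cast<unsigned char>(p) < static_cast<unsigned char>(q);
    };
    return std::lexicographical_compare(la.begin(), la.end(), lb.begin(), lb.end(),
        [&](const std::string& x, const std::string& y) {
            return std::lexicographical_compare(x.begin(), x.end(), y.begin(), y.end(), octetLess);
        });
}

struct CanonicalLess {
    bool operator()(const std::string& a, const std::string& b) const { return canonicalLess(a, b); }
};
typedef std::set<std::string, CanonicalLess> NameSet;   // owner names kept in canonical order

// The generic SQL 'ordername': the labels below the apex, reversed and joined
// with spaces; the apex itself gets "". Plain string comparison of these values
// agrees with canonicalLess because ' ' sorts below every hostname octet.
static std::string orderName(const std::string& qname, const std::string& zone)
{
    std::vector<std::string> lq = labelsOf(qname), lz = labelsOf(zone);
    if (lq.size() < lz.size() || !std::equal(lz.rbegin(), lz.rend(), lq.rbegin()))
        throw std::invalid_argument(qname + " is not in zone " + zone);
    std::string out;
    for (size_t i = lq.size() - lz.size(); i-- > 0;) {   // relative labels, right to left
        if (!out.empty()) out += ' ';
        out += lq[i];
    }
    return out;
}

// Mirrors the backend method on the in-memory set. 'before' is the last name at
// or before qname (an existing qname owns the NSEC that answers a NODATA query
// for it), 'after' the first name strictly past it. The chain wraps around: the
// name after the last is the first (the apex), the name before the first is the last.
static bool getBeforeAndAfterNames(const NameSet& names, const std::string& qname,
                                   std::string& before, std::string& after)
{
    if (names.empty())
        return false;                                   // nothing to order
    auto afterIt = names.upper_bound(qname);            // first name > qname
    after = (afterIt == names.end()) ? *names.begin() : *afterIt;
    before = (afterIt == names.begin()) ? *names.rbegin() : *std::prev(afterIt);
    return true;
}

// Constructed sample zone (not from the page): powerdnssec.org and a few names.
static NameSet sampleZone()
{
    return NameSet{"powerdnssec.org", "www.powerdnssec.org", "wwwwwww.powerdnssec.org",
                   "www2.powerdnssec.org", "cloud.powerdnssec.org", "images.cloud.powerdnssec.org"};
}

// Look a qname up in the sample zone; returns "before|after" for easy checking.
static std::string surrounding(const std::string& qname)
{
    std::string before, after;
    if (!getBeforeAndAfterNames(sampleZone(), qname, before, after)) return "";
    return before + "|" + after;
}
```

With this zone the canonical order is powerdnssec.org, cloud, images.cloud, www, www2, wwwwwww: 'www2' sorts after 'www' because 'www' is a prefix of it, and before 'wwwwwww' because '2' is a smaller octet than 'w'. A query for the non-existent test.powerdnssec.org therefore gets images.cloud.powerdnssec.org as 'before' and www.powerdnssec.org as 'after', which is exactly the NSEC that proves the gap.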