<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Dear all,<div><br></div><div>I have deployed DNSSEC yesterday for my domains.</div><div>First, my situation:</div><div>I have a Windows Server 2008 primary name server and a PowerDNS 3.1 slave server. This slave runs on Ubuntu 12.04 and I have compiled it from source myself. I use the gmysql backend btw.</div><div><br></div><div>Now there seems to be something strange going on:</div><div>I have a domain, <a href="http://tandemse.nl">tandemse.nl</a>, for which DNSSEC is being used. I have an A-record for *.<a href="http://tandemse.nl">tandemse.nl</a>.</div><div><br></div><div>If I ask the Windows server for an A-record for <a href="http://randomsubdomain.tandemse.nl">randomsubdomain.tandemse.nl</a> I get this response (sorry for a lot of copy-paste, I truncated useless stuff):</div><div><br></div><div>--------------</div><div><div>$ dig <a href="http://randomsubdomain.tandemse.nl">randomsubdomain.tandemse.nl</a> in A @<a href="http://ns1.tandemse.nl">ns1.tandemse.nl</a> +dnssec</div><div><br></div><div>[…]</div><div>;; ANSWER SECTION:</div><div><a href="http://randomsubdomain.tandemse.nl">randomsubdomain.tandemse.nl</a>. 3600 IN<span class="Apple-tab-span" style="white-space:pre"> </span>A<span class="Apple-tab-span" style="white-space:pre"> </span>80.113.202.87</div><div><a href="http://randomsubdomain.tandemse.nl">randomsubdomain.tandemse.nl</a>. 3600 IN<span class="Apple-tab-span" style="white-space:pre"> </span>RRSIG<span class="Apple-tab-span" style="white-space:pre"> </span>A 5 2 3600 20120904082043 20120805082043 18273 <a href="http://tandemse.nl">tandemse.nl</a>. BIev96aAl3DfATr+sepXXdf54ohBzV2EBViGl/iwXDY/upPBBsSVgwh5 gOwgRl7U/lyb176N4koav0Ay5JJhhFFllk7kmkfnlLGfQ3g0JwpRXkKG BMaaUZRJdzrQs5TYoLgrLvnJnkGcXnGD926q+jb2pOAKcJMvcaJczUcP BFfhDKhyOrvUar/PARsCBlL4H3nWz3pmdXEW/m49/aJ0TMTq1bxgbSvR sSfpyTyERQI1mYRpiwU7soDsodVGFDMLKcwIqi07fV1I9TwYrYKgKUkp TuHThZd/46HygCwrZIHNyRQRIldn/5gqBKtxlSc6rkUNlVJnNc+qrpFy Otgskg==</div><div><br></div><div>;; AUTHORITY SECTION:</div><div><a href="http://rails-server.tandemse.nl">rails-server.tandemse.nl</a>. 3600<span class="Apple-tab-span" style="white-space:pre"> </span>IN<span class="Apple-tab-span" style="white-space:pre"> </span>NSEC<span class="Apple-tab-span" style="white-space:pre"> </span><a href="http://tandemse.nl">tandemse.nl</a>. A AAAA RRSIG NSEC</div><div><a href="http://rails-server.tandemse.nl">rails-server.tandemse.nl</a>. 3600<span class="Apple-tab-span" style="white-space:pre"> </span>IN<span class="Apple-tab-span" style="white-space:pre"> </span>RRSIG<span class="Apple-tab-span" style="white-space:pre"> </span>NSEC 5 3 3600 20120904082043 20120805082043 18273 <a href="http://tandemse.nl">tandemse.nl</a>. lgKh6d6DEUsuq2IEBSxqwwYRXV3uCkRdnNavCyr2mLkI19skLNEBIkRH n3GGGRjD8jUFF4LT/dKl8deZhMsNoXgC3Xzr5XGumuy9GHn8ZgS/Gx9T a4444GrBtSZJq+RZ2l2AQ4aCd5I0FBHt4i9du50XNRygWOYGsVdIdE+G qSBhltKU2NOm4IfnkGIYSgbMcQJMr2oNZXG/O0wo937D9XEbMoxOMnUj PYdW6/0m/PdbHGPVzg5+GlncDpK+IwGSm39WG4M4ModKJWr0y+3i8cAB CIIzdX7zSsbzZOddySeHMfGH2EKNFrpDURWH/ls1rmjnqhrVa4udFKhh +Bx6CA==</div><div>[…]</div></div><div>--------------</div><div><br></div><div>However, when I ask my slave PowerDNS server, I get the following response;</div><div><br></div><div>--------------</div><div><div>$ dig <a href="http://randomsubdomain.tandemse.nl">randomsubdomain.tandemse.nl</a> in A @<a href="http://ns2.tandemse.nl">ns2.tandemse.nl</a> +dnssec</div><div>[…]</div><div>;; ANSWER SECTION:</div><div><a href="http://randomsubdomain.tandemse.nl">randomsubdomain.tandemse.nl</a>. 3600 IN<span class="Apple-tab-span" style="white-space:pre"> </span>A<span class="Apple-tab-span" style="white-space:pre"> </span>80.113.202.87</div><div><br></div><div>;; AUTHORITY SECTION:</div><div><a href="http://rails-server.tandemse.nl">rails-server.tandemse.nl</a>. 3600<span class="Apple-tab-span" style="white-space:pre"> </span>IN<span class="Apple-tab-span" style="white-space:pre"> </span>NSEC<span class="Apple-tab-span" style="white-space:pre"> </span>_autodiscover._<a href="http://tcp.tandemse.nl">tcp.tandemse.nl</a>. A AAAA RRSIG NSEC</div><div><a href="http://rails-server.tandemse.nl">rails-server.tandemse.nl</a>. 3600<span class="Apple-tab-span" style="white-space:pre"> </span>IN<span class="Apple-tab-span" style="white-space:pre"> </span>RRSIG<span class="Apple-tab-span" style="white-space:pre"> </span>NSEC 5 3 3600 20120904082043 20120805082043 18273 <a href="http://tandemse.nl">tandemse.nl</a>. lgKh6d6DEUsuq2IEBSxqwwYRXV3uCkRdnNavCyr2mLkI19skLNEBIkRH n3GGGRjD8jUFF4LT/dKl8deZhMsNoXgC3Xzr5XGumuy9GHn8ZgS/Gx9T a4444GrBtSZJq+RZ2l2AQ4aCd5I0FBHt4i9du50XNRygWOYGsVdIdE+G qSBhltKU2NOm4IfnkGIYSgbMcQJMr2oNZXG/O0wo937D9XEbMoxOMnUj PYdW6/0m/PdbHGPVzg5+GlncDpK+IwGSm39WG4M4ModKJWr0y+3i8cAB CIIzdX7zSsbzZOddySeHMfGH2EKNFrpDURWH/ls1rmjnqhrVa4udFKhh +Bx6CA==</div><div>[…]</div></div><div>--------------</div><div><br></div><div>As can be seen, the RRSIG for the A-record is missing (and the NSEC is different, which should also not be the case right?).</div><div>Now my question is: is the Windows Server doing this wrong or is it the PowerDNS slave? Because the A-record is for "*" and not for "randomsubdomain".<br><div>
<div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><br class="Apple-interchange-newline">Regards,</div><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><br></div><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; ">Nicky Gerritsen</div>
</div>
<br></div><div>p.s. yes I know I should better use NSEC3; however apparently Windows Server does not support this :(</div></body></html>