<div dir="ltr">Yea, but that's the rub. I want to do this WITHOUT 'presigned zones.' I want everything else to be live-signed (because it's SO much easier than presigning), and only munge this one subdomain's RRSIGs.<div><br></div><div>I'm looking into using a postresolve Lua script for this, as Aki suggested, because it sounds like that's likely the only way to do what I want. I found this sample, which is pretty helpful:</div><div><br></div><div><a href="https://wiki.powerdns.com/trac/browser/trunk/pdns/pdns/powerdns-example-script.lua">https://wiki.powerdns.com/trac/browser/trunk/pdns/pdns/powerdns-example-script.lua</a><br></div><div><br></div><div>But I'm trying to find actual documentation about where to put the script, what the inputs and outputs to postresolve are, etc., and I can't find it with Google. I've only been able to find the Recursor scripting documentation, not the Authoritative documentation. Can someone point me to the Authoritative documentation on using scripting to alter responses?</div><div><br></div><div>Thanks,</div><div><br></div><div>Nick</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jan 6, 2016 at 1:12 PM, bert hubert <span dir="ltr"><<a href="mailto:bert.hubert@powerdns.com" target="_blank">bert.hubert@powerdns.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Wed, Jan 06, 2016 at 12:46:38PM -0600, Nicholas Williams wrote:<br>
> Out of curiosity, what DOES PowerDNS do if it finds an both an A and an<br>
> RRSIG record for <a href="http://a.b.c.com" rel="noreferrer" target="_blank">a.b.c.com</a> in the database?<br>
<br>
</span>Hi Nicholas,<br>
<br>
To answer both your messages in one go, if you run with 'presigned zones',<br>
PowerDNS will use the RRSIG from your database. So it will find the right<br>
RRSIG that goes with your A record.<br>
<br>
Secondly, if you use a pre-signed zone, you can also mess up your RRSIG by<br>
hand to generate a 'broken' zone.<br>
<span class="HOEnZb"><font color="#888888"><br>
Bert<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
><br>
> Nick<br>
><br>
> On Wed, Jan 6, 2016 at 12:33 PM, Aki Tuomi <<a href="mailto:cmouse@cmouse.fi">cmouse@cmouse.fi</a>> wrote:<br>
><br>
> > The code does not support this but you might be able to use postresolve<br>
> > Lua hook to break the reply signature.<br>
> ><br>
> > ---<br>
> > Aki Tuomi<br>
> > -------- Alkuperäinen viesti --------<br>
> > Lähettäjä: Nick Williams <<a href="mailto:nicholas@nicholaswilliams.net">nicholas@nicholaswilliams.net</a>><br>
> > Päivämäärä: 6.1.2016 19.54 (GMT+02:00)<br>
> > Saaja: pdns-users Users <<a href="mailto:pdns-users@mailman.powerdns.com">pdns-users@mailman.powerdns.com</a>><br>
> > Aihe: [Pdns-users] Setting up intentionally invalid DNSSEC record in<br>
> > auto-secure environment<br>
> ><br>
> > Hi all,<br>
> ><br>
> > We're running a PowerDNS 3.4.6 installation with the MySQL backend, and<br>
> > we’re using pdnsutil secure-zone/set-nsec3/rectify-zone to automatically<br>
> > secure all of our domains (the least-effort method, instead of manually<br>
> > signing everything). It works great. Thanks for the excellent software!<br>
> ><br>
> > To support an internal testing tool, I would like to set up a few DNS<br>
> > records on a subdomain of one of our signed domains, and have those DNS<br>
> > records //intentionally invalidly signed// so that verifying resolvers will<br>
> > flag them and not return them. What is the best way to do this? Can I<br>
> > simply manually enter an invalid RRSIG record for each record, and that<br>
> > manual record will take precedence over any automatic signing that PowerDNS<br>
> > preforms? Or do I need to take some other step (perhaps it requires a<br>
> > separate domain)? Or is what I want to do impossible with PowerDNS<br>
> > automatic signing enabled?<br>
> ><br>
> > Thanks!<br>
> ><br>
> > Nick Williams<br>
> > _______________________________________________<br>
> > Pdns-users mailing list<br>
> > <a href="mailto:Pdns-users@mailman.powerdns.com">Pdns-users@mailman.powerdns.com</a><br>
> > <a href="http://mailman.powerdns.com/mailman/listinfo/pdns-users" rel="noreferrer" target="_blank">http://mailman.powerdns.com/mailman/listinfo/pdns-users</a><br>
> ><br>
<br>
> _______________________________________________<br>
> Pdns-users mailing list<br>
> <a href="mailto:Pdns-users@mailman.powerdns.com">Pdns-users@mailman.powerdns.com</a><br>
> <a href="http://mailman.powerdns.com/mailman/listinfo/pdns-users" rel="noreferrer" target="_blank">http://mailman.powerdns.com/mailman/listinfo/pdns-users</a><br>
<br>
</div></div></blockquote></div><br></div>