<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Jan 9, 2016, at 3:28 PM, Pieter Lexis <<a href="mailto:pieter.lexis@powerdns.com" class="">pieter.lexis@powerdns.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">Hi Nick,<br class=""><br class="">On Sat, 9 Jan 2016 14:48:12 -0600<br class="">Nicholas Williams <<a href="mailto:nicholas@nicholaswilliams.net" class="">nicholas@nicholaswilliams.net</a>> wrote:<br class=""><br class=""><blockquote type="cite" class="">But the documentation says the opposite. It says NOT to create<br class="">NSEC(3) records (in fact, zone2sql intentionally ignores them, even<br class="">for presigned zones), because (again, it says) PowerDNS generates<br class="">then automatically, even for presigned zones. It also says that<br class="">manually inserting NSEC3 records could cause errors. So the<br class="">documentation makes clear that, on presigned zones, it is still the<br class="">authority. Indeed, PowerDNS IS generating the NSEC3 records (as I<br class="">showed), just not signing them.<br class=""></blockquote><br class="">This is indeed the way this works. As the NXDOMAIN generation code<br class="">works as it should, the design choice was made to 'just' generate NSECs<br class="">on the fly. The signatures still have to be provided in the presigned<br class="">zone.<br class=""><br class=""><blockquote type="cite" class="">How could I possibly presign records that PowerDNS generates? I<br class="">can't. So why does PowerDNS prohibit me creating NSEC3 records,<br class="">generate them for me, but not sign them?<br class=""></blockquote><br class="">This is because pre-signed zones (from e.g. opendnssec, ldns-signzone<br class="">or slaved from a master) contain the RRSIGs to the negative answers.<br class=""><br class=""><blockquote type="cite" class="">That is, at best, poor design. But I'm confident it's a bug or I've<br class="">configured something incorrectly. <br class=""></blockquote><br class="">I agree this is and 'interesting' design choice made back in the day.<br class="">In normal operation (using other tools to generate DNSSEC records or<br class="">slaving the zone) this will never come up.<br class=""><br class="">I agree that the docs are not very verbose on how presigned zone work,<br class="">we'll fix this in the coming weeks.</div></blockquote><br class=""></div><div>So I need to create signatures for the NSEC3 records, and insert those signatures, but not the NSEC3 records? Fascinating. Let me try this out…</div><div><br class=""></div><div>I started from scratch to ensure I didn’t mess something else up…</div><div><br class=""></div><div>I copied ALL of the RRSIGs this time, including the ones for the NSEC3 records, but I did not copy the NSEC3 records…</div><div><br class=""></div><div>And it works! Everything passes the verification checks and I can resolve both A records through my verifying recursors.</div><div><br class=""></div><div>$ host <a href="http://good.e7d8ca.test.my-zone.com" class="">good.e7d8ca.test.my-zone.com</a><br class=""><a href="http://good.e7d8ca.test.dnscrawler.com" class="">good.e7d8ca.test.dnscrawler.com</a> has address x.x.x.x</div><div><br class="">$ host <a href="http://bad.e7d8ca.test.my-zone.com" class="">bad.e7d8ca.test.my-zone.com</a></div><div><a href="http://bad.e7d8ca.test.dnscrawler.com" class="">bad.e7d8ca.test.dnscrawler.com</a> has address x.x.x.x</div><div><br class=""></div><div>Now, to munge the signature for <a href="http://bad.e7d8ca.test.my-zone.com" class="">bad.e7d8ca.test.my-zone.com</a>…</div><div><br class=""></div><div>And it works! From my verifying recursors:</div><div><br class=""></div><div>$ host <a href="http://good.e7d8ca.test.my-zone.com" class="">good.e7d8ca.test.my-zone.com</a><br class=""><a href="http://good.e7d8ca.test.dnscrawler.com" class="">good.e7d8ca.test.dnscrawler.com</a> has address x.x.x.x</div><div><br class="">$ host <a href="http://bad.e7d8ca.test.my-zone.com" class="">bad.e7d8ca.test.my-zone.com</a><br class="">Host <a href="http://bad.e7d8ca.test.dnscrawler.com" class="">bad.e7d8ca.test.dnscrawler.com</a> not found: 3(NXDOMAIN)</div><div><br class=""></div><div>From non-verifying recursors:</div><div><br class=""></div><div>$ host <a href="http://good.e7d8ca.test.my-zone.com" class="">good.e7d8ca.test.my-zone.com</a> 4.2.2.2<br class="">Using domain server:<br class="">Name: 4.2.2.2<br class="">Address: 4.2.2.2#53<br class="">Aliases: <br class=""><a href="http://good.e7d8ca.test.my-zone.com" class="">good.e7d8ca.test.my-zone.com</a> has address x.x.x.x</div><div><br class="">$ host <a href="http://bad.e7d8ca.test.my-zone.com" class="">bad.e7d8ca.test.my-zone.com</a> 4.2.2.2<br class="">Using domain server:<br class="">Name: 4.2.2.2<br class="">Address: 4.2.2.2#53<br class="">Aliases: <br class=""><a href="http://bad.e7d8ca.test.my-zone.com" class="">bad.e7d8ca.test.my-zone.com</a> has address x.x.x.x</div><div><br class=""></div><div>Thanks for all your help. I still maintain that requiring presigners to provide RRSIG NSEC3 records but NOT provide the NSEC3 records is a bad idea. At the very least, as you said, the documentation needs significant enhancement. But I did get it to work, finally.</div><div><br class=""></div><div>Thanks again,</div><div><br class=""></div><div>Nick</div></body></html>