<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">So, I think I’ve almost got this, but I’m having a problem with the pre-signed zone’s NSEC3 RRSIGs. Here’s what I did:<div class=""><br class=""></div><div class="">I already have a live-signed zone (<a href="http://my-zone.com" class="">my-zone.com</a>) that works perfectly. A-records come with automatic RRSIGs, SOA record comes with an RRSIG, NS records come with an RRSIG, etc. I added a presigned delegated subzone by:</div><div class=""><br class=""></div><div class="">1. Creating a new domain <a href="http://d7e8ac.test-records.my-zone.com" class="">d7e8ac.test-records.my-zone.com</a>.</div><div class="">2. Running `pdnssec secure-zone <a href="http://d7e8ac.test-records.my-zone.com" class="">d7e8ac.test-records.my-zone.com</a>` and `pdnssec set-nsec3 <a href="http://d7e8ac.test-records.my-zone.com" class="">d7e8ac.test-records.my-zone.com</a> 1 0 3 B45550` so that the keys and NSEC3 params are automatically created for me by PowerDNS.</div><div class="">3. Creating the SOA, NS, and A (namely, <a href="http://good.d7e8ac.test-records.my-zone.com" class="">good.d7e8ac.test-records.my-zone.com</a> and <a href="http://bad.d7e8ac.test-records.my-zone.com" class="">bad.d7e8ac.test-records.my-zone.com</a>) records I want.</div><div class="">4. Running `pdnssec rectify-zone <a href="http://d7e8ac.test-records.my-zone.com" class="">d7e8ac.test-records.my-zone.com</a>`.</div><div class="">5. Copying down all of the RRSIG records that PowerDNS live-generates.</div><div class="">6. Running `pdnssec set-presigned <a href="http://d7e8ac.test-records.my-zone.com" class="">d7e8ac.test-records.my-zone.com</a>` to disable live-signing.</div><div class="">7. Inserting the RRSIG records that PowerDNS previously created into MySQL.</div><div class="">8. 
Creating the NS records in <a href="http://my-zone.com" class="">my-zone.com</a> for the <a href="http://d7e8ac.test-records.my-zone.com" class="">d7e8ac.test-records.my-zone.com</a> subzone pointing to the same servers.</div><div class="">9. Inserting the DS records in <a href="http://my-zone.com" class="">my-zone.com</a> for the <a href="http://d7e8ac.test-records.my-zone.com" class="">d7e8ac.test-records.my-zone.com</a> subzone using the DS records from `pdnssec show-zone`.</div><div class=""><br class=""></div><div class="">I have not yet munged the RRSIG for <a href="http://bad.d7e8ac.test-records.my-zone.com" class="">bad.d7e8ac.test-records.my-zone.com</a>, so it is still correctly signed. In other words, <a href="http://d7e8ac.test-records.my-zone.com" class="">d7e8ac.test-records.my-zone.com</a> should be just like any other pre-signed zone, except it’s a subzone.</div><div class=""><br class=""></div><div class="">So, I ran a thorough analysis of <a href="http://my-zone.com" class="">my-zone.com</a> using <a href="http://dnsviz.net" class="">http://dnsviz.net</a>, just to make sure it hadn’t been affected, and everything checked out perfectly. I can also query any and all records through my verifying recursors and they get returned. And, if I dig the non-existent <a href="http://dne.my-zone.com" class="">dne.my-zone.com</a>, I get back NXDOMAIN with NSEC3 and RRSIG records as shown below. It’s all perfect:</div><div class=""><br class=""></div><div class=""><div class=""><a href="http://my-zone.com" class="">my-zone.com</a>.<span class="Apple-tab-span" style="white-space:pre"> </span>1800<span class="Apple-tab-span" style="white-space:pre"> </span>IN<span class="Apple-tab-span" style="white-space:pre"> </span>SOA<span class="Apple-tab-span" style="white-space:pre"> </span><a href="http://dns1.my-zone.com" class="">dns1.my-zone.com</a>. <a href="http://noc.my-zone.com" class="">noc.my-zone.com</a>. 
2016010608 10800 3600 604800 1800</div><div class=""><a href="http://my-zone.com" class="">my-zone.com</a>.<span class="Apple-tab-span" style="white-space:pre"> </span>1800<span class="Apple-tab-span" style="white-space:pre"> </span>IN<span class="Apple-tab-span" style="white-space:pre"> </span>RRSIG<span class="Apple-tab-span" style="white-space:pre"> </span>SOA 8 2 86400 20160121000000 20151231000000 33379 <a href="http://my-zone.com" class="">my-zone.com</a>. I2AxpLVafoux...</div><div class=""><a href="http://8jioqnlor5460c8jk6s0uqnlqobfsad1.my-zone.com" class="">8jioqnlor5460c8jk6s0uqnlqobfsad1.my-zone.com</a>. 1800 IN NSEC3 1 0 3 D4AF00 9T62A084PPEDCI0UGGCE6O1CBS88UP2G A NS SOA MX TXT RRSIG DNSKEY NSEC3PARAM</div><div class=""><a href="http://8jioqnlor5460c8jk6s0uqnlqobfsad1.my-zone.com" class="">8jioqnlor5460c8jk6s0uqnlqobfsad1.my-zone.com</a>. 1800 IN RRSIG NSEC3 8 3 1800 20160121000000 20151231000000 33379 <a href="http://my-zone.com" class="">my-zone.com</a>. IOUTkKrHTp...</div><div class=""><a href="http://0dfe8me5brlq9g3ap8itfpiugjajs2is.my-zone.com" class="">0dfe8me5brlq9g3ap8itfpiugjajs2is.my-zone.com</a>. 1800 IN NSEC3 1 0 3 D4AF00 7RL9CKFSF6N7NQ3CJ78S9MVLPJB0T9G0 A RRSIG</div><div class=""><a href="http://0dfe8me5brlq9g3ap8itfpiugjajs2is.my-zone.com" class="">0dfe8me5brlq9g3ap8itfpiugjajs2is.my-zone.com</a>. 1800 IN RRSIG NSEC3 8 3 1800 20160121000000 20151231000000 33379 <a href="http://my-zone.com" class="">my-zone.com</a>. Hbr5ir8PlS+/...</div><div class=""><a href="http://hb7aqcuebqfhou10qfsgcbu83no1plbb.my-zone.com" class="">hb7aqcuebqfhou10qfsgcbu83no1plbb.my-zone.com</a>. 1800 IN NSEC3 1 0 3 D4AF00 O7EF2SKIOJJKFASIIMVQGHUO03I2BNP5</div><div class=""><a href="http://hb7aqcuebqfhou10qfsgcbu83no1plbb.my-zone.com" class="">hb7aqcuebqfhou10qfsgcbu83no1plbb.my-zone.com</a>. 1800 IN RRSIG NSEC3 8 3 1800 20160121000000 20151231000000 33379 <a href="http://my-zone.com" class="">my-zone.com</a>. 
EljCuzDzUA…</div></div><div class=""><br class=""></div><div class="">I then ran a thorough analysis of <a href="http://d7e8ac.test-records.my-zone.com" class="">d7e8ac.test-records.my-zone.com</a> using the same website and MOST things turned out perfectly. The NS, SOA, and A records all check out. However, I couldn’t query them through my verifying recursors—I get NXDOMAIN every time. (I could query through my verifying recursors before setting the zone to presigned.) That’s what led me to check the non-existent <a href="http://dne.d7e8ac.test-records.my-zone.com" class="">dne.d7e8ac.test-records.my-zone.com</a>. And that revealed the problem. The documentation says presigned zones should NOT include NSEC3 records or their RRSIGs, because PowerDNS still automatically generates NSEC3 records and their RRSIGs for presigned zones. But it’s not. It’s only returning the NSEC3 records, unsigned:</div><div class=""><br class=""></div><div class=""><div class=""><a href="http://d7e8ac.test-records.my-zone.com" class="">d7e8ac.test-records.my-zone.com</a>. 1800 IN SOA<span class="Apple-tab-span" style="white-space:pre"> </span><a href="http://dns1.my-zone.com" class="">dns1.my-zone.com</a>. <a href="http://noc.my-zone.com" class="">noc.my-zone.com</a>. 2016010701 10800 3600 604800 1800</div><div class=""><a href="http://d7e8ac.test-records.my-zone.com" class="">d7e8ac.test-records.my-zone.com</a>. 1800 IN RRSIG SOA 8 4 86400 20160121000000 20151231000000 34311 <a href="http://d7e8ac.test-records.my-zone.com" class="">d7e8ac.test-records.my-zone.com</a>. fJYArsO2S...</div><div class=""><a href="http://prhpl89qu0ncp23b3qhr10citsu7gs2n.d7e8ac.test-records.my-zone.com" class="">prhpl89qu0ncp23b3qhr10citsu7gs2n.d7e8ac.test-records.my-zone.com</a>. 
1800 IN NSEC3 1 0 3 B45550 H09M6KE4HUPDK9Q1NMF53UTSDBFDIIIC NS SOA RRSIG DNSKEY NSEC3PARAM</div><div class=""><a href="http://h09m6ke4hupdk9q1nmf53utsdbfdiiic.d7e8ac.test-records.my-zone.com" class="">h09m6ke4hupdk9q1nmf53utsdbfdiiic.d7e8ac.test-records.my-zone.com</a>. 1800 IN NSEC3 1 0 3 B45550 OV9D2N9BPO4FQVELB9H5O3SGSN329H1U A RRSIG</div></div><div class=""><br class=""></div><div class="">I can’t think of anything I missed. And, clearly, PowerDNS is correctly generating NSEC3 records. But it’s not signing those records.</div><div class=""><br class=""></div><div class="">Any insights as to what might be wrong?</div><div class=""><br class=""></div><div class="">Thanks,</div><div class=""><br class=""></div><div class="">Nick</div><div class=""><br class=""><div class=""><div><blockquote type="cite" class=""><div class="">On Jan 6, 2016, at 2:38 PM, <a href="mailto:leen@consolejunkie.net" class="">leen@consolejunkie.net</a> wrote:</div><br class="Apple-interchange-newline"><div class="">On 2016-01-06 20:42, Nicholas Williams wrote:<br class=""><blockquote type="cite" class="">I'll look into that other script. Thanks, Bert.<br class=""><br class=""><blockquote type="cite" class=""> How about creating a separate sub-zone with a broken presigned<br class=""></blockquote>DNSSEC<br class=""><br class=""><blockquote type="cite" class=""> You can set presigned for just that single zone using the<br class=""></blockquote>PRESIGNED domain metadata[1] in your database.<br class=""><br class="">I really like this idea in combination. That documentation that Pieter<br class="">sent me should help me get set up with presigning. But, Leen, how<br class="">would I set up a subzone delegated to the same authoritative server<br class="">(or can I, even?)? 
Can you point me to that documentation?<br class=""><br class=""></blockquote><br class="">It's just a domain & delegation like any other (this is the same thing the TLD does for you):<br class=""><br class="">Just have both an autosigned-domain.tld and presigned-subzone.autosigned-domain.tld in the domains-table like any normal domain.<br class=""><br class="">Both domains should have NS and SOA records in the records table like any normal domain.<br class=""><br class="">Then create the delegation in the autosigned-domain.tld domain by adding the NS-records pointing to the presigned-subzone.autosigned-domain.tld<br class=""><br class="">Domain_id: autosigned-domain.tld ; name: presigned-subzone.autosigned-domain.tld ; type: NS ; content: ns1.autosigned-domain.tld<br class="">Domain_id: autosigned-domain.tld ; name: presigned-subzone.autosigned-domain.tld ; type: NS ; content: ns2.autosigned-domain.tld<br class=""><br class="">Now because it's DNSSEC you need to make it secure.<br class=""><br class="">Assuming you want to sign the sub-zone for testing:<br class=""><br class="">pdnssec secure-zone presigned-subzone.autosigned-domain.tld<br class=""><br class="">Then you can grab the DS-record which then needs to be added to the parent zone:<br class=""><br class="">pdnssec show-zone presigned-subzone.autosigned-domain.tld<br class=""><br class="">To know what the DS-record is.<br class=""><br class="">Add the DNSSEC DS-record for presigned-subzone.autosigned-domain.tld in the autosigned-domain.tld domain.<br class=""><br class="">domain_id: autosigned-domain.tld; name: presigned-subzone.autosigned-domain.tld<span class="Apple-tab-span" style="white-space:pre"> </span>; type: DS<span class="Apple-tab-span" style="white-space:pre"> </span>; content: '5725 8 2 512fa6fe4d1f9ba974832e3456c4769db6c16ca1...'<br class=""><br class="">Hope that makes it clear.<br class=""><br class="">You should now be able to look up a DNSSEC-signed record for the 
presigned-subzone.autosigned-domain.tld for example the SOA-record.<br class=""><br class="">Have a good day,<br class=""> Leen.<br class=""><br class=""><blockquote type="cite" class="">Google really hasn't indexed this documentation very well at all...<br class=""><br class="">Thanks,<br class=""><br class="">Nick<br class=""><br class=""></blockquote></div></blockquote></div><br class=""></div></div></body></html>