
<div dir="ltr">Thats exactly what I was trying to do! Multiple backends (mysql for my own, bind/sqlite for these slave ones). If that doesn't work that explains why :-)<div>I'll redesign what I'm doing in a different way (likely using dnsdist to redirect these presigned slave zones to a different DNS instance)</div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div><div><br></div><div>Theodore Baschak - AS395089 - Hextet Systems</div><div><a href="https://ciscodude.net/" target="_blank">https://ciscodude.net/</a> - <a href="https://hextet.systems/" target="_blank">https://hextet.systems/</a></div><div><a href="http://mbix.ca/" target="_blank">http://mbix.ca/</a></div></div><div><br></div></div></div></div></div></div></div></div></div></div></div></div>

<br><div class="gmail_quote">On Fri, Aug 12, 2016 at 4:26 AM, Peter van Dijk <span dir="ltr"><<a href="mailto:peter.van.dijk@powerdns.com" target="_blank">peter.van.dijk@powerdns.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello Theodore,<br>

<br>

do you have multiple backends launched? In general DNSSEC only works on the first backend I believe.<br>

<br>

Kind regards,<br>

-- <br>

Peter van Dijk<br>

PowerDNS.COM BV - <a href="https://www.powerdns.com/" rel="noreferrer" target="_blank">https://www.powerdns.com/</a><div><div class="h5"><br>

<br>

On 12 Aug 2016, at 9:37, Theodore Baschak wrote:<br>

<br>

</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5">

I've tried using the sqlite3 backend as well now for this zone, with the<br>

same non-dnssec-serving/recognizing result.<br>

(This does work in the mysql backend however, but thats shared between<br>

multiple servers, and this configuration is unique to this particular<br>

server.)<br>

<br>

<br>

Theodore Baschak - AS395089 - Hextet Systems<br>

<a href="https://ciscodude.net/" rel="noreferrer" target="_blank">https://ciscodude.net/</a> - <a href="https://hextet.systems/" rel="noreferrer" target="_blank">https://hextet.systems/</a><br>

<a href="http://mbix.ca/" rel="noreferrer" target="_blank">http://mbix.ca/</a><br>

<br>

<br>

On Fri, Aug 12, 2016 at 1:52 AM, Theodore Baschak <<a href="mailto:theodore@ciscodude.net" target="_blank">theodore@ciscodude.net</a>><br>

wrote:<br>

<br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

I've got a few zones I slave for a friend. He presigns some of those zones<br>

on bind and I AXFR them as a slave.<br>

<br>

Log entries don't indicate detecting presigned zones on AXFR. Dig with<br>

+dnssec doesn't return anything either. dnsviz is showing me as being a<br>

problem nameserver for him now.<br>

<br>

I've got the bind-dnssec-db set, and created the dnssec-db with pdnsutil<br>

(and chowned it to pdns:pdns even)<br>

<br>

I've tried pdnsutil set-presigned <zone><br>

<br>

I've been googling this for about an hour and I can't find something wrong<br>

with what I'm doing.<br>

I did find the following command, which outputs many lines like the<br>

following:<br>

<br>

pdnsutil check-all-zones<br>

Aug 12 06:49:30 [bindbackend] Done parsing domains, 0 rejected, 19 new, 0<br>

removed<br>

[Warning] Parsed and original record content are not equal: <a href="http://fudo.ca" rel="noreferrer" target="_blank">fudo.ca</a> IN<br>

RRSIG 'SOA 8 2 3600 20140614060342 20131216060342 17133 <a href="http://fudo.ca" rel="noreferrer" target="_blank">fudo.ca</a>.<br>

gXArdDSbIIFjFn7fjj4h8MnT2ZQYwK<wbr>uCWOKDXTn+da5MnmCkp7KXM+<br>

PA78Bm2Z2Lo8boU5mJd49pTdEOrSMU<wbr>Fd9/gNi7PW3a5PPc0v9XHvM+<br>

1zTqrRrvch8PzWieiIlOiHjupH5JsD<wbr>VznKlRDPRmjHerbddr3++PR0OPWPAX<wbr>y6I='<br>

(Content parsed as 'SOA 8 2 3600 20140614060342 20131216060342 17133<br>

<a href="http://fudo.ca" rel="noreferrer" target="_blank">fudo.ca</a> gXArdDSbIIFjFn7fjj4h8MnT2ZQYwK<wbr>uCWOKDXTn+da5MnmCkp7KXM+<br>

PA78Bm2Z2Lo8boU5mJd49pTdEOrSMU<wbr>Fd9/gNi7PW3a5PPc0v9XHvM+<br>

1zTqrRrvch8PzWieiIlOiHjupH5JsD<wbr>VznKlRDPRmjHerbddr3++PR0OPWPAX<wbr>y6I=')<br>

[Error] RRSIG found at '<a href="http://fudo.ca" rel="noreferrer" target="_blank">fudo.ca</a>' in non-presigned zone. These do not<br>

belong in the database.<br>

<br>

<br>

<br>

Theodore Baschak - AS395089 - Hextet Systems<br>

<a href="https://ciscodude.net/" rel="noreferrer" target="_blank">https://ciscodude.net/</a> - <a href="https://hextet.systems/" rel="noreferrer" target="_blank">https://hextet.systems/</a><br>

<a href="http://mbix.ca/" rel="noreferrer" target="_blank">http://mbix.ca/</a><br>

<br>

<br>

</blockquote></div></div>

______________________________<wbr>_________________<br>

Pdns-users mailing list<br>

<a href="mailto:Pdns-users@mailman.powerdns.com" target="_blank">Pdns-users@mailman.powerdns.co<wbr>m</a><br>

<a href="https://mailman.powerdns.com/mailman/listinfo/pdns-users" rel="noreferrer" target="_blank">https://mailman.powerdns.com/m<wbr>ailman/listinfo/pdns-users</a><br>

</blockquote>

______________________________<wbr>_________________<br>

Pdns-users mailing list<br>

<a href="mailto:Pdns-users@mailman.powerdns.com" target="_blank">Pdns-users@mailman.powerdns.co<wbr>m</a><br>

<a href="https://mailman.powerdns.com/mailman/listinfo/pdns-users" rel="noreferrer" target="_blank">https://mailman.powerdns.com/m<wbr>ailman/listinfo/pdns-users</a><br>

</blockquote></div><br></div>