<div dir="ltr">Hi,<div><br></div><div>I am sorry as I am very new at this. FYI, both the DNS servers are PRIVATE. The domains they are hosting does not get published to the internet. It is mainly only for internal usage. Link between them is using a lease line. I have no problem querying from secondary site (running pdns) to primary. However, somehow primary (running BIND) have problem querying secondary and the problem is DNSSEC trust issue.</div><div><br></div><div>Take note also they are not running as primary DNS and secondary DNS servers. They are both independent of each other. They are each their own authoritative DNS server.</div><div><br></div><div>Sorry but how do I publish DS zone created in secondary into primary? </div><div><br></div><div>I think alternatively I might need to run them as primary and secondary DNS.</div><div><br></div><div>Thanks.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Apr 18, 2019 at 4:42 PM Gert van Dijk <<a href="mailto:gertvdijk%2Bpdns-users@gmail.com">gertvdijk+pdns-users@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Apr 18, 2019 at 10:24 AM abubin <<a href="mailto:abubin@gmail.com" target="_blank">abubin@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">I have just installed pdns and pdns-recursor on a server in secondary
site. The primary site is using CentOS 7 bind to host private DNS.
<p>I am trying to create a forwarding DNS from bind to pdns in primary
site. For example, when I query the primary DNS (1.2.3.4), it will
forward certain domains to secondary DNS.</p>
<p>The zone file for bind have this:</p>
<p>zone "<a href="http://myown.com" target="_blank">myown.com</a>" IN {<br>
type forward;<br>
forward only;<br>
forwarders { 10.10.10.10; };<br>
};<br>
</p>
<p>However, due to DNSSEC it is not resolving the zone. It will work if I
disable DNSSEC in bind. I have already enable DNSSEC for <a href="http://myown.com" target="_blank">myown.com</a> in
pdns but it still giving error from bind.</p>
<p>Apr 18 16:15:50 kdns named[25128]: validating <a href="http://www.myown.com/A" target="_blank">www.myown.com/A</a>: no valid signature found<br>
Apr 18 16:15:50 kdns named[25128]: validating <a href="http://www.myown.com/A" target="_blank">www.myown.com/A</a>: bad cache hit (<a href="http://www.myown.com/DS" target="_blank">www.myown.com/DS</a>)<br>
Apr 18 16:15:50 kdns named[25128]: broken trust chain resolving '<a href="http://www.myown.com/A/IN" target="_blank">www.myown.com/A/IN</a>': 10.10.10.10#53<br></p></div></blockquote><div>I don't know BIND so much, but it seems to me that it cannot find the DS records (or they don't match) on the parent zone (e.g. .com). Did you publish the DS records to your registry (`pdnsutil show-zone [ZONE]` shows the record(s) you should publish with them)? I am not able to check this, as you seem to redact the actual names here.</div><div>You may also want to check whether DNSSEC validates apart from BIND altogether. Use tools like `dig` or use online tools like dnsviz.<br></div><div><br></div><div>Also, why do you actually want *forward* those queries from a primary site? Perhaps I'm missing out on something on what you're trying to achieve in a broader view, but as far as I understand I would suggest to make the primary site a secondary for that domain in PowerDNS and transfer it (AXFR, presigned if you need DNSSEC) directly from the PowerDNS Authoritative server; you won't even need a PowerDNS recursor then. Is that BIND on your primary site an authoritative server for some other domains, a recursor or both?</div><div><br></div><div>If your situation is that you don't actually want to run DNSSEC on that forwarded domain, then you need to configure an NTA as Brian Candler pointed out. That is because the information in the .com parent zone information conflicts with the situation on your system (either the domain does not exist there or it is present, but signed with a different key).</div><div><br></div><div>HTH<br></div></div></div></div>
</blockquote></div>