<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
Hi!<br>
<br>
Thank you, that seems to work: importing the key and setting the
zone to 'not presigned' leads to RRSIG records being produced on the
slaves.<br>
<br>
However, when I edit the zone on the master and trigger a transfer
to the slaves, the 'PRESIGNED' flag returns on the zone, which is
documented behaviour:<br>
<blockquote><i>PowerDNS
sets this flag automatically upon incoming zone transfers (AXFR)
if it
detects DNSSEC records in the zone. </i><br>
</blockquote>
So, I guess I have to either tell the slave to discard the incoming
DNSSEC records or at least not set the PRESIGNED flag, or tell the
master not to send them in the AXFR.<br>
<br>
Is there any way to do either?<br>
<br>
Best regards,<br>
Martijn.<br>
<br>
<br>
<br>
<br>
<div class="moz-cite-prefix">On 27-5-2020 at 12:18, Edward
Dore wrote:<br>
</div>
<blockquote type="cite" cite="mid:c83f3096ac47cc84059f81ac22eb61c2,E5E6AD8C-BEEA-48AA-8659-42C7F83306CC@freethought-internet.co.uk">
Hi Martijn,
<div class=""><br class="">
</div>
<div class="">Native zones with replication might be the easiest
from a management point of view (remember to encrypt the
replication data so that you don’t expose your keys), but online
signing should work fine with slave zones.
<div class=""><br class="">
</div>
<div class="">Use "pdnsutil export-zone-key” to export the
private key on the master, securely copy it to the slave
servers somehow and then import it with "pdnsutil
import-zone-key”.
<div class=""><br class="">
</div>
<div class="">You’re probably going to need to use "pdnsutil
unset-presigned” as well as the zones are pre-signed at the
moment.</div>
<div class=""><br class="">
</div>
<div class="">Make sure you set any NSEC/NSEC3 parameters etc.
the same on the slave servers - basically make the output of
"pdnsutil show-zone” match between the master and slave.</div>
<div class="">
<div class=""><br class="">
<div class="">
<div>Edward Dore <br class="">
Freethought Internet <br class="">
</div>
</div>
<div><br class="">
<blockquote type="cite" class="">
<div class="">On 27 May 2020, at 10:39, Martijn
Grendelman via Pdns-users <<a href="mailto:pdns-users@mailman.powerdns.com" class="" moz-do-not-send="true">pdns-users@mailman.powerdns.com</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div class=""> Hi,<br class="">
<br class="">
We have a simple setup with a PowerDNS master and
two PowerDNS slaves (AXFR). Our zones are
generally signed with DNSSEC and everything has
been working fine. Recently, I started
experimenting with LUA records, and for those,
we're seeing problems (SERVFAIL) when we query
them through 3rd party resolvers.<br class="">
<br class="">
At first, I seem to have missed this tiny
paragraph in the documentation for LUA records:<br class="">
<br class="">
"LUA records can be DNSSEC signed, but because
they are dynamic, it is not possible to combine
pre-signed DNSSEC zone and LUA records. In other
words, the signing key must be available on the
server creating answers based on LUA records."<br class="">
<br class="">
It makes sense, and indeed, when I query the
slaves for the LUA records, I don't get any
RRSIGs, so I suspect that this must be the
problem.<br class="">
<br class="">
My question is: <i class="">how</i> do I make the
signing key available on the slaves? Does this
imply that I have to switch to a form of native
replication, or is there a way to make this work
with AXFR? I spent a few hours Googling for this,
but I haven't found any clues.<br class="">
<br class="">
<div class="moz-signature">
<div id="divtagdefaultwrapper" style="font-size:
12pt; font-family: Calibri, Helvetica,
sans-serif;" dir="ltr" class="">
<div id="Signature" class="">Best regards,<br class="">
<br class="">
Martijn Grendelman<br class="">
<br class="">
<br class="">
<br class="">
</div>
</div>
</div>
</div>
_______________________________________________<br class="">
Pdns-users mailing list<br class="">
<a href="mailto:Pdns-users@mailman.powerdns.com" class="" moz-do-not-send="true">Pdns-users@mailman.powerdns.com</a><br class="">
<a class="moz-txt-link-freetext" href="https://mailman.powerdns.com/mailman/listinfo/pdns-users">https://mailman.powerdns.com/mailman/listinfo/pdns-users</a><br class="">
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</div>
</blockquote>
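A worked version of the key-sync procedure Edward describes, added here as an example (not code from the thread or from PowerDNS): it exports the key on the master, imports it on one slave, clears PRESIGNED there and then compares the DNSSEC-relevant lines of show-zone on both hosts, which also shows the flag returning after a later AXFR. The zone name, key id and slave host are caller-supplied placeholders, and the show-zone output shape it matches is an assumption.<br>

```shell
#!/bin/sh
# Added example, not code from the thread or from PowerDNS itself: copy a
# zone's signing key from the master to one slave, clear PRESIGNED there,
# and check that the DNSSEC-relevant lines of `pdnsutil show-zone` agree.
# Zone name, key id and slave host are caller-supplied; the show-zone
# output format matched below is an assumption.
set -eu

# Keep only the show-zone lines that decide how answers get signed:
# the presigned flag, NSEC3 settings and the key list.
dnssec_state() {
  grep -iE 'presigned|nsec3|^ID = ' "$1" | sort
}

# Compare saved master and slave outputs; return 1 and report on drift.
dnssec_drift() {
  master_state=$(dnssec_state "$1")
  slave_state=$(dnssec_state "$2")
  if [ "$master_state" = "$slave_state" ]; then return 0; fi
  printf 'DNSSEC state differs\nmaster:\n%s\nslave:\n%s\n' \
    "$master_state" "$slave_state"
  return 1
}

# Export the private key (owner-only temp file), import it on the slave as
# an active key, clear PRESIGNED, then compare both show-zone outputs.
sync_signing_key() {
  zone=$1; keyid=$2; slave=$3
  umask 077
  keyfile=$(mktemp)
  pdnsutil export-zone-key "$zone" "$keyid" > "$keyfile"
  scp "$keyfile" "$slave:/root/$zone.key"
  rm -f "$keyfile"
  ssh "$slave" "pdnsutil import-zone-key '$zone' '/root/$zone.key' active \
    && pdnsutil unset-presigned '$zone' && rm -f '/root/$zone.key'"
  pdnsutil show-zone "$zone" > "/tmp/$zone.master"
  ssh "$slave" "pdnsutil show-zone '$zone'" > "/tmp/$zone.slave"
  dnssec_drift "/tmp/$zone.master" "/tmp/$zone.slave"
}

# Constructed sample outputs (shape assumed) reproducing the drift from the
# thread: the slave re-acquired PRESIGNED after an AXFR from the master.
write_samples() {
  printf 'This is a Master zone\nZone has hashed NSEC3 semantics, configuration: 1 0 10 ab\nkeys:\nID = 1 (CSK), flags = 257, tag = 12345, algo = 13, bits = 256 Active\n' > "$1/master"
  printf 'This is a Slave zone\nZone is presigned\nZone has hashed NSEC3 semantics, configuration: 1 0 10 ab\nkeys:\nID = 1 (CSK), flags = 257, tag = 12345, algo = 13, bits = 256 Active\n' > "$1/slave"
}

# Only touch real servers when run with arguments: ZONE KEY-ID SLAVE-HOST
if [ $# -eq 3 ]; then sync_signing_key "$@"; fi
```

Run it as <code>sh sync-key.sh example.org 1 slave1</code> (placeholder values); with no arguments it only defines the functions, so the comparison can be re-run on saved show-zone output after every transfer.<br>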
<br>
<div class="moz-signature">-- <br>
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif;" dir="ltr">
<div id="Signature">
Kind regards,<br>
<br>
<b>Martijn Grendelman</b> <b>Infrastructure Architect</b><br>
T: +31 (0)40 264 94 44<br>
<br>
ISAAC Marconilaan 16 5621 AA Eindhoven The Netherlands<br>
T: +31 (0)40 290 89 79 <a href="https://www.isaac.nl" target="_blank">www.isaac.nl</a><br>
<a href="https://www.isaac.nl/awards" target="_blank">#1 Fullservice Digital Agency 2020 2019 2018</a><br>
<br>
This e-mail message is intended only for the addressee(s). If this message is not intended for you, you are requested to notify the sender by returning the message and not to use its contents. No rights can be derived from this message.
</div>
</div>
</div>
</body>
</html>