<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="Generator" content="Microsoft Exchange Server">
<!-- converted from text --><style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; } --></style>
</head>
<body>
<div>
<div id="x_gw-compose-body-div" style="font-family:"Arial"; font-size:12pt; color:rgb(0,0,0)">
<div>
<div>ALIAS does not support DNSSEC. See issues on GitHub. Klaus<br>
</div>
<div><br>
</div>
<div><br>
</div>
<div id="x_gw-compose-signature-div" style="font-family:"Arial"; font-size:12pt; color:#000000">
Sent via BlackBerry Work (www.blackberry.com)</div>
</div>
</div>
<hr style="display:inline-block; width:98%">
<div class="x_quote"><b>From: </b>Pdns-users <pdns-users-bounces@mailman.powerdns.com> on behalf of Jake via Pdns-users <pdns-users@mailman.powerdns.com><br>
<b>Sent: </b>30.05.2022 22:10<br>
<b>To: </b>pdns-users@mailman.powerdns.com<br>
<b>Subject: </b>[Pdns-users] Question about DNSSEC + ALIAS (cname at the apex hack)<br>
<br type="attribution">
</div>
</div>
<font size="2"><span style="font-size:10pt;">
<div class="PlainText">Created a domain called "aliastest.ca".<br>
<br>
Set the options recursive= and expand-alias= as prescribed.<br>
<br>
All works...<br>
<br>
Used "pdnsutil secure-zone aliastest.ca"...and it signed the zone...all <br>
easier than I expected, so yay!<br>
<br>
However...when I query for records under the zone...<br>
<br>
# dig @localhost A <a href="http://www.aliastest.ca">www.aliastest.ca</a>. +dnssec +short<br>
4.4.4.4<br>
A 13 3 3600 20220609000000 20220519000000 30598 aliastest.ca. sIhw7mNWncSfshFAf5hXtblduAFy1bFyhR32mYedzj4br7WWG8angHMj SnOqnU7jJzW1u6INtskuwMuNbR+4WQ==<br>
<br>
I see NSEC records...great!<br>
<br>
# dig @localhost A aliastest.ca. +dnssec +short<br>
151.101.125.67<br>
<br>
I don't see NSEC records...why?<br>
<br>
I somewhat assumed that PowerDNS would be signing the recursive output <br>
from the ALIAS target...is this some other option I don't know about?<br>
<br>
> select * from domains where name="aliastest.ca";<br>
+---------+--------------+--------+------------+--------+-----------------+---------+<br>
| id      | name         | master | last_check | type   | notified_serial | account |<br>
+---------+--------------+--------+------------+--------+-----------------+---------+<br>
| 4000003 | aliastest.ca | NULL   |       NULL | NATIVE |            NULL | NULL    |<br>
+---------+--------------+--------+------------+--------+-----------------+---------+<br>
<br>
> select * from records where domain_id="4000003";<br>
+----------+-----------+--------------------+-------+-------------------------------------------------------------------------+------+------+-------------+----------+-----------+------+<br>
| id       | domain_id | name               | type  | content                                                                 | ttl  | prio | change_date | disabled | ordername | auth |<br>
+----------+-----------+--------------------+-------+-------------------------------------------------------------------------+------+------+-------------+----------+-----------+------+<br>
| 48000014 |   4000003 | aliastest.ca       | SOA   | ns01.aliastest.ca admin-dns.aliastest.ca 2022030101 1800 900 604800 300 | 3600 |    0 |        NULL |        0 |           |    1 |<br>
| 48000015 |   4000003 | aliastest.ca       | NS    | ns01.aliastest.ca                                                       | 3600 |    0 |        NULL |        0 |           |    1 |<br>
| 48000016 |   4000003 | aliastest.ca       | NS    | ns02.aliastest.ca                                                       | 3600 |    0 |        NULL |        0 |           |    1 |<br>
| 48000017 |   4000003 | aliastest.ca       | MX    | mail1.aliastest.ca                                                      | 3600 |   10 |        NULL |        0 |           |    1 |<br>
| 48000018 |   4000003 | aliastest.ca       | MX    | mail2.aliastest.ca                                                      | 3600 |   20 |        NULL |        0 |           |    1 |<br>
| 48000019 |   4000003 | aliastest.ca       | MX    | mail3.aliastest.ca                                                      | 3600 |   30 |        NULL |        0 |           |    1 |<br>
| 48000020 |   4000003 | ns01.aliastest.ca  | A     | 10.6.20.71                                                              | 3600 |    0 |        NULL |        0 | ns01      |    1 |<br>
| 48000021 |   4000003 | ns02.aliastest.ca  | A     | 10.6.20.72                                                              | 3600 |    0 |        NULL |        0 | ns02      |    1 |<br>
| 48000022 |   4000003 | mail1.aliastest.ca | A     | 1.1.1.1                                                                 | 3600 |    0 |        NULL |        0 | mail1     |    1 |<br>
| 48000023 |   4000003 | mail2.aliastest.ca | A     | 2.2.2.2                                                                 | 3600 |    0 |        NULL |        0 | mail2     |    1 |<br>
| 48000024 |   4000003 | mail3.aliastest.ca | A     | 3.3.3.3                                                                 | 3600 |    0 |        NULL |        0 | mail3     |    1 |<br>
| 48000025 |   4000003 | <a href="http://www.aliastest.ca">www.aliastest.ca</a>   | A     | 4.4.4.4                                                                 | 3600 |    0 |        NULL |        0 | www       |    1 |<br>
| 48000026 |   4000003 | aliastest.ca       | ALIAS | <a href="http://www.cnn.com">www.cnn.com</a>                                                             | 3600 |    0 |        NULL |        0 |           |    1 |<br>
+----------+-----------+--------------------+-------+-------------------------------------------------------------------------+------+------+-------------+----------+-----------+------+<br>
<br>
Thanks all,<br>
-jake<br>
</div>
</span></font>
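<div>Added example, not part of the original thread and not PowerDNS code: a check that classifies <code>dig +dnssec +short</code> output by whether it carries an RRSIG covering the queried type, run over the two outputs quoted above. The function names are hypothetical, and the check covers signature presence and validity window only, not cryptographic validation.</div>
<pre>
```python
from datetime import datetime, timezone

# The two `dig +dnssec +short` outputs quoted in the post above.
WWW_OUTPUT = (
    "4.4.4.4\n"
    "A 13 3 3600 20220609000000 20220519000000 30598 aliastest.ca. "
    "sIhw7mNWncSfshFAf5hXtblduAFy1bFyhR32mYedzj4br7WWG8angHMj "
    "SnOqnU7jJzW1u6INtskuwMuNbR+4WQ=="
)
APEX_OUTPUT = "151.101.125.67"
TS = "%Y%m%d%H%M%S"  # RRSIG timestamp presentation format


def parse_rrsig(line):
    """Parse one +short line as RRSIG rdata; return None for ordinary data."""
    try:
        covered, alg, labels, _ttl, exp, inc, tag, signer, *sig = line.split()
        if not sig:
            return None
        return {
            "covered": covered.upper(),
            "algorithm": int(alg),
            "labels": int(labels),
            "keytag": int(tag),
            "signer": signer.rstrip(".").lower(),
            "expiration": datetime.strptime(exp, TS).replace(tzinfo=timezone.utc),
            "inception": datetime.strptime(inc, TS).replace(tzinfo=timezone.utc),
        }
    except ValueError:  # too few fields, or a field that is not a number/date
        return None


def check_answer(output, qtype, zone, when):
    """Return 'signed', 'unsigned' or 'outside-validity-window'.

    Presence and time window only: the signature is not cryptographically verified.
    """
    zone = zone.rstrip(".").lower()
    sigs = [s for s in map(parse_rrsig, output.splitlines()) if s]
    covering = [s for s in sigs
                if s["covered"] == qtype.upper() and s["signer"] == zone]
    if not covering:
        return "unsigned"
    if any(when >= s["inception"] and s["expiration"] >= when for s in covering):
        return "signed"
    return "outside-validity-window"
```
</pre>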
</body>
</html>