<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
        {mso-style-name:msonormal;
        mso-margin-top-alt:auto;
        margin-right:0cm;
        mso-margin-bottom-alt:auto;
        margin-left:0cm;
        font-size:12.0pt;
        font-family:"Times New Roman",serif;}
p.emailquote, li.emailquote, div.emailquote
        {mso-style-name:emailquote;
        mso-margin-top-alt:auto;
        margin-right:0cm;
        mso-margin-bottom-alt:auto;
        margin-left:1.0pt;
        border:none;
        padding:0cm;
        font-size:12.0pt;
        font-family:"Times New Roman",serif;}
span.E-MailFormatvorlage19
        {mso-style-type:personal-reply;
        font-family:"Calibri",sans-serif;
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:70.85pt 70.85pt 2.0cm 70.85pt;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="DE-AT" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">https://github.com/PowerDNS/pdns/issues/10150<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="DE" style="font-size:11.0pt;font-family:"Calibri",sans-serif">Von:</span></b><span lang="DE" style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Pdns-users <pdns-users-bounces@mailman.powerdns.com>
<b>Im Auftrag von </b>Klaus Darilion via Pdns-users<br>
<b>Gesendet:</b> Dienstag, 31. Mai 2022 06:35<br>
<b>An:</b> jake@elsif.net; pdns-users@mailman.powerdns.com<br>
<b>Betreff:</b> Re: [Pdns-users] Question about DNSSEC + ALIAS (cname at the apex hack)<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div id="x_gw-compose-body-div">
<div>
<div>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif;color:black">Alias does not support dnssec. See issues on github. Klaus­<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div id="x_gw-compose-signature-div">
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif;color:black">Gesendet über BlackBerry Work (<a href="http://www.blackberry.com">www.blackberry.com</a>)<o:p></o:p></span></p>
</div>
</div>
</div>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="2" width="98%" align="center">
</div>
<div>
<p class="MsoNormal"><b>Von: </b>Pdns-users <<a href="mailto:pdns-users-bounces@mailman.powerdns.com">pdns-users-bounces@mailman.powerdns.com</a>> im Namen von Jake via Pdns-users <<a href="mailto:pdns-users@mailman.powerdns.com">pdns-users@mailman.powerdns.com</a>><br>
<b>Gesendet: </b>30.05.2022 22:10<br>
<b>An: </b><a href="mailto:pdns-users@mailman.powerdns.com">pdns-users@mailman.powerdns.com</a><br>
<b>Betreff: </b>[Pdns-users] Question about DNSSEC + ALIAS (cname at the apex hack)<br>
<br>
<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt">Created a domain called "aliastest.ca".<br>
<br>
Set the options recursive= and expand-alias= as prescribed.<br>
<br>
All works...<br>
<br>
Used "pdnsutil secure-zone aliastest.ca"...and it signed the zone...all <br>
easier than I expected, so yay!<br>
<br>
However...when I query for records under the zone...<br>
<br>
# dig @localhost A <a href="http://www.aliastest.ca">www.aliastest.ca</a>. +dnssec +short<br>
4.4.4.4<br>
A 13 3 3600 20220609000000 20220519000000 30598 aliastest.ca. <br>
sIhw7mNWncSfshFAf5hXtblduAFy1bFyhR32mYedzj4br7WWG8angHMj <br>
SnOqnU7jJzW1u6INtskuwMuNbR+4WQ==<br>
<br>
I see NSEC records...great!<br>
<br>
# dig @localhost A aliastest.ca. +dnssec +short<br>
151.101.125.67<br>
<br>
I don't see NSEC records...why?<br>
<br>
I somewhat assumed that PowerDNS would be signing the recursive output <br>
from the ALIAS target...is this some other option I don't know about?<br>
<br>
> select * from domains where name="aliastest.ca";<br>
+---------+--------------+--------+------------+--------+-----------------+---------+<br>
| id      | name         | master | last_check | type   | notified_serial <br>
| account |<br>
+---------+--------------+--------+------------+--------+-----------------+---------+<br>
| 4000003 | aliastest.ca | NULL   |       NULL | NATIVE |            NULL <br>
| NULL    |<br>
+---------+--------------+--------+------------+--------+-----------------+---------+<br>
<br>
> select * from records where domain_id="4000003";<br>
+----------+-----------+--------------------+-------+-------------------------------------------------------------------------+------+------+-------------+----------+-----------+------+<br>
| id       | domain_id | name               | type  | content <br>
| ttl  | prio | change_date | disabled | ordername | auth |<br>
+----------+-----------+--------------------+-------+-------------------------------------------------------------------------+------+------+-------------+----------+-----------+------+<br>
| 48000014 |   4000003 | aliastest.ca       | SOA   | ns01.aliastest.ca <br>
admin-dns.aliastest.ca 2022030101 1800 900 604800 300 | 3600 |    0 | <br>
NULL |        0 |           |    1 |<br>
| 48000015 |   4000003 | aliastest.ca       | NS    | ns01.aliastest.ca <br>
| 3600 |    0 |        NULL |        0 |           |    1 |<br>
| 48000016 |   4000003 | aliastest.ca       | NS    | ns02.aliastest.ca <br>
| 3600 |    0 |        NULL |        0 |           |    1 |<br>
| 48000017 |   4000003 | aliastest.ca       | MX    | mail1.aliastest.ca <br>
| 3600 |   10 |        NULL |        0 |           |    1 |<br>
| 48000018 |   4000003 | aliastest.ca       | MX    | mail2.aliastest.ca <br>
| 3600 |   20 |        NULL |        0 |           |    1 |<br>
| 48000019 |   4000003 | aliastest.ca       | MX    | mail3.aliastest.ca <br>
| 3600 |   30 |        NULL |        0 |           |    1 |<br>
| 48000020 |   4000003 | ns01.aliastest.ca  | A     | 10.6.20.71 <br>
| 3600 |    0 |        NULL |        0 | ns01      |    1 |<br>
| 48000021 |   4000003 | ns02.aliastest.ca  | A     | 10.6.20.72 <br>
| 3600 |    0 |        NULL |        0 | ns02      |    1 |<br>
| 48000022 |   4000003 | mail1.aliastest.ca | A     | 1.1.1.1 <br>
| 3600 |    0 |        NULL |        0 | mail1     |    1 |<br>
| 48000023 |   4000003 | mail2.aliastest.ca | A     | 2.2.2.2 <br>
| 3600 |    0 |        NULL |        0 | mail2     |    1 |<br>
| 48000024 |   4000003 | mail3.aliastest.ca | A     | 3.3.3.3 <br>
| 3600 |    0 |        NULL |        0 | mail3     |    1 |<br>
| 48000025 |   4000003 | <a href="http://www.aliastest.ca">www.aliastest.ca</a>   | A     | 4.4.4.4
<br>
| 3600 |    0 |        NULL |        0 | www       |    1 |<br>
| 48000026 |   4000003 | aliastest.ca       | ALIAS | <a href="http://www.cnn.com">
www.cnn.com</a> <br>
| 3600 |    0 |        NULL |        0 |           |    1 |<br>
+----------+-----------+--------------------+-------+-------------------------------------------------------------------------+------+------+-------------+----------+-----------+------+<br>
<br>
Thanks all,<br>
-jake<br>
_______________________________________________<br>
Pdns-users mailing list<br>
<a href="mailto:Pdns-users@mailman.powerdns.com">Pdns-users@mailman.powerdns.com</a><br>
<a href="https://mailman.powerdns.com/mailman/listinfo/pdns-users">https://mailman.powerdns.com/mailman/listinfo/pdns-users</a><o:p></o:p></span></p>
</div>
</div>
</div>
</body>
</html>