
<html>

<head>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

<meta name="Generator" content="Microsoft Word 15 (filtered medium)">

<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}

o\:* {behavior:url(#default#VML);}

w\:* {behavior:url(#default#VML);}

.shape {behavior:url(#default#VML);}

</style><![endif]--><style><!--

/* Font Definitions */

@font-face

        {font-family:"Cambria Math";

        panose-1:2 4 5 3 5 4 6 3 2 4;}

@font-face

        {font-family:Calibri;

        panose-1:2 15 5 2 2 2 4 3 2 4;}

/* Style Definitions */

p.MsoNormal, li.MsoNormal, div.MsoNormal

        {margin:0cm;

        margin-bottom:.0001pt;

        font-size:12.0pt;

        font-family:"Times New Roman",serif;}

a:link, span.MsoHyperlink

        {mso-style-priority:99;

        color:blue;

        text-decoration:underline;}

a:visited, span.MsoHyperlinkFollowed

        {mso-style-priority:99;

        color:purple;

        text-decoration:underline;}

p.msonormal0, li.msonormal0, div.msonormal0

        {mso-style-name:msonormal;

        mso-margin-top-alt:auto;

        margin-right:0cm;

        mso-margin-bottom-alt:auto;

        margin-left:0cm;

        font-size:12.0pt;

        font-family:"Times New Roman",serif;}

p.emailquote, li.emailquote, div.emailquote

        {mso-style-name:emailquote;

        mso-margin-top-alt:auto;

        margin-right:0cm;

        mso-margin-bottom-alt:auto;

        margin-left:1.0pt;

        border:none;

        padding:0cm;

        font-size:12.0pt;

        font-family:"Times New Roman",serif;}

span.E-MailFormatvorlage19

        {mso-style-type:personal-reply;

        font-family:"Calibri",sans-serif;

        color:#1F497D;}

.MsoChpDefault

        {mso-style-type:export-only;

        font-size:10.0pt;}

@page WordSection1

        {size:612.0pt 792.0pt;

        margin:70.85pt 70.85pt 2.0cm 70.85pt;}

div.WordSection1

        {page:WordSection1;}

--></style><!--[if gte mso 9]><xml>

<o:shapedefaults v:ext="edit" spidmax="1026" />

</xml><![endif]--><!--[if gte mso 9]><xml>

<o:shapelayout v:ext="edit">

<o:idmap v:ext="edit" data="1" />

</o:shapelayout></xml><![endif]-->

</head>

<body lang="DE-AT" link="blue" vlink="purple">

<div class="WordSection1">

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">https://github.com/PowerDNS/pdns/issues/10150<o:p></o:p></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>

<div style="border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt">

<div>

<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">

<p class="MsoNormal"><b><span lang="DE" style="font-size:11.0pt;font-family:"Calibri",sans-serif">Von:</span></b><span lang="DE" style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Pdns-users <pdns-users-bounces@mailman.powerdns.com>

<b>Im Auftrag von </b>Klaus Darilion via Pdns-users<br>

<b>Gesendet:</b> Dienstag, 31. Mai 2022 06:35<br>

<b>An:</b> jake@elsif.net; pdns-users@mailman.powerdns.com<br>

<b>Betreff:</b> Re: [Pdns-users] Question about DNSSEC + ALIAS (cname at the apex hack)<o:p></o:p></span></p>

</div>

</div>

<p class="MsoNormal"><o:p> </o:p></p>

<div>

<div id="x_gw-compose-body-div">

<div>

<div>

<p class="MsoNormal"><span style="font-family:"Arial",sans-serif;color:black">Alias does not support dnssec. See issues on github. Klaus<o:p></o:p></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-family:"Arial",sans-serif;color:black"><o:p> </o:p></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-family:"Arial",sans-serif;color:black"><o:p> </o:p></span></p>

</div>

<div id="x_gw-compose-signature-div">

<p class="MsoNormal"><span style="font-family:"Arial",sans-serif;color:black">Gesendet über BlackBerry Work (<a href="http://www.blackberry.com">www.blackberry.com</a>)<o:p></o:p></span></p>

</div>

</div>

</div>

<div class="MsoNormal" align="center" style="text-align:center">

<hr size="2" width="98%" align="center">

</div>

<div>

<p class="MsoNormal"><b>Von: </b>Pdns-users <<a href="mailto:pdns-users-bounces@mailman.powerdns.com">pdns-users-bounces@mailman.powerdns.com</a>> im Namen von Jake via Pdns-users <<a href="mailto:pdns-users@mailman.powerdns.com">pdns-users@mailman.powerdns.com</a>><br>

<b>Gesendet: </b>30.05.2022 22:10<br>

<b>An: </b><a href="mailto:pdns-users@mailman.powerdns.com">pdns-users@mailman.powerdns.com</a><br>

<b>Betreff: </b>[Pdns-users] Question about DNSSEC + ALIAS (cname at the apex hack)<br>

<br>

<o:p></o:p></p>

</div>

</div>

<div>

<p class="MsoNormal"><span style="font-size:10.0pt">Created a domain called "aliastest.ca".<br>

<br>

Set the options recursive= and expand-alias= as prescribed.<br>

<br>

All works...<br>

<br>

Used "pdnsutil secure-zone aliastest.ca"...and it signed the zone...all <br>

easier than I expected, so yay!<br>

<br>

However...when I query for records under the zone...<br>

<br>

# dig @localhost A <a href="http://www.aliastest.ca">www.aliastest.ca</a>. +dnssec +short<br>

4.4.4.4<br>

A 13 3 3600 20220609000000 20220519000000 30598 aliastest.ca. <br>

sIhw7mNWncSfshFAf5hXtblduAFy1bFyhR32mYedzj4br7WWG8angHMj <br>

SnOqnU7jJzW1u6INtskuwMuNbR+4WQ==<br>

<br>

I see NSEC records...great!<br>

<br>

# dig @localhost A aliastest.ca. +dnssec +short<br>

151.101.125.67<br>

<br>

I don't see NSEC records...why?<br>

<br>

I somewhat assumed that PowerDNS would be signing the recursive output <br>

from the ALIAS target...is this some other option I don't know about?<br>

<br>

> select * from domains where name="aliastest.ca";<br>

+---------+--------------+--------+------------+--------+-----------------+---------+<br>

| id      | name         | master | last_check | type   | notified_serial <br>

| account |<br>

+---------+--------------+--------+------------+--------+-----------------+---------+<br>

| 4000003 | aliastest.ca | NULL   |       NULL | NATIVE |            NULL <br>

| NULL    |<br>

+---------+--------------+--------+------------+--------+-----------------+---------+<br>

<br>

> select * from records where domain_id="4000003";<br>

+----------+-----------+--------------------+-------+-------------------------------------------------------------------------+------+------+-------------+----------+-----------+------+<br>

| id       | domain_id | name               | type  | content <br>

| ttl  | prio | change_date | disabled | ordername | auth |<br>

+----------+-----------+--------------------+-------+-------------------------------------------------------------------------+------+------+-------------+----------+-----------+------+<br>

| 48000014 |   4000003 | aliastest.ca       | SOA   | ns01.aliastest.ca <br>

admin-dns.aliastest.ca 2022030101 1800 900 604800 300 | 3600 |    0 | <br>

NULL |        0 |           |    1 |<br>

| 48000015 |   4000003 | aliastest.ca       | NS    | ns01.aliastest.ca <br>

| 3600 |    0 |        NULL |        0 |           |    1 |<br>

| 48000016 |   4000003 | aliastest.ca       | NS    | ns02.aliastest.ca <br>

| 3600 |    0 |        NULL |        0 |           |    1 |<br>

| 48000017 |   4000003 | aliastest.ca       | MX    | mail1.aliastest.ca <br>

| 3600 |   10 |        NULL |        0 |           |    1 |<br>

| 48000018 |   4000003 | aliastest.ca       | MX    | mail2.aliastest.ca <br>

| 3600 |   20 |        NULL |        0 |           |    1 |<br>

| 48000019 |   4000003 | aliastest.ca       | MX    | mail3.aliastest.ca <br>

| 3600 |   30 |        NULL |        0 |           |    1 |<br>

| 48000020 |   4000003 | ns01.aliastest.ca  | A     | 10.6.20.71 <br>

| 3600 |    0 |        NULL |        0 | ns01      |    1 |<br>

| 48000021 |   4000003 | ns02.aliastest.ca  | A     | 10.6.20.72 <br>

| 3600 |    0 |        NULL |        0 | ns02      |    1 |<br>

| 48000022 |   4000003 | mail1.aliastest.ca | A     | 1.1.1.1 <br>

| 3600 |    0 |        NULL |        0 | mail1     |    1 |<br>

| 48000023 |   4000003 | mail2.aliastest.ca | A     | 2.2.2.2 <br>

| 3600 |    0 |        NULL |        0 | mail2     |    1 |<br>

| 48000024 |   4000003 | mail3.aliastest.ca | A     | 3.3.3.3 <br>

| 3600 |    0 |        NULL |        0 | mail3     |    1 |<br>

| 48000025 |   4000003 | <a href="http://www.aliastest.ca">www.aliastest.ca</a>   | A     | 4.4.4.4

<br>

| 3600 |    0 |        NULL |        0 | www       |    1 |<br>

| 48000026 |   4000003 | aliastest.ca       | ALIAS | <a href="http://www.cnn.com">

www.cnn.com</a> <br>

| 3600 |    0 |        NULL |        0 |           |    1 |<br>

+----------+-----------+--------------------+-------+-------------------------------------------------------------------------+------+------+-------------+----------+-----------+------+<br>

<br>

Thanks all,<br>

-jake<br>

_______________________________________________<br>

Pdns-users mailing list<br>

<a href="mailto:Pdns-users@mailman.powerdns.com">Pdns-users@mailman.powerdns.com</a><br>

<a href="https://mailman.powerdns.com/mailman/listinfo/pdns-users">https://mailman.powerdns.com/mailman/listinfo/pdns-users</a><o:p></o:p></span></p>

</div>

</div>

</div>

</body>

</html>