[Pdns-dev] [Pdns-users] Question regarding DNSSEC RRSIG

Peter van Dijk peter.van.dijk at netherlabs.nl
Mon Aug 13 13:13:40 CEST 2012

Hello pdns-dev,

On Aug 13, 2012, at 10:51 , Peter van Dijk wrote:

> On Aug 5, 2012, at 14:35 , Nicky Gerritsen wrote:
>> Nice, that seemed to do the trick :). It still returns different NSEC-records, but now I do get a RRSIG back :).
> The different NSECs are a bug in PowerDNS' usage of SQL collations. Thanks for reporting this!

I have created ticket http://wiki.powerdns.com/trac/ticket/550 (which also refers to a github branch) to track this issue.

The issue is clear - default mysql/pgsql sorting ('collation') does not strictly use ASCII values, and therefore breaks NSEC order name queries.

There are a few ways to fix it (please come up with more):
1. configure the database schemas to do the right thing (involves ALTER TABLE on MySQL, involves drop+import on Postgres, at least before 9.1)
2. use an encoding (hex was suggested) for order name that sorts consistently under any common collation

In other words, we don't have a really good, really clean solution that would be great to ship in 3.1.1. Please share your thoughts!

Kind regards,
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/

More information about the Pdns-dev mailing list