[Pdns-dev] AXFR with pre-signed zones

Christof Meerwald cmeerw at cmeerw.org
Tue Jul 17 14:36:45 CEST 2012

On Tue, 17 Jul 2012 14:42:09 +0300, Aki Tuomi wrote:
> On Tue, Jul 17, 2012 at 01:24:19PM +0200, Christof Meerwald wrote:
>> Whatever you call it - RRSIG records shouldn't be duplicated during an
>> AXFR. For a pre-signed zone, the RRSIG records are part of the zone
>> data, but the signer tries to add another set of RRSIG records - so
>> one set of RRSIG records need to be suppressed.
> So... Correct me if I am wrong but you are transferring a pre-signed zone
> with AXFR from master, and master tries to sign it again? Or did I understo=
> od
> you completely wrong? Can you give more details on the problem you are
> experiencing? Btw, it cannot sign your records without signing key.=20

Well, when you have a pre-signed zone in PowerDNS, it tries to add the
appropriate (existing) RRSIG records to any responses. This logic also
applies to AXFRs where PowerDNS tries to add the appropriate RRSIG
records to the zone data during. But as you already have a pre-signed
zone, the RRSIG records are already in the zone data and adding them
again just results in duplicates.

So either you ignore the RRSIG records and let PowerDNS add them again
during the zone transfer processing (which has the benefit of keeping
most of the logic common) or you can special-case the AXFR logic for
pre-signed zones where it just dumps the zone data without doing any
post-processing for RRSIG records.

So main problem with 3.1 is that you get duplicate RRSIG records from
an AXFR, but the NSEC3PARAM record is also broken and you get some
unwanted additional NSEC3 records.



http://cmeerw.org                              sip:cmeerw at cmeerw.org
mailto:cmeerw at cmeerw.org                   xmpp:cmeerw at cmeerw.org

More information about the Pdns-dev mailing list