[Pdns-dev] implement GSQLBackend::getDirectNSECx
labs at hosting.de
Tue Feb 23 12:18:32 UTC 2016
Hello Peter,

> Can you clarify what you mean by empty traversals? What is your full
> procedure for serving an ldns-signed zone file with PowerDNS today?

Below is an example of a zone signed by ldns. As you can see, it
contains not only RRSIG, but also 3 NSEC3 and the NSEC3PARAM record. In
order to publish the zone with pdns we have to remove these 4 records
from the zone. Then we have to take the content of the NSEC3PARAM record
and add it to domainmetadata as a 'NSEC3PARAM' entry, along with a
'PRESIGNED' entry. The zone contains one record at its apex and one in
sub2.sub1.dnssec-secured.com, but none in sub1.dnssec-secured.com, so
next we have to create a record of type NULL for
sub1.dnssec-secured.com, the empty traversal record. After that we have
to determine the ordername for the A, NS, SOA and the empty traversal
records, and have to remember to set the ordername to NULL in our RRSIG
and DNSKEY records (but to an empty string, not NULL, for records on the
apex if we sign with NSEC instead of NSEC3).

If instead it were possible to use the NSEC(3) and NSEC3PARAM
records as ldns creates them we wouldn't have to do all this. We could
just add the records to our database as they are and ignore the
ordername and metadata. This would save us work, would make our system
more robust and would be more secure when updating pdns.
####################
dnssec-secured.com. 172800 IN SOA testns1.keenlogics.com.
admin.dnssec-secured.com. 2016022302 86400 7200 3600000 3600
dnssec-secured.com. 172800 IN RRSIG SOA 8 2 172800 20160324114814
20160223114814 24828 dnssec-secured.com.
RhmWWAJetR0cOLAVN2L8rMs/rECWpHCox0NCV6FR3VR9thDlrAPLqh5ImCQAg+LxlFq5Xensa2aQU8UvWVyJUJkt6tYHgP6cyDitq/jHPwrfEulpY1iOYGuRaLkNRP1VKRF189vhc0gAoKcGLt8++UpKorKUaK0AQZXlJ2tM0Os=
dnssec-secured.com. 86000 IN A 172.27.171.106
dnssec-secured.com. 86000 IN RRSIG A 8 2 86000 20160324114814
20160223114814 24828 dnssec-secured.com.
tBh8QHPoFoUypROAOeIWZD0O4j4ugiwaJUrTVyFFA+j/l393QLSRbxkZvjqGCrsf3pwTvEYALL3cepLg3JMwwXeTZEb84EK/hKPbhYyuyOYm2es+yghiswIuCD1ejx1TXD5jD4c6UMwNf2LI4AlHCfWVclWA1yktOo2Rhi8Rjr0=
dnssec-secured.com. 86000 IN NS testns1.keenlogics.com.
dnssec-secured.com. 86000 IN NS testns2.keenlogics.com.
dnssec-secured.com. 86000 IN RRSIG NS 8 2 86000 20160324114814
20160223114814 24828 dnssec-secured.com.
wXfzEvQNd5hLz1p6XN9T6LdcXPfdaS2W7IOgrMb3hwKQbSul03772DU0TxenJBYrJIBiVlp8/BjP5k68+1nT09muPTA8YTEjajLWowVtcdlQBNBvHqst8xVoGiojBvRcxOgx1riGoYXVDX2WqIZTxZKI5T9c4OUxPypuyT9BCVc=
dnssec-secured.com. 3600 IN DNSKEY 256 3 8
AwEAAcKDdu9TSNxyuE4AxJBsSpLSlpmOjC3mSLIRL+O/ox+ip0kyu/kWia+ItyN8O+LQT7ZxPM0kgsPde5iNJm1oQzksYWqI9uWyN8Xg/z7+e8P7wXAU8hh+VsJ4CuKx0KitGgF8ywCBjvPBlXxW2wUqDZ/PuWS4pfDdPfJoGJOo+oBj
;{id = 24828 (zsk), size = 1024b}
dnssec-secured.com. 3600 IN DNSKEY 257 3 8
AwEAAedRPE4ShQYyimigcjM5hkfkkILqc5MsEl1IOMH4Etxs+d0IqKqHiHIxuCWWvLIdhuInl9P1JwrusURKW0D0s2nrRgP/vJix766UcojySuANOzC2LKQ7YWbze/0k9OdMlvadmAr9vcs8PeJJ0OLA9ZTA+JIFxqliDceSKmACQE0l
;{id = 22939 (ksk), size = 1024b}
dnssec-secured.com. 3600 IN RRSIG DNSKEY 8 2 3600 20160324114814
20160223114814 22939 dnssec-secured.com.
yu/DVtu/e8sQWSbOKqngObf9ePpg6F8g1uh88g1ddEcSuOfbAj1J2Gkgo2a8DCSLiQXnV7ehNL1mYQfChRRWTXraVc65RyngM/bF8RFQDaoqJ2Jo+uNe723haStX8JGirFqPd9MyNoBRccAg0Yrd7GEhM6aZjXbqpaOrFdoFfEA=
dnssec-secured.com. 3600 IN NSEC3PARAM 1 0 1 -
dnssec-secured.com. 3600 IN RRSIG NSEC3PARAM 8 2 3600 20160324114814
20160223114814 24828 dnssec-secured.com.
saBC+M4W+gUaa5a5zxUUFXliR71Xjmo+jX0FGUktRgZdufGAj/bCK66RaH/AANM6Spwhhf+snHti72iIZ5SvGTOWtiIMytgR2Q3dGeUGYwSN05Z/8jVklfj6drojV+ddn4xG6x9WvuFdvEpUJZeef5L9FrQr5ykuis6fqWExyBM=
31igt9vki6e04vr59abcnr3f5b6v00mq.dnssec-secured.com. 3600 IN NSEC3 1 0 1
- 84aemukrq7geiupopk0fbhfl9qdeuqtv A NS SOA RRSIG DNSKEY NSEC3PARAM
31igt9vki6e04vr59abcnr3f5b6v00mq.dnssec-secured.com. 3600 IN RRSIG NSEC3
8 3 3600 20160324114814 20160223114814 24828 dnssec-secured.com.
MqziEpAWoMjDjSdQdXHBVQAGmQ2v9U0d+8MpS5lxZ/HKi8X8dUH6e/R9cHgihQGW5UU0P4TXLailA3RzjotWOXg1EoSbMl3D8BXjdJeMK3hFdh48CFBbRGiIea9CR8gPGMH2q1q8L0yFpYdRUBccTnegq6h/YIhA0aEaQ3oVnD4=
84aemukrq7geiupopk0fbhfl9qdeuqtv.dnssec-secured.com. 3600 IN NSEC3 1 0 1
- eahu8v3vmje1b3cef5687r8dmm2i5bu7
84aemukrq7geiupopk0fbhfl9qdeuqtv.dnssec-secured.com. 3600 IN RRSIG NSEC3
8 3 3600 20160324114814 20160223114814 24828 dnssec-secured.com.
e9CqJcsIxieO0HOJ+Gi/a4m+d3eBBf7DSKdJLWDlpsVYSr7qMVCnFIvQoag16BewfcrakbYiUSZGHCG+lU0SUomLhAOpZkh2pxKFul+dUZ8eYIhk/qR7BgYt1Eejl1LELKVTk4XdS2wmJmdurWnREojCxy/6ZKQd98EHmB0px1Q=
sub2.sub1.dnssec-secured.com. 86000 IN A 172.27.171.106
sub2.sub1.dnssec-secured.com. 86000 IN RRSIG A 8 4 86000 20160324114814
20160223114814 24828 dnssec-secured.com.
u2okLkbbAL9w16qeOUo6q/Js3WPXbYFcMmQEu4sR34LYK5rKf0Xz8M1w54tN4By0v1gVflj9+LDytra1udHNTmNQpVRGxrBQArn2xDOjoAdgTSP4J2CCRPYWMHJeFxTNMCQkDUiM8dP1hhz23vPDLVmtVgIkBuy18lBm8hiZdzA=
eahu8v3vmje1b3cef5687r8dmm2i5bu7.dnssec-secured.com. 3600 IN NSEC3 1 0 1
- 31igt9vki6e04vr59abcnr3f5b6v00mq A RRSIG
eahu8v3vmje1b3cef5687r8dmm2i5bu7.dnssec-secured.com. 3600 IN RRSIG NSEC3
8 3 3600 20160324114814 20160223114814 24828 dnssec-secured.com.
g6rPoNVsmlthX3B2wvrc8gSJFhpKHvD67XpnlJwCeIPf0p0hy8IH3/Kd2d+E3FT8kVOOhsRFjFtLRpfYfzWTguasK6RoVD6r5+IdJvhwFI/ZMNP7gHm60rk5juuDvA2wpJdulyqv2GYFY21P0BsoeBQMJ4VZIbF/KNwthl/lE9Q=
####################
Best regards,
Sebastian
hosting.de GmbH
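
The ordername and empty-traversal steps described in the message, as an added example that is not part of the original post or of PowerDNS: it derives the empty non-terminal name and computes the RFC 5155 NSEC3 hashes for the quoted zone using the `1 0 1 -` parameters from its NSEC3PARAM record. The function names are hypothetical, and it assumes hash algorithm 1 (SHA-1).

```python
import base64
import hashlib

# Map the standard base32 alphabet to the base32hex alphabet used in NSEC3 owner names.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def to_wire(name):
    """Canonical (lowercase) DNS wire format of a fully qualified name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, salt_hex="-", iterations=1):
    """RFC 5155 hash with SHA-1; '-' means an empty salt."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):  # 'iterations' counts additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()

def empty_non_terminals(apex, owners):
    """Names between the apex and an owner name that hold no records themselves."""
    apex = apex.lower().rstrip(".")
    present = {o.lower().rstrip(".") for o in owners}
    found = set()
    for owner in present:
        parent = owner.partition(".")[2]
        while parent.endswith("." + apex) and parent not in present:
            found.add(parent)
            parent = parent.partition(".")[2]
    return found

def ordername_table(apex, owners, salt_hex="-", iterations=1):
    """Hash every owner name plus every empty non-terminal of the zone."""
    names = {o.lower().rstrip(".") for o in owners} | empty_non_terminals(apex, owners)
    return {n: nsec3_hash(n, salt_hex, iterations) for n in sorted(names)}

# Owner names of the non-NSEC3 records in the zone quoted in the message.
ZONE_OWNERS = ["dnssec-secured.com.", "sub2.sub1.dnssec-secured.com."]

if __name__ == "__main__":
    for name, hashed in ordername_table("dnssec-secured.com.", ZONE_OWNERS).items():
        print(f"{hashed}  {name}")
```

The three hashes should equal the NSEC3 owner labels in the quoted zone; the NSEC3 record with an empty type list belongs to the empty non-terminal sub1.dnssec-secured.com.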