[Pdns-dev] implement GSQLBackend::getDirectNSECx

labs at hosting.de labs at hosting.de
Tue Feb 23 12:18:32 UTC 2016


Hello Peter,

> Can you clarify what you mean by empty traversals? What is your full 
> procedure for serving an ldns-signed zone file with PowerDNS today?

Following is an example of a zone signed by ldns. As you can see, it 
contains not only RRSIG, but also 3 NSEC3 and the NSEC3PARAM record. In 
order to publish the zone with pdns we have to remove these 4 records 
from the zone. Then we have to take the content of the NSEC3PARAM record 
and add it to domainmetadata as a 'NSEC3PARAM' entry, along with a 
'PRESIGNED' entry. The zone contains one record at its apex and one in 
sub2.sub1.dnssec-secured.com, but none in sub1.dnssec-secured.com, so 
next we have to create a record of type NULL for 
sub1.dnssec-secured.com, the empty traversal record. After that we have 
to determine the ordername for the A, NS, SOA and the empty traversal 
records, and have to remember to set the ordername to NULL in our RRSIG 
and DNSKEY records (but to an empty string, not NULL, for records on the 
apex if we sign with NSEC instead of NSEC3).

If instead it would be possible to use the NSEC(3) and NSEC3PARAM 
records as ldns creates them we wouldn't have to do all this. We could 
just add the records to our database as they are and ignore the 
ordername and metadata. This would save us work, would make our system 
more robust and would be more secure when updating pdns.


####################

dnssec-secured.com. 172800 IN SOA testns1.keenlogics.com. 
admin.dnssec-secured.com. 2016022302 86400 7200 3600000 3600

dnssec-secured.com. 172800 IN RRSIG SOA 8 2 172800 20160324114814 
20160223114814 24828 dnssec-secured.com. 
RhmWWAJetR0cOLAVN2L8rMs/rECWpHCox0NCV6FR3VR9thDlrAPLqh5ImCQAg+LxlFq5Xensa2aQU8UvWVyJUJkt6tYHgP6cyDitq/jHPwrfEulpY1iOYGuRaLkNRP1VKRF189vhc0gAoKcGLt8++UpKorKUaK0AQZXlJ2tM0Os=

dnssec-secured.com. 86000 IN A 172.27.171.106

dnssec-secured.com. 86000 IN RRSIG A 8 2 86000 20160324114814 
20160223114814 24828 dnssec-secured.com. 
tBh8QHPoFoUypROAOeIWZD0O4j4ugiwaJUrTVyFFA+j/l393QLSRbxkZvjqGCrsf3pwTvEYALL3cepLg3JMwwXeTZEb84EK/hKPbhYyuyOYm2es+yghiswIuCD1ejx1TXD5jD4c6UMwNf2LI4AlHCfWVclWA1yktOo2Rhi8Rjr0=

dnssec-secured.com. 86000 IN NS testns1.keenlogics.com.

dnssec-secured.com. 86000 IN NS testns2.keenlogics.com.

dnssec-secured.com. 86000 IN RRSIG NS 8 2 86000 20160324114814 
20160223114814 24828 dnssec-secured.com. 
wXfzEvQNd5hLz1p6XN9T6LdcXPfdaS2W7IOgrMb3hwKQbSul03772DU0TxenJBYrJIBiVlp8/BjP5k68+1nT09muPTA8YTEjajLWowVtcdlQBNBvHqst8xVoGiojBvRcxOgx1riGoYXVDX2WqIZTxZKI5T9c4OUxPypuyT9BCVc=

dnssec-secured.com. 3600 IN DNSKEY 256 3 8 
AwEAAcKDdu9TSNxyuE4AxJBsSpLSlpmOjC3mSLIRL+O/ox+ip0kyu/kWia+ItyN8O+LQT7ZxPM0kgsPde5iNJm1oQzksYWqI9uWyN8Xg/z7+e8P7wXAU8hh+VsJ4CuKx0KitGgF8ywCBjvPBlXxW2wUqDZ/PuWS4pfDdPfJoGJOo+oBj 
;{id = 24828 (zsk), size = 1024b}

dnssec-secured.com. 3600 IN DNSKEY 257 3 8 
AwEAAedRPE4ShQYyimigcjM5hkfkkILqc5MsEl1IOMH4Etxs+d0IqKqHiHIxuCWWvLIdhuInl9P1JwrusURKW0D0s2nrRgP/vJix766UcojySuANOzC2LKQ7YWbze/0k9OdMlvadmAr9vcs8PeJJ0OLA9ZTA+JIFxqliDceSKmACQE0l 
;{id = 22939 (ksk), size = 1024b}

dnssec-secured.com. 3600 IN RRSIG DNSKEY 8 2 3600 20160324114814 
20160223114814 22939 dnssec-secured.com. 
yu/DVtu/e8sQWSbOKqngObf9ePpg6F8g1uh88g1ddEcSuOfbAj1J2Gkgo2a8DCSLiQXnV7ehNL1mYQfChRRWTXraVc65RyngM/bF8RFQDaoqJ2Jo+uNe723haStX8JGirFqPd9MyNoBRccAg0Yrd7GEhM6aZjXbqpaOrFdoFfEA=

dnssec-secured.com. 3600 IN NSEC3PARAM 1 0 1 -

dnssec-secured.com. 3600 IN RRSIG NSEC3PARAM 8 2 3600 20160324114814 
20160223114814 24828 dnssec-secured.com. 
saBC+M4W+gUaa5a5zxUUFXliR71Xjmo+jX0FGUktRgZdufGAj/bCK66RaH/AANM6Spwhhf+snHti72iIZ5SvGTOWtiIMytgR2Q3dGeUGYwSN05Z/8jVklfj6drojV+ddn4xG6x9WvuFdvEpUJZeef5L9FrQr5ykuis6fqWExyBM=

31igt9vki6e04vr59abcnr3f5b6v00mq.dnssec-secured.com. 3600 IN NSEC3 1 0 1 
-  84aemukrq7geiupopk0fbhfl9qdeuqtv A NS SOA RRSIG DNSKEY NSEC3PARAM

31igt9vki6e04vr59abcnr3f5b6v00mq.dnssec-secured.com. 3600 IN RRSIG NSEC3 
8 3 3600 20160324114814 20160223114814 24828 dnssec-secured.com. 
MqziEpAWoMjDjSdQdXHBVQAGmQ2v9U0d+8MpS5lxZ/HKi8X8dUH6e/R9cHgihQGW5UU0P4TXLailA3RzjotWOXg1EoSbMl3D8BXjdJeMK3hFdh48CFBbRGiIea9CR8gPGMH2q1q8L0yFpYdRUBccTnegq6h/YIhA0aEaQ3oVnD4=

84aemukrq7geiupopk0fbhfl9qdeuqtv.dnssec-secured.com. 3600 IN NSEC3 1 0 1 
-  eahu8v3vmje1b3cef5687r8dmm2i5bu7

84aemukrq7geiupopk0fbhfl9qdeuqtv.dnssec-secured.com. 3600 IN RRSIG NSEC3 
8 3 3600 20160324114814 20160223114814 24828 dnssec-secured.com. 
e9CqJcsIxieO0HOJ+Gi/a4m+d3eBBf7DSKdJLWDlpsVYSr7qMVCnFIvQoag16BewfcrakbYiUSZGHCG+lU0SUomLhAOpZkh2pxKFul+dUZ8eYIhk/qR7BgYt1Eejl1LELKVTk4XdS2wmJmdurWnREojCxy/6ZKQd98EHmB0px1Q=

sub2.sub1.dnssec-secured.com. 86000 IN A 172.27.171.106

sub2.sub1.dnssec-secured.com. 86000 IN RRSIG A 8 4 86000 20160324114814 
20160223114814 24828 dnssec-secured.com. 
u2okLkbbAL9w16qeOUo6q/Js3WPXbYFcMmQEu4sR34LYK5rKf0Xz8M1w54tN4By0v1gVflj9+LDytra1udHNTmNQpVRGxrBQArn2xDOjoAdgTSP4J2CCRPYWMHJeFxTNMCQkDUiM8dP1hhz23vPDLVmtVgIkBuy18lBm8hiZdzA=

eahu8v3vmje1b3cef5687r8dmm2i5bu7.dnssec-secured.com. 3600 IN NSEC3 1 0 1 
-  31igt9vki6e04vr59abcnr3f5b6v00mq A RRSIG

eahu8v3vmje1b3cef5687r8dmm2i5bu7.dnssec-secured.com. 3600 IN RRSIG NSEC3 
8 3 3600 20160324114814 20160223114814 24828 dnssec-secured.com. 
g6rPoNVsmlthX3B2wvrc8gSJFhpKHvD67XpnlJwCeIPf0p0hy8IH3/Kd2d+E3FT8kVOOhsRFjFtLRpfYfzWTguasK6RoVD6r5+IdJvhwFI/ZMNP7gHm60rk5juuDvA2wpJdulyqv2GYFY21P0BsoeBQMJ4VZIbF/KNwthl/lE9Q=
####################


Best regards,

Sebastian
hosting.de GmbH
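
Added example, not part of the original message and not PowerDNS or ldns code: a Python sketch of the two values the message says have to be derived by hand before import, the empty non-terminal names (the "empty traversal" records) and the NSEC3 hash of each owner name, computed per RFC 5155 with the zone's NSEC3PARAM values (1 0 1 -). The function names are hypothetical, and it is an assumption here that the NSEC3 ordername is this hashed owner label; the printed hashes can be compared with the NSEC3 owner labels in the zone above.

```python
import base64
import hashlib

# Standard base32 alphabet -> base32hex alphabet used by NSEC3 (RFC 4648, section 7)
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt_hex="", iterations=0):
    """RFC 5155 SHA-1 hash of a domain name as a lowercase base32hex label."""
    salt = bytes.fromhex(salt_hex)
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):  # the field counts *additional* rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii").lower()

def empty_non_terminals(zone, owners):
    """Names between the apex and an owner name that hold no records themselves."""
    zone = zone.lower().rstrip(".")
    have = {o.lower().rstrip(".") for o in owners}
    missing = set()
    for owner in have:
        parent = owner
        while parent != zone and "." in parent:
            parent = parent.split(".", 1)[1]
            if parent != zone and parent.endswith("." + zone) and parent not in have:
                missing.add(parent)
    return sorted(missing)

def ordername_plan(zone, owners, salt_hex, iterations):
    """(name, nsec3 hash, is_empty_non_terminal) for every name that needs a hash."""
    ents = empty_non_terminals(zone, owners)
    names = sorted({o.lower().rstrip(".") for o in owners} | set(ents))
    return [(n, nsec3_hash(n, salt_hex, iterations), n in ents) for n in names]

# Owner names of the data records in the zone from the message. NSEC3PARAM
# "1 0 1 -" means SHA-1, flags 0, 1 additional iteration, empty salt.
ZONE = "dnssec-secured.com"
OWNERS = ["dnssec-secured.com.", "sub2.sub1.dnssec-secured.com."]

if __name__ == "__main__":
    for name, order, ent in ordername_plan(ZONE, OWNERS, "", 1):
        print(f"{order}  {name}{'  (empty non-terminal)' if ent else ''}")
```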


