[Pdns-users] DNSsec DS trouble in single server TLD setup
Niek
niek-pdns at internl.net
Thu Apr 21 09:13:00 UTC 2011
Hi folks,
Has anybody tried to create their own DNSsec enabled TLD with PowerDNS Server?
I did, but I only succeeded when using a different server for the TLD and for
the child zones under the TLD.
Couldn't get it to work with the TLD and the child zone on the same server.
I was wondering whether this could be a bug in PowerDNS Server or whether I'm
maybe trying to do something the wrong way. (And I was wondering if it also
affects subdomains on the same server as the parent domain, I didn't
investigate)
(all versions: pdns-3.0-rc2.20110419.2176, all tests performed after
rectify-zone, check-zone and pdns restart)
The dual-server setup works fine (with one glitch I'll mention later):
Server_A (The TLD server):
===========================================================================
mysql> select * from domains;
+-----+---------------+--------+...+--------+-----------------+---------+
| id  | name          | master |...| type   | notified_serial | account |
+-----+---------------+--------+...+--------+-----------------+---------+
| 666 | rulez         | NULL   |...| NATIVE | NULL            | NULL    |
| 668 | dnssec.rulez  | NULL   |...| NATIVE | NULL            | NULL    |
+-----+---------------+--------+...+--------+-----------------+---------+
mysql> select * from records where type='DS'\G
*************************** 1. row ***************************
id: 62
domain_id: 666
name: dnssec.rulez
type: DS
content: 28024 8 2 e56da3afaf08e286...<snip to fit>...086b35e338de29e96
ttl: 600
prio: 0
change_date: NULL
ordername: hqiffkq5vs8fu9v6tb5sjlb2pqg8vt70
auth: 1
===========================================================================
Server_B (The child zone server):
===========================================================================
mysql> select * from domains;
+----+---------------+--------+...+--------+-----------------+---------+
| id | name          | master |...| type   | notified_serial | account |
+----+---------------+--------+...+--------+-----------------+---------+
| 2  | dnssec.rulez  | NULL   |...| NATIVE | NULL            | NULL    |
+----+---------------+--------+...+--------+-----------------+---------+
mysql> select * from records where type='SOA'\G
*************************** 1. row ***************************
id: 5
domain_id: 2
name: dnssec.rulez
type: SOA
content: ns.dnssec.rulez. blah.internl.net. 2011041100 7200 3600 604800 3600
ttl: 600
prio: 0
change_date: NULL
ordername: hqiffkq5vs8fu9v6tb5sjlb2pqg8vt70
auth: 1
===========================================================================
dig +multiline +dnssec +cd -t DS dnssec.rulez @Server_A
;; ANSWER SECTION:
dnssec.rulez. 600 IN RRSIG DS 8 2 600 20110428000000 (
20110414000000 32475 rulez.
TAzuzUcllHszSsuHNacWUb8vPt4BgKOSJr70rmrZksQl
qt+6Fcth+F3b+DICFj+duqUxApJDeSj0cwHkm6bbfkbx
ToJayi6aDl82eSujkWreX7cK9dXxk7ncEtcAGAtQgCwa
Tn9gU5J060jym5FQO5zczON6qfAi5btoOp+1eEc= )
dnssec.rulez. 600 IN DS 28024 8 2 (
E56DA3AFAF08E2863D50E07FC7CFDB609B7DFDC8FB81
086B33555E338DE29E96 )
You see, the server answers correctly and the record is signed by the right key
(and I verified it DNSsec-validates fine, very happy with that).
The glitch: 'rectify-zone rulez', in this dual server setup, sets DS records to
auth=0, which is incorrect according to the documentation: "Do note that the DS
record for a secure delegation should be authoritative!". Mind you: 'check-zone
rulez' detects this problem, and it only happens if the child zone is not
present on the same server, if it is present, auth stays 1.
Then the single-server setup, which doesn't work for me:
Server_A (TLD server & zone server):
==========================================================================
mysql> select * from domains;
+----+---------------+--------+...+--------+-----------------+---------+
| id | name          | master |...| type   | notified_serial | account |
+----+---------------+--------+...+--------+-----------------+---------+
| 7  | sucks         | NULL   |...| NATIVE | NULL            | NULL    |
| 8  | rsi.sucks     | NULL   |...| NATIVE | NULL            | NULL    |
+----+---------------+--------+...+--------+-----------------+---------+
mysql> select * from records where type='DS'\G
*************************** 1. row ***************************
id: 32
domain_id: 7
name: rsi.sucks
type: DS
content: 52019 8 2 5a078b6143552...<snip to fit>...e1082eb1ee9e3daa7bb
ttl: 600
prio: 0
change_date: NULL
ordername: 6pmeqp0egqdhf7ikq7iasamtjd270m1c
auth: 1
mysql> select * from records where type='SOA'\G
*************************** 1. row ***************************
id: 29
domain_id: 8
name: rsi.sucks
type: SOA
content: ns.rsi.sucks. blah.internl.net. 2011041900 7200 3600 604800 3600
ttl: 600
prio: 0
change_date: NULL
ordername: 6pmeqp0egqdhf7ikq7iasamtjd270m1c
auth: 1
===========================================================================
In this situation 'dig +multiline +dnssec +cd -t DS rsi.sucks @Server_A'
doesn't give an ANSWER SECTION, but it does give you an AUTHORITY SECTION with
NSEC3 records:
;; AUTHORITY SECTION:
rsi.sucks. 600 IN SOA ns.rsi.sucks. blah.internl.net. (
2011041900 ; serial
7200 ; refresh (2 hours)
3600 ; retry (1 hour)
604800 ; expire (1 week)
3600 ; minimum (1 hour)
)
rsi.sucks. 600 IN RRSIG SOA 8 2 600 20110505000000 (
20110421000000 4980 rsi.sucks.
LVoTvxQ03R1vl7E0miMHuYj91BBp39lGiQ4BcrZIcI6s
xTYz4nlpaWmaG8GJ9qvtzWy3LZY5h26EfBYILghWzGWn
IvNe6oA6JGm/fgehkz0wws3moPgEqK1xUs83sY5pHia+
ykQf2sIyKFTDQpvpf79Cvis87Z3pnnmd6Y7I4RI= )
6pm....rsi.sucks. 600 IN NSEC3 1 1 1 AB ... NS SOA RRSIG DNSKEY NSEC3PARAM
6pm....rsi.sucks. 600 IN RRSIG NSEC3 8 3 600 20110505000000 (
20110421000000 4980 rsi.sucks.
crSS/90onlzAZng+xqfDWgGlP+Ywwu8ekApPLEP/sn+k
LgAOhsey2BWfICt87mhAk9DXJ5xfSsxnH6zIXjRaM+A0
Ee6o7XcJy/sDDDqnvfEFlgicqsz0Fk1VV13/dVOfxyLQ
qZKEUkWsA1rvZTE27f3dcdTd3dGt5fRZHAJY6pQ= )
kou....rsi.sucks. 600 IN NSEC3 1 1 1 AB ... A RRSIG
kou....rsi.sucks. 600 IN RRSIG NSEC3 8 3 600 20110505000000 (
20110421000000 4980 rsi.sucks.
OTwe32EJ4rNaVrU4DooVH1e49fKW75z0csNkaDUmj3+b
S78e99w+e5yIpXtOhVYD0emm1XMJasNXGeZOEi03CTbr
AIHH3DJuxURLNU4QXNtEvLq2cz8ALRT+lqCc/v1yl+bN
9dNykQxhNasqZCphMkTqr98grSZeG6g8bHuKz2M= )
In case you are wondering: if I change the domain_id of the DS record to the id
of the child zone, PowerDNS does give you the DS record, but it is signed with
the wrong key (the child zone key):
;; ANSWER SECTION:
rsi.sucks. 600 IN RRSIG DS 8 2 600 20110505000000 (
20110421000000 4980 rsi.sucks.
aBWz2uQwGBzx6rV3TxKYW1XVpffHOrNVWNQ11/HxPnxH
7wunuB0fhOJ/m4aSLv6/pbRsGsgGzLRG/Yfv339CJrnU
A+bLgNsdTjAnLMfwiecN4TpGJPSp3TQbebS1ZUACSyMF
PUF+gFSqQ7vDA28iydKST9CHkQwD03IjPHYfvXg= )
rsi.sucks. 600 IN DS 52019 8 2 (
5A078B614331E795527F8A2E1082EEC9EA4EACCC0C26
AB5D2C5B1EE9E3DAA7BB )
Any suggestions?
Kind regards,
Niek
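As an added check (not part of Niek's post or of PowerDNS's own tooling), the following Python audits a dig +multiline answer the way one would triage the three outcomes above: a DS must be present, and the RRSIG covering it must be signed by the parent zone, never by the child zone itself. The two answer sections are taken from the post (signature lines shortened, they are not verified here); the NSEC3-only authority reply is a constructed, abbreviated stand-in for the failing single-server case.

```python
# Answer sections as shown in the post (base64 signature lines shortened; not verified here).
GOOD_ANSWER = """\
dnssec.rulez. 600 IN RRSIG DS 8 2 600 20110428000000 (
20110414000000 32475 rulez.
TAzuzUcllHszSsuHNacWUb8vPt4BgKOSJr70rmrZksQl
Tn9gU5J060jym5FQO5zczON6qfAi5btoOp+1eEc= )
dnssec.rulez. 600 IN DS 28024 8 2 (
E56DA3AFAF08E2863D50E07FC7CFDB609B7DFDC8FB81
086B33555E338DE29E96 )
"""
# The single-server case after moving the DS into the child zone: signed by rsi.sucks. itself.
BAD_ANSWER = """\
rsi.sucks. 600 IN RRSIG DS 8 2 600 20110505000000 (
20110421000000 4980 rsi.sucks.
aBWz2uQwGBzx6rV3TxKYW1XVpffHOrNVWNQ11/HxPnxH
PUF+gFSqQ7vDA28iydKST9CHkQwD03IjPHYfvXg= )
rsi.sucks. 600 IN DS 52019 8 2 (
5A078B614331E795527F8A2E1082EEC9EA4EACCC0C26
AB5D2C5B1EE9E3DAA7BB )
"""
# Constructed, abbreviated stand-in for the NSEC3-only AUTHORITY reply (no DS at all).
NO_ANSWER = """\
rsi.sucks. 600 IN SOA ns.rsi.sucks. blah.internl.net. 2011041900 7200 3600 604800 3600
6pm....rsi.sucks. 600 IN NSEC3 1 1 1 AB ... NS SOA RRSIG DNSKEY NSEC3PARAM
"""


def unfold(text):
    """Re-join dig +multiline records: lines between '(' and ')' belong to one record."""
    records, buf, depth = [], [], 0
    for line in text.splitlines():
        buf.append(line.strip())
        depth += line.count("(") - line.count(")")
        if depth == 0:
            records.append(" ".join(buf).replace("(", " ").replace(")", " ").split())
            buf = []
    return records


def audit_ds_answer(text):
    """Return (ds_present, checks); each check is (owner, rrsig_signer, signed_by_parent).
    The parent publishes the DS, so the RRSIG signer must be a zone strictly above the
    owner name, never the owner (child) zone itself."""
    ds_present, checks = False, []
    for tok in unfold(text):
        if len(tok) > 3 and tok[3] == "DS":
            ds_present = True
        elif len(tok) > 11 and tok[3] == "RRSIG" and tok[4] == "DS":
            owner, signer = tok[0], tok[11]  # RDATA: type alg labels ttl exp inc keytag signer
            checks.append((owner, signer, signer != owner and owner.endswith("." + signer)))
    return ds_present, checks
```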