[Pdns-users] DNSsec DS trouble in single server TLD setup

Niek niek-pdns at internl.net
Thu Apr 21 09:13:00 UTC 2011


Hi folks,

Has anybody tried to create their own DNSsec enabled TLD with PowerDNS Server?

I did, but I only succeeded when using a different server for the TLD and for
the child zones under the TLD.

Couldn't get it to work with the TLD and the child zone on the same server.
I was wondering whether this could be a bug in PowerDNS Server or whether I'm
maybe trying to do something the wrong way. (And I was wondering if it also
affects subdomains on the same server as the parent domain, I didn't
investigate)

(all versions: pdns-3.0-rc2.20110419.2176, all tests performed after
rectify-zone, check-zone and pdns restart)

The dual-server setup works fine (with one glitch I'll mention later):

 Server_A (The TLD server):
 ===========================================================================
 mysql> select * from domains;
 +-----+---------------+--------+...+--------+-----------------+---------+
 | id  | name          | master |...| type   | notified_serial | account |
 +-----+---------------+--------+...+--------+-----------------+---------+
 | 666 | rulez         | NULL   |...| NATIVE |            NULL | NULL    |
 | 668 | dnssec.rulez  | NULL   |...| NATIVE |            NULL | NULL    |
 +-----+---------------+--------+...+--------+-----------------+---------+

 mysql> select * from records where type='DS'\G
 *************************** 1. row ***************************
          id: 62
   domain_id: 666
        name: dnssec.rulez
        type: DS
     content: 28024 8 2 e56da3afaf08e286...<snip to fit>...086b35e338de29e96
         ttl: 600
        prio: 0
 change_date: NULL
   ordername: hqiffkq5vs8fu9v6tb5sjlb2pqg8vt70
        auth: 1
 ===========================================================================


 Server_B (The child zone server):
 ===========================================================================
 mysql> select * from domains;
 +----+---------------+--------+...+--------+-----------------+---------+
 | id | name          | master |...| type   | notified_serial | account |
 +----+---------------+--------+...+--------+-----------------+---------+
 |  2 | dnssec.rulez  | NULL   |...| NATIVE |            NULL | NULL    |
 +----+---------------+--------+...+--------+-----------------+---------+

 mysql> select * from records where type='SOA'\G
 *************************** 1. row ***************************
          id: 5
   domain_id: 2
        name: dnssec.rulez
        type: SOA
     content: ns.dnssec.rulez. blah.internl.net. 2011041100 7200 3600 604800 3600
         ttl: 600
        prio: 0
 change_date: NULL
   ordername: hqiffkq5vs8fu9v6tb5sjlb2pqg8vt70
        auth: 1
 ===========================================================================

 dig +multiline +dnssec +cd -t DS dnssec.rulez @Server_A

 ;; ANSWER SECTION:
 dnssec.rulez.           600 IN RRSIG DS 8 2 600 20110428000000 (
                                20110414000000 32475 rulez.
                                TAzuzUcllHszSsuHNacWUb8vPt4BgKOSJr70rmrZksQl 
                                qt+6Fcth+F3b+DICFj+duqUxApJDeSj0cwHkm6bbfkbx
                                ToJayi6aDl82eSujkWreX7cK9dXxk7ncEtcAGAtQgCwa
                                Tn9gU5J060jym5FQO5zczON6qfAi5btoOp+1eEc= )
 dnssec.rulez.           600 IN DS 28024 8 2 (
                                E56DA3AFAF08E2863D50E07FC7CFDB609B7DFDC8FB81
                                086B33555E338DE29E96 )


You see, the server answers correctly and the record is signed by the right key
(and I verified it DNSsec-validates fine, very happy with that).

The glitch: 'rectify-zone rulez', in this dual server setup, sets DS records to
auth=0, which is incorrect according to the documentation: "Do note that the DS
record for a secure delegation should be authoritative!". Mind you: 'check-zone
rulez' detects this problem, and it only happens if the child zone is not
present on the same server, if it is present, auth stays 1.



Then the single server setup, that doesn't work for me:

 Server_A (TLD server & zone server):
 ==========================================================================
 mysql> select * from domains;
 +----+---------------+--------+...+--------+-----------------+---------+
 | id | name          | master |...| type   | notified_serial | account |
 +----+---------------+--------+...+--------+-----------------+---------+
 |  7 | sucks         | NULL   |...| NATIVE |            NULL | NULL    |
 |  8 | rsi.sucks     | NULL   |...| NATIVE |            NULL | NULL    |
 +----+---------------+--------+...+--------+-----------------+---------+

 mysql> select * from records where type='DS'\G
 *************************** 1. row ***************************
          id: 32
   domain_id: 7
        name: rsi.sucks
        type: DS
     content: 52019 8 2 5a078b6143552...<snip to fit>...e1082eb1ee9e3daa7bb
         ttl: 600
        prio: 0
 change_date: NULL
   ordername: 6pmeqp0egqdhf7ikq7iasamtjd270m1c
        auth: 1

 mysql> select * from records where type='SOA'\G
 *************************** 1. row ***************************
          id: 29
   domain_id: 8
        name: rsi.sucks
        type: SOA
     content: ns.rsi.sucks. blah.internl.net. 2011041900 7200 3600 604800 3600
         ttl: 600
        prio: 0
 change_date: NULL
   ordername: 6pmeqp0egqdhf7ikq7iasamtjd270m1c
        auth: 1
 ===========================================================================


In this situation 'dig +multiline +dnssec +cd -t DS rsi.sucks @Server_A'
doesn't give an ANSWER SECTION, but it does give you an AUTHORITY SECTION with
NSEC3 records:

 ;; AUTHORITY SECTION:
 rsi.sucks.             600 IN SOA ns.rsi.sucks. blah.internl.net. (
                                2011041900 ; serial
                                7200       ; refresh (2 hours)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                3600       ; minimum (1 hour)
                                )
 rsi.sucks.             600 IN RRSIG SOA 8 2 600 20110505000000 (
                                20110421000000 4980 rsi.sucks.
                                LVoTvxQ03R1vl7E0miMHuYj91BBp39lGiQ4BcrZIcI6s
                                xTYz4nlpaWmaG8GJ9qvtzWy3LZY5h26EfBYILghWzGWn
                                IvNe6oA6JGm/fgehkz0wws3moPgEqK1xUs83sY5pHia+
                                ykQf2sIyKFTDQpvpf79Cvis87Z3pnnmd6Y7I4RI= )
 6pm....rsi.sucks. 600  IN NSEC3 1 1 1 AB ... NS SOA RRSIG DNSKEY NSEC3PARAM
 6pm....rsi.sucks. 600  IN RRSIG NSEC3 8 3 600 20110505000000 (
                                20110421000000 4980 rsi.sucks.
                                crSS/90onlzAZng+xqfDWgGlP+Ywwu8ekApPLEP/sn+k
                                LgAOhsey2BWfICt87mhAk9DXJ5xfSsxnH6zIXjRaM+A0
                                Ee6o7XcJy/sDDDqnvfEFlgicqsz0Fk1VV13/dVOfxyLQ
                                qZKEUkWsA1rvZTE27f3dcdTd3dGt5fRZHAJY6pQ= )
 kou....rsi.sucks. 600        IN NSEC3 1 1 1 AB ... A RRSIG
 kou....rsi.sucks. 600        IN RRSIG NSEC3 8 3 600 20110505000000 (
                                20110421000000 4980 rsi.sucks.
                                OTwe32EJ4rNaVrU4DooVH1e49fKW75z0csNkaDUmj3+b
                                S78e99w+e5yIpXtOhVYD0emm1XMJasNXGeZOEi03CTbr
                                AIHH3DJuxURLNU4QXNtEvLq2cz8ALRT+lqCc/v1yl+bN
                                9dNykQxhNasqZCphMkTqr98grSZeG6g8bHuKz2M= )

In case you are wondering: if I change the domain_id of the DS record to the id
of the child zone, PowerDNS does give you the DS record, but it is signed with
the wrong key (the child zone key):

 ;; ANSWER SECTION:
 rsi.sucks.              600 IN RRSIG DS 8 2 600 20110505000000 (
                                20110421000000 4980 rsi.sucks.
                                aBWz2uQwGBzx6rV3TxKYW1XVpffHOrNVWNQ11/HxPnxH
                                7wunuB0fhOJ/m4aSLv6/pbRsGsgGzLRG/Yfv339CJrnU
                                A+bLgNsdTjAnLMfwiecN4TpGJPSp3TQbebS1ZUACSyMF
                                PUF+gFSqQ7vDA28iydKST9CHkQwD03IjPHYfvXg= )
 rsi.sucks.              600 IN DS 52019 8 2 (
                                5A078B614331E795527F8A2E1082EEC9EA4EACCC0C26
                                AB5D2C5B1EE9E3DAA7BB )


Any suggestions?

Kind regards,
Niek
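The post above hinges on two things a defender would want to verify independently of the server's answer: that the DS row stored in the parent zone actually matches the child zone's DNSKEY, and that DS rows at a delegation point carry auth=1 after rectify-zone. The following is an added example, not code from the original post or from PowerDNS: a small Python checker that derives a DS (RFC 4034 key tag, SHA-1/SHA-256 digest over the canonical owner name plus DNSKEY RDATA) from a DNSKEY, compares it with DS `content` text in the PowerDNS presentation format shown in the post, and flags DS rows with auth=0. The owner name, DNSKEY values and table rows used in it are constructed placeholders, not the keys from the post.

```python
import base64
import hashlib
import struct

# Added example (constructed), not code from the mailing-list post or from PowerDNS.
# It checks the consistency of a secure delegation as stored in the parent zone.


def name_to_wire(owner: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    owner = owner.rstrip(".").lower()
    wire = b""
    if owner:
        for label in owner.split("."):
            raw = label.encode("ascii")
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (16 bit), protocol (8 bit), algorithm (8 bit), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag; valid for every algorithm except the obsolete RSA/MD5 (1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8  # odd offsets add the byte, even offsets the byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return (key_tag, algorithm, digest_type, hex_digest), i.e. the DS derived from a DNSKEY."""
    pubkey = base64.b64decode(pubkey_b64)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), algorithm, digest_type, digest


def parse_ds(content: str):
    """Parse PowerDNS DS `content` text such as '28024 8 2 e56da3...' (digest may be split by spaces)."""
    tag, alg, dtype, *digest_parts = content.split()
    return int(tag), int(alg), int(dtype), "".join(digest_parts).lower()


def ds_matches(parent_ds_content, owner, flags, protocol, algorithm, pubkey_b64):
    """True when the DS stored in the parent zone was derived from this child DNSKEY."""
    tag, alg, dtype, digest = parse_ds(parent_ds_content)
    if dtype not in DIGESTS:
        return False  # unsupported digest type: cannot be verified, treat as mismatch
    return ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, dtype) == (tag, alg, dtype, digest)


def delegation_auth_problems(rows, parent_domain_id):
    """Names of DS rows in the parent zone whose auth flag is not 1 (the glitch described in the post)."""
    return [
        r["name"]
        for r in rows
        if r["domain_id"] == parent_domain_id and r["type"] == "DS" and r["auth"] != 1
    ]


if __name__ == "__main__":
    # Constructed sample: a tiny placeholder public key, not a real DNSSEC key.
    owner = "rsi.sucks"
    pubkey_b64 = base64.b64encode(b"\x00\x01\x02\x03").decode()
    tag, alg, dtype, digest = ds_from_dnskey(owner, 257, 3, 8, pubkey_b64)
    parent_content = f"{tag} {alg} {dtype} {digest}"
    print("derived DS:", parent_content)
    print("matches:", ds_matches(parent_content, owner, 257, 3, 8, pubkey_b64))
    # Constructed rows in the shape of the `records` table from the post.
    rows = [
        {"domain_id": 7, "name": "rsi.sucks", "type": "DS", "auth": 0},
        {"domain_id": 7, "name": "rsi.sucks", "type": "NS", "auth": 0},
    ]
    print("DS rows with auth!=1:", delegation_auth_problems(rows, 7))
```

To use it against a real setup, feed `ds_matches` the `content` column of the parent zone's DS row and the child zone's DNSKEY fields, and feed `delegation_auth_problems` the rows of the parent zone's `records` table; a mismatch or an auth=0 DS row means validation of the delegation will fail regardless of which server answers the query.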
