[Pdns-users] Delegating a subdomain with DNSsec fails if child and parent zone are on same server

Niek niek-pdns at internl.net
Tue Apr 26 16:00:02 UTC 2011


Hi Folks,

In addition to the findings I communicated to this list in "DNSsec DS trouble
in single server TLD setup" on Thu Apr 21, I tried to delegate a subdomain with
DNSsec on PowerDNS Server (pdns-3.0-rc2.20110419.2176).

If both parent domain and child domain are hosted within the same instance of
PowerDNS (with mysql backend), I fail because PowerDNS refuses to serve me the
DS of the subzone.

I do not know if this is the normal way to go for this sort of thing; the
alternative is to put the child RR's into the parent zone.  This works fine,
but putting it all into the parent zone becomes very messy very fast.
As an ISP we have subzones with 40,000+ RR's, and I'm not especially looking
forward to bundling those into 200,000+ RR zones.

Also, if you put all records in the parent zone, you will have a harder time
delegating responsibilities for sub zones to e.g. another office. You can in
this scenario make two extra servers of course, but then you have to take care
of 4 servers.


Here's what I did:

domain_id 5 = parent (pre-exists)
domain_id 6 = child

Create subdomain
=========================================================================
INSERT INTO `powerdns`.`domains` (
`id` ,
`name` ,
`master` ,
`last_check` ,
`type` ,
`notified_serial` ,
`account`
)
VALUES (
NULL , 'sales.securename.nl', NULL , NULL , 'NATIVE', NULL , NULL
);


NS of subdomain in child zone
=========================================================================
INSERT INTO `powerdns`.`records` (
`id` ,
`domain_id` ,
`name` ,
`type` ,
`content` ,
`ttl` ,
`prio` ,
`change_date` ,
`ordername` ,
`auth`
)
VALUES (
NULL , '6', 'sales.securename.nl', 'NS', 'dnssec-auth-bis.mer-nm.internl.net', '600', '0', NULL , NULL , '1'
);


SOA of subdomain in child zone
=========================================================================
INSERT INTO `powerdns`.`records` (
`id` ,
`domain_id` ,
`name` ,
`type` ,
`content` ,
`ttl` ,
`prio` ,
`change_date` ,
`ordername` ,
`auth`
)
VALUES (
NULL , '6', 'sales.securename.nl', 'SOA', 'dnssec-auth-bis.mer-nm.internl.net blah.internl.net 2011042600 7200 3600 604800 3600', '600', '0', NULL , NULL , '1'
);


MX of subdomain in child zone
=========================================================================
INSERT INTO `powerdns`.`records` (
`id` ,
`domain_id` ,
`name` ,
`type` ,
`content` ,
`ttl` ,
`prio` ,
`change_date` ,
`ordername` ,
`auth`
)
VALUES (
NULL , '6', 'sales.securename.nl', 'MX', 'mail.sales.securename.nl', '600', '10', NULL , NULL , '1'
);


A of MX of subdomain in child zone
=========================================================================
INSERT INTO `powerdns`.`records` (
`id` ,
`domain_id` ,
`name` ,
`type` ,
`content` ,
`ttl` ,
`prio` ,
`change_date` ,
`ordername` ,
`auth`
)
VALUES (
NULL , '6', 'mail.sales.securename.nl', 'A', '1.2.3.4', '600', '0', NULL , NULL , '1'
);


Check
===========================================================================
dig +multiline ns sales.securename.nl @dnssec-auth-bis.mer-nm.internl.net    -> works
dig +multiline soa sales.securename.nl @dnssec-auth-bis.mer-nm.internl.net   -> works


DNSsec-ify
===========================================================================
pdnssec secure-zone sales.securename.nl
pdnssec set-nsec3 sales.securename.nl
pdnssec rectify-zone sales.securename.nl
pdnssec check-zone sales.securename.nl

pdnssec show-zone sales.securename.nl
DS = sales.securename.nl IN DS 42385 8 2 ec12ab2e160eab1681ea3031b2d72b04d61a58cc914ecb68a3a39a17d5eb0eb6

INSERT INTO `powerdns`.`records` (
`id` ,
`domain_id` ,
`name` ,
`type` ,
`content` ,
`ttl` ,
`prio` ,
`change_date` ,
`ordername` ,
`auth`
)
VALUES (
NULL , '5', 'sales.securename.nl', 'DS', '42385 8 2 ec12ab2e160eab1681ea3031b2d72b04d61a58cc914ecb68a3a39a17d5eb0eb6', '600', '0', NULL , NULL , '1'
);

pdnssec rectify-zone sales.securename.nl
pdnssec rectify-zone securename.nl

/etc/init.d/pdns restart

dig +multiline +dnssec dnskey sales.securename.nl @dnssec-auth-bis.mer-nm.internl.net  -> works
dig +multiline +dnssec soa sales.securename.nl @dnssec-auth-bis.mer-nm.internl.net     -> works
dig +multiline +dnssec ns sales.securename.nl @dnssec-auth-bis.mer-nm.internl.net      -> works
dig +multiline +dnssec ds sales.securename.nl @dnssec-auth-bis.mer-nm.internl.net      -> Fails, only NSEC3 output

Which means that validation fails.


Any remarks or suggestions?

BTW, this setup no longer exists, but I can re-create it if needed.



Kind regards,
-- Niek
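
A validating resolver accepts the child zone's keys only when a DS served from the parent matches one of the child's DNSKEY records. The following is an added example (not part of the original post and not PowerDNS code) that recomputes the DS content string, in the form stored in the records table, from a DNSKEY per RFC 4034 and RFC 4509; the sample key is constructed, because the zone's real DNSKEY is not shown in the post.

```python
import base64
import hashlib
import struct

def name_to_wire(name):
    """Canonical lower-case wire form of an owner name (RFC 4034, section 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_content(owner, dnskey):
    """Build the 'tag algorithm 2 digest' string (SHA-256, digest type 2)."""
    rdata = dnskey_rdata(*dnskey)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return f"{key_tag(rdata)} {dnskey[2]} 2 {digest}"

def ds_matches(owner, stored_ds, dnskey):
    """True if the DS content stored in the parent zone matches the child's DNSKEY."""
    tag, alg, dtype, digest = stored_ds.split()
    if dtype != "2":
        raise ValueError("only digest type 2 (SHA-256) is handled here")
    return ds_content(owner, dnskey) == f"{int(tag)} {int(alg)} 2 {digest.lower()}"

# Constructed sample key: flags 257 (KSK), protocol 3, algorithm 8, 4 dummy key bytes.
SAMPLE_KEY = (257, 3, 8, "AQIDBA==")
# DS content exactly as inserted into the parent zone in the post above.
POSTED_DS = "42385 8 2 ec12ab2e160eab1681ea3031b2d72b04d61a58cc914ecb68a3a39a17d5eb0eb6"

if __name__ == "__main__":
    owner = "sales.securename.nl"
    good = ds_content(owner, SAMPLE_KEY)
    print("derived DS:", good)
    print("derived DS matches its key:", ds_matches(owner, good, SAMPLE_KEY))
    print("posted DS matches sample key:", ds_matches(owner, POSTED_DS, SAMPLE_KEY))
```

To check a real delegation, replace SAMPLE_KEY with the flags, protocol, algorithm and base64 key from the child's DNSKEY answer and pass the DS content held in the parent zone.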