[Pdns-users] Delegating a subdomain with DNSsec fails if child and parent zone are on same server

Niek niek-pdns at internl.net
Wed Apr 27 15:34:38 UTC 2011


Hi Folks,

I can confirm this problem got fixed in build 2181.

This build also fixes "[Pdns-users] DNSsec DS trouble in single server TLD setup".


On Tue, Apr 26, 2011 at 06:00:02PM +0200, Niek wrote:
> Hi Folks,
> 
> In addition to the findings I communicated to this list in "DNSsec DS trouble
> in single server TLD setup" on Thu Apr 21, I tried to delegate a subdomain with
> DNSsec on PowerDNS Server (pdns-3.0-rc2.20110419.2176).
> 
> If both parent domain and child domain are hosted within the same instance of
> PowerDNS (with mysql backend), I fail because PowerDNS refuses to serve me the
> DS of the subzone.
> 
> I do not know if this is the normal way to go for this sort of thing, the
> alternative is to put the child RR's into the parent zone.  This works fine,
> but putting it all into the parent zone becomes very messy very fast.
> As an ISP we have subzones with 40,000+ RR's, I'm not especially looking
> forward to bundling those into 200,000+ RR zones.
> 
> Also, if you put all records in the parent zone, you will have a harder time
> delegating responsibilities for sub zones to e.g. another office. You can in
> this scenario make two extra servers of course, but then you have to take care
> of 4 servers.
> 
> 
> Here's what I did:
> 
> domain_id 5 = parent (pre-exists)
> domain_id 6 = child
> 
> Create subdomain
> =========================================================================
> INSERT INTO `powerdns`.`domains` (
> `id` ,
> `name` ,
> `master` ,
> `last_check` ,
> `type` ,
> `notified_serial` ,
> `account`
> )
> VALUES (
> NULL , 'sales.securename.nl', NULL , NULL , 'NATIVE', NULL , NULL
> );
> 
> 
> NS of subdomain in child zone
> =========================================================================
> INSERT INTO `powerdns`.`records` (
> `id` ,
> `domain_id` ,
> `name` ,
> `type` ,
> `content` ,
> `ttl` ,
> `prio` ,
> `change_date` ,
> `ordername` ,
> `auth`
> )
> VALUES (
> NULL , '6', 'sales.securename.nl', 'NS', 'dnssec-auth-bis.mer-nm.internl.net', '600', '0', NULL , NULL , '1'
> );
> 
> 
> SOA of subdomain in child zone
> =========================================================================
> INSERT INTO `powerdns`.`records` (
> `id` ,
> `domain_id` ,
> `name` ,
> `type` ,
> `content` ,
> `ttl` ,
> `prio` ,
> `change_date` ,
> `ordername` ,
> `auth`
> )
> VALUES (
> NULL , '6', 'sales.securename.nl', 'SOA', 'dnssec-auth-bis.mer-nm.internl.net blah.internl.net 2011042600 7200 3600 604800 3600', '600', '0', NULL , NULL , '1'
> );
> 
> 
> MX of subdomain in child zone
> =========================================================================
> INSERT INTO `powerdns`.`records` (
> `id` ,
> `domain_id` ,
> `name` ,
> `type` ,
> `content` ,
> `ttl` ,
> `prio` ,
> `change_date` ,
> `ordername` ,
> `auth`
> )
> VALUES (
> NULL , '6', 'sales.securename.nl', 'MX', 'mail.sales.securename.nl', '600', '10', NULL , NULL , '1'
> );
> 
> 
> A of MX of subdomain in child zone
> =========================================================================
> INSERT INTO `powerdns`.`records` (
> `id` ,
> `domain_id` ,
> `name` ,
> `type` ,
> `content` ,
> `ttl` ,
> `prio` ,
> `change_date` ,
> `ordername` ,
> `auth`
> )
> VALUES (
> NULL , '6', 'mail.sales.securename.nl', 'A', '1.2.3.4', '600', '0', NULL , NULL , '1'
> );
> 
> 
> Check
> ===========================================================================
> dig +multiline ns sales.securename.nl @dnssec-auth-bis.mer-nm.internl.net    -> works
> dig +multiline soa sales.securename.nl @dnssec-auth-bis.mer-nm.internl.net   -> works
> 
> 
> DNSsec-ify
> ===========================================================================
> pdnssec secure-zone sales.securename.nl
> pdnssec set-nsec3 sales.securename.nl
> pdnssec rectify-zone sales.securename.nl
> pdnssec check-zone sales.securename.nl
> 
> pdnssec show-zone sales.securename.nl
> DS = sales.securename.nl IN DS 42385 8 2 ec12ab2e160eab1681ea3031b2d72b04d61a58cc914ecb68a3a39a17d5eb0eb6
> 
> INSERT INTO `powerdns`.`records` (
> `id` ,
> `domain_id` ,
> `name` ,
> `type` ,
> `content` ,
> `ttl` ,
> `prio` ,
> `change_date` ,
> `ordername` ,
> `auth`
> )
> VALUES (
> NULL , '5', 'sales.securename.nl', 'DS', '42385 8 2 ec12ab2e160eab1681ea3031b2d72b04d61a58cc914ecb68a3a39a17d5eb0eb6', '600', '0', NULL , NULL , '1'
> );
> 
> pdnssec rectify-zone sales.securename.nl
> pdnssec rectify-zone securename.nl
> 
> /etc/init.d/pdns restart
> 
> dig +multiline +dnssec dnskey sales.securename.nl @dnssec-auth-bis.mer-nm.internl.net  -> works
> dig +multiline +dnssec soa sales.securename.nl @dnssec-auth-bis.mer-nm.internl.net     -> works
> dig +multiline +dnssec ns sales.securename.nl @dnssec-auth-bis.mer-nm.internl.net      -> works
> dig +multiline +dnssec ds sales.securename.nl @dnssec-auth-bis.mer-nm.internl.net      -> Fails, only NSEC3 output
> 
> Which means that validation fails.
> 
> 
> Any remarks or suggestions?
> 
> BTW, this setup no longer exists, but I can re-create it if needed.
> 
> 
> 
> Kind regards,
> -- Niek
> ----------------------------------------------------------------
> 

Grtz,
-- Niek
----------------------------------------------------------------
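The failing step in the thread is the parent not serving a DS that matches the child's KSK, so the delegation cannot validate. Below is an added offline check, not code from the thread or from PowerDNS, that derives a DS (key tag per RFC 4034 Appendix B, SHA-256 digest per RFC 4509) from a DNSKEY and tests whether a set of DS strings, as returned by `dig ds` at the parent or by `pdnssec show-zone`, contains it. The DNSKEY material is a constructed dummy, not the thread's real key.

```python
import base64
import hashlib
import struct

# Constructed example values (not the key from the thread): flags 257 (KSK),
# protocol 3, algorithm 8 (RSASHA256) and a tiny fake public key blob.
CHILD_ZONE = "sales.securename.nl"
CHILD_DNSKEY = (257, 3, 8, base64.b64encode(b"\x01\x02\x03\x04").decode())

def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire format (lowercase, uncompressed), RFC 4034 6.2."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label in {name!r}")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, key_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag for algorithms other than 1."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, flags: int, protocol: int, algorithm: int, key_b64: str):
    """Return (key_tag, algorithm, digest_type 2, sha256 hex) for the given DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, 2, digest)

def parse_ds(text: str):
    """Parse 'tag alg dtype hexdigest' as printed by pdnssec show-zone or dig."""
    tag, alg, dtype, digest = text.split()
    return (int(tag), int(alg), int(dtype), digest.lower())

def parent_has_matching_ds(parent_ds_texts, child_ds) -> bool:
    """True only if one DS served by the parent equals the DS derived from the child KSK.
    An empty answer (the thread's 'only NSEC3 output' case) therefore returns False."""
    return any(parse_ds(t) == child_ds for t in parent_ds_texts)

if __name__ == "__main__":
    ds = make_ds(CHILD_ZONE, *CHILD_DNSKEY)
    print("expected DS:", *ds)
    print("parent serves matching DS:", parent_has_matching_ds([], ds))
```

Feed the function the DS strings actually returned by the parent; in the thread's setup the answer set was empty, which this check flags as a broken chain of trust.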


