[Pdns-users] pdns/gmysql/slave for signed zone: records being mangled

Mark Huizer xaa+powerdns at dohd.org
Tue Jan 25 08:33:30 UTC 2011

On 1/25/2011 8:32, bert hubert wrote:
> After some off-list discussion, we found that Mark runs 2.9.22, which indeed
> has 'padding' issues on base64 RRSIG records.
> In any case, slaving a DNSSEC zone to 2.9.22 is of little use since while it
> can serve DNSSEC records (albeit slightly damaged as above), 2.9.22 does not
> do any DNSSEC processing.
> Mark, you may have a (lot) more success with the PowerDNSSEC prereleases as
> actively being developed on http://www.powerdnssec.org.

Just for my understanding (dnssec is on my seriously-dig-into-it-further list, and I have to live with basic knowledge of dnssec at the moment) :-)

My understanding is that the processing of dnssec related stuff is done on the master (who does the signing work of records and nsec etc), and the client (who validates the signatures with the chain from root to final nameserver, etc, with some sidestepping where necessary to have a decent anchor point to start your validating).

A slave server should do nothing but just serving the records, right? (master/slave relation is already based on trust, and clients validate anyway). That's what we did in the BIND case, and that's what I expected to do in the PowerDNS case as well.

Regarding the "2.9.22 has padding issues with base64", is there anything a mere mortal like me can do? It's the most current version, I haven't checked the snapshots so far to see if anything is done there. At least I have some useful terms to search on now :-)
> Good luck!

Thanks :-)


More information about the Pdns-users mailing list