[Pdns-users] pdns/gmysql/slave for signed zone: records being mangled

Maik Zumstrull maik at zumstrull.net
Tue Jan 25 11:56:06 UTC 2011

On Tue, Jan 25, 2011 at 09:33, Mark Huizer <xaa+powerdns at dohd.org> wrote:

> My understanding is that the processing of dnssec related stuff is done on
> the master (who does the signing work of records and nsec etc), and the
> client (who validates the signatures with the chain from root to final
> nameserver, etc, with some sidestepping where necessary to have a decent
> anchor point to start your validating).
> A slave server should do nothing but just serving the records, right?

True, but your understanding is incomplete. DNSsec creates several
cases of implied records, that is, records the client didn't ask for,
but that should be delivered with the answer because they are required
for validation. In some cases, the client can compensate by explicitly
asking for the records it needs (e.g. RRSIG), but this is inefficient,
and in some cases (NSEC, NSEC3), the client can't know what to ask
for, since the owner name of the required records is related to the
queried owner name in a way only someone with access to the entire
zone content can resolve.

Authoritative DNS servers need to be somewhat DNSsec-aware even when
serving a presigned zone.

> (master/slave relation is already based on trust, and clients validate
> anyway). That's what we did in the BIND case, and that's what I expected to
> do in the PowerDNS case as well.

Presumably, your BIND version already implements the required parts of
DNSsec. PowerDNS 2.9.* does not.

More information about the Pdns-users mailing list