[Pdns-users] New PowerDNS Authoritative Server snapshot with DNSSEC + Release Notes
bert hubert
bert.hubert at netherlabs.nl
Fri Jan 28 20:42:24 UTC 2011
Hi Leen,
Thanks for testing the prerelease!
On Fri, Jan 28, 2011 at 11:14:43AM +0100, Leen Besselink wrote:
> First problem: what do I need to specify at the launch parameter ?:
> sqlite or sqlite3 ?
I updated the documentation to this effect:
"To benefit from this mode, include at least one database-based backend in
the 'launch' statement. The Generic SQLite backend version 3 (gsqlite3)
probably complements BIND mode best, since it does not require a database
server process."
> I checked pdns_server --list-modules
> gsqlite or gsqlite3
> I guess if I use the 'sqlite3' command to create the database I'll use
> gsqlite3.
Good thinking!
> As I understand it, it is possible to use bind-zones and sqlite3 to
> store the keys.
Indeed.
> So I ran the commands:
> $pdnssec secure-zone test.net
> This should not happen, still no key!
I've updated this error message so it now says:
"Failed to secure zone - if you run with the BIND backend, make sure to also
launch another backend which supports storage of DNSSEC settings.
In addition, add 'blah.nl' to this backend, possibly like this:
insert into domains (name, type) values ('blah.nl', 'NATIVE');
And then rerun secure-zone"
> Now it worked:
> ;; ANSWER SECTION:
> www.test.net. 3600 IN CNAME web.test.net.
> web.test.net. 3600 IN A 10.0.0.238
This is pretty weird though. I don't see why this would require a zone to be
rectified. Even though zones should always be rectified when running with
'g*sql-dnssec'.
> So I have 2 suggestions:
> 1. add the insert into domain line to zone2sql
zone2sql is a bit confusing and may need to be revamped. It does add the
'insert' if you operate from a named.conf.
> 2. the documentation should be changed from:
> $ echo 'insert into domains (name, type) values ('powerdnssec.org', 'NATIVE') | sqlite3 ./powerdns.sqlite3
> to:
> $ echo "insert into domains (name, type) values ('powerdnssec.org', 'NATIVE')" | sqlite3 ./powerdns.sqlite3
Done.
> After ordering and signing and ordering the DNSSEC the CNAME problems
> all went away and when I run dig with +trusted-key= and everything worked.
> It also worked with or without the bind backend.
Cool!
Thanks Leen, the changes you inspired are in
http://wiki.powerdns.com/trac/changeset/1927
Bert