[Pdns-users] New PowerDNS Authoritative Server snapshot with DNSSEC + Release Notes

Christof Meerwald cmeerw at cmeerw.org
Sat Jan 29 09:30:47 UTC 2011


On Sat, 29 Jan 2011 00:38:12 +0100, Christof Meerwald wrote:
> That's really excellent news - I have just migrated my 2 nameservers
> to SVN revision 1928 and signed one of the zones (btw, the setup is:
> master using bind backend for the zone data and gsqlite3 for the key
> data - slave is using gsqlite3 and AXFR from master). Let's see what
> happens...

Hmm, I still don't understand DNSSEC well enough to really make some
sense of it all, but there are certainly some strange things here:

The zone I am testing with is cmeerw.priv.at, master dns is
ns.cmeerw.net and slave is ns2.cmeerw.net (and trying to use nsec3).

Requesting the SOA record appears to work fine on both servers:

dig +dnssec -t SOA cmeerw.priv.at @ns.cmeerw.net
dig +dnssec -t SOA cmeerw.priv.at @ns2.cmeerw.net

But if I try to query for NS, I get some RRSIG records in the
additional section, but only from ns.cmeerw.net:

;; ADDITIONAL SECTION:
ns2.cmeerw.net.		28800	IN	A	80.190.133.60
ns2.cmeerw.net.		28800	IN	RRSIG	A 8 3 28800 20110210000000 20110127000000 35080 cmeerw.priv.at. mKFWS0sPy8sFs4kWGgs0dvniiDAGzpgxPw/LgsCZ88r/k9Lc/+6pHK8k nkh9QzshTFkHKfIsM5NBr8ABRMPSligLc+t6Qb2B3P+Sfz3kVoW1baoS VTJAjkbMzTa5uD/HD6C0qX3KdMy4wxOq8YZAHislWkuNydCcM+/vGmBt fvo=
ns.cmeerw.net.		28800	IN	A	84.200.12.152
ns.cmeerw.net.		28800	IN	RRSIG	A 8 3 28800 20110210000000 20110127000000 35080 cmeerw.priv.at. kfoB3v8GYzdKJ6afJR81msJ2AKGNQ/7HIsS50ISphbWqUK5UrLDe5kno s1L8JoshcXxUyxcMl2s4SaJX3h+ImFsact8Xunl8fl+AwSJJrbHd4Dsb M1OhxfpTaEHzvBgX/nR0Xam52xBm5ruqOL26mRZjjhbUqlSI21IbP9O6 UEY=

not from ns2.cmeerw.net:

;; ADDITIONAL SECTION:
ns.cmeerw.net.		28800	IN	A	84.200.12.152
ns2.cmeerw.net.		28800	IN	A	80.190.133.60

Note that both servers are authoritative for cmeerw.net, but the zone
is not signed.


And finally, if I try to query a non-existing record, the response
seems reasonable from ns.cmeerw.net:

;; AUTHORITY SECTION:
cmeerw.priv.at.		28800	IN	SOA	ns.cmeerw.net. domain.cmeerw.net. 2010080601 3600 900 1814400 3600
cmeerw.priv.at.		28800	IN	NSEC3	1 0 1 AB SO====== RRSIG
cmeerw.priv.at.		28800	IN	RRSIG	SOA 8 3 28800 20110210000000 20110127000000 35080 cmeerw.priv.at. NQToBHA8ywWqjAtYM3ApLJw9fIbKe/mdUysBQ010d9FGCS0n8TQ2eEtO RjfAl4ZjNpv7oB+AukM3a2jwCIVQh8Tsb5PNOoNKL3UxaLtB/j/S7Dbg wAW6fAAhcharh665lHw07vECWbDvNDU5t4TmmHPrJ/dlph3xBOCrWw5n bpI=
cmeerw.priv.at.		28800	IN	RRSIG	NSEC3 8 3 28800 20110210000000 20110127000000 35080 cmeerw.priv.at. kKbZ50zzk0drm29L7xbtjOo3hG4Xhj3NbwM290Lzckq2ipmb9/iDFnyO fKxWgJrsHYyigESCRAMUnYAqJvyfWw49Ke1dOu1uVMe6gtS9YDTws12z oIXj2H+Mo5UxvF02WYHwuSQsDeP8So4IctT466Xkv60LhS5G6y8lwvOf FK4=

but very strange from ns2.cmeerw.net:

;; AUTHORITY SECTION:
cmeerw.priv.at.		28800	IN	SOA	ns.cmeerw.net. domain.cmeerw.net. 2010080601 3600 900 1814400 3600
8b40po8goooqdt13tad1l7j5oht0puo3.cmeerw.priv.at. 7200 IN NSEC3 1 0 1 AB RRSIG=== NSEC3
cmeerw.priv.at.		28800	IN	RRSIG	SOA 8 3 28800 20110210000000 20110127000000 35080 cmeerw.priv.at. NQToBHA8ywWqjAtYM3ApLJw9fIbKe/mdUysBQ010d9FGCS0n8TQ2eEtO RjfAl4ZjNpv7oB+AukM3a2jwCIVQh8Tsb5PNOoNKL3UxaLtB/j/S7Dbg wAW6fAAhcharh665lHw07vECWbDvNDU5t4TmmHPrJ/dlph3xBOCrWw5n bpI=
ca95b8nmpkjglrraoo4cu4m9sp7m2ma9.cmeerw.priv.at. 28800 IN NSEC3	1 0 1 AB 8B40PO8GOOOQDT13TAD1L7J5OHT0PUO3 RRSIG NSEC3
8b40po8goooqdt13tad1l7j5oht0puo3.cmeerw.priv.at. 7200 IN RRSIG NSEC3 8 4 7200 20110210000000 20110127000000 35080 cmeerw.priv.at. pFoJS2R2QOKLvCu8Lj3i3RWVSLf86pygLHB8WgsFVCMkcu3IaVbc1ZsL 5+cPm2yYgGAwMUw1ZdNutm8lZwempxhyXn3q4uJ8CBaKx6EYCpCiIuxZ ATIYSYR3apEfLDkNIHLZzlLFSEsHvNsxTOM4ZGgFu2ZLCh0p7HSYNE+n l4Y=
ca95b8nmpkjglrraoo4cu4m9sp7m2ma9.cmeerw.priv.at. 28800 IN RRSIG	NSEC3 8 4 28800 20110210000000 20110127000000 35080 cmeerw.priv.at. H76INArO3yFe9iIKs8NCdVy6+L7pj4vcn+ESjuEAuTH1pShXt7ZxuLQL t/TiF89/NbtbbAG6RB3KARA2c/FtGag5tR6/sxVGpyF4Kx0K25BwCtmO LHErS7g3860YvXBzUwhwCvOeG9oQJ4Fyi5NsrzR5O2Jc68Axqzo9Gfsq /O4=


Any ideas on these observations? (feel free to query these nameservers
yourself)


Christof

-- 

http://cmeerw.org                              sip:cmeerw at cmeerw.org
mailto:cmeerw at cmeerw.org                   xmpp:cmeerw at cmeerw.org
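
Added example, not part of the original message and not PowerDNS code: a Python check of two structural properties RFC 5155 requires of a SHA-1 NSEC3 record (hashed owner label, 32-character base32hex next hashed owner), together with the NSEC3 hash and the covering test a validator applies. Function names are assumptions of this example; the record lines are copied from the responses quoted above with the RRSIGs omitted.

```python
import base64
import hashlib

# Standard base32 alphabet -> base32hex ("extended hex") alphabet, RFC 4648.
_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                             b"0123456789ABCDEFGHIJKLMNOPQRSTUV")
_B32HEX = set("0123456789abcdefghijklmnopqrstuv")

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5 hash (SHA-1) of a domain name, as a base32hex label."""
    labels = name.lower().rstrip(".").split(".")
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):          # 'iterations' counts additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_TO_B32HEX).decode().lower()

def is_hash_label(label):
    """A SHA-1 NSEC3 hash is 20 bytes: exactly 32 base32hex chars, no padding."""
    label = label.lower()
    return len(label) == 32 and set(label) <= _B32HEX

def check_nsec3(line):
    """Return a list of structural problems in one presentation-format NSEC3 RR."""
    f = line.split()                     # owner ttl class type alg flags iter salt next types...
    owner, next_hashed = f[0], f[8]
    problems = []
    if not is_hash_label(owner.split(".")[0]):
        problems.append("owner name is not a hashed label")
    if not is_hash_label(next_hashed):
        problems.append("next hashed owner is not a 32-char base32hex hash")
    return problems

def covers(owner_hash, next_hash, h):
    """True if hash h lies strictly between owner and next on the NSEC3 ring."""
    o, n, h = owner_hash.lower(), next_hash.lower(), h.lower()
    return o < h < n if o < n else (h > o or h < n)   # last record wraps around

# NSEC3 lines as quoted in the message above (RRSIGs omitted).
NS_APEX = "cmeerw.priv.at. 28800 IN NSEC3 1 0 1 AB SO====== RRSIG"
NS2_A = ("8b40po8goooqdt13tad1l7j5oht0puo3.cmeerw.priv.at. 7200 IN NSEC3 "
         "1 0 1 AB RRSIG=== NSEC3")
NS2_B = ("ca95b8nmpkjglrraoo4cu4m9sp7m2ma9.cmeerw.priv.at. 28800 IN NSEC3 "
         "1 0 1 AB 8B40PO8GOOOQDT13TAD1L7J5OHT0PUO3 RRSIG NSEC3")

if __name__ == "__main__":
    for rr in (NS_APEX, NS2_A, NS2_B):
        print(rr.split()[0], check_nsec3(rr) or "ok")
```

Run against those lines, only the ca95... record from ns2.cmeerw.net passes both checks; its owner hash sorts after its next hash, so it is the wrap-around record of the chain.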


