[Pdns-users] New PowerDNS Authoritative Server snapshot with DNSSEC + Release Notes

Christof Meerwald cmeerw at cmeerw.org
Sat Jan 29 14:42:56 UTC 2011


On Sat, 29 Jan 2011 13:23:53 +0100, bert hubert wrote:
> On Sat, Jan 29, 2011 at 10:30:47AM +0100, Christof Meerwald wrote:
>> On Sat, 29 Jan 2011 00:38:12 +0100, Christof Meerwald wrote:
>> > That's really excellent news - I have just migrated my 2 nameservers
>> > to SVN revision 1928 and signed one of the zones (btw, the setup is:
>> > master using bind backend for the zone data and gsqlite3 for the key
>> > data - slave is using gsqlite3 and AXFR from master). Let's see what
>> > happens...
>> 
>> Hmm, I still don't understand DNSSEC well enough to really make some
>> sense of it all, but there are certainly some strange things here:
>
> Indeed.
>
>> The zone I am testing with is cmeerw.priv.at, master dns is
>> ns.cmeerw.net and slave is ns2.cmeerw.net (and trying to use nsec3).
>
> Ok, so the setup is that both ns and ns2 have all the keying materials, and
> ns serves a pre-signed zone over AXFR. 

I'll just concentrate on the setup for now, as it might be the cause
of the subsequent issues.

There is no keying material on ns2 - the zone is set up as SLAVE and I
have also done a "pdnssec set-presigned" and "pdnssec set-nsec3" on
ns2. So db just contains (in addition to records received via AXFR):

sqlite> select * from domains;
3|cmeerw.net|84.200.12.152|1296307777|SLAVE||
4|cmeerw.priv.at|84.200.12.152|1296307417|SLAVE||
sqlite> select * from domainmetadata;
1|4|PRESIGNED|1
2|4|NSEC3PARAM|1 0 1 ab
sqlite> select * from cryptokeys;
sqlite>

ns.cmeerw.net reads the zone data for cmeerw.priv.at from the bind
backend and has the keying information in the db:

sqlite> select * from domains;
9|cmeerw.priv.at|||NATIVE||
sqlite> select * from records where domain_id=9;
sqlite> select * from domainmetadata;
1|9|NSEC3PARAM|1 0 1 ab

pdnssec show-zone cmeerw.priv.at shows:
Zone has hashed NSEC3 semantics, configuration: 1 0 1 ab
Zone is not presigned
keys:
ID = 1 (KSK), tag = 43519, algo = 8, bits = 2048        Active: 1
KSK DNSKEY = cmeerw.priv.at IN DNSKEY 257 3 8 AwEAAait7iglyLwXL1SzhoKZOXgVLsseaq2jFyW/vnda80UWMeZm60QDguYb39Yp5vFD1zI+Fc7Zg+NikFPsYudbW750LOHFtuShO8s3/6p7uyO6OpXsmG4bQSOOFoNuYr1b8rSYnEMFVZF/iKH/CSk7AazA7P9VBAgSmXcVQ/3rO4teelfiZYERf9NqUFadn5eGgEmpZFovBNtO2DzuiDBb3GCDp7XDzam6LUeVHQgus0JRN7sKnFK0wuAFhZ5rvd/CuJkVOY/3ev5v+gOtTGelkypum88MzMhLaDPREZqLghzObAv0cAzG57dZDsHnn5BhkPHNIzdJMGMMNqhyDGn0nq8=
DS = cmeerw.priv.at IN DS 43519 8 1 bb4eea726314bd78fe5f82dc93acba51bb4a26ca
DS = cmeerw.priv.at IN DS 43519 8 2 89757ce2660f081ade93a220efa3228d0ad3fa55a3ad10cd3eb307954df700bf
Error: Request to create key object for unknown algorithm number 12


Christof

-- 

http://cmeerw.org                              sip:cmeerw at cmeerw.org
mailto:cmeerw at cmeerw.org                   xmpp:cmeerw at cmeerw.org
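
Added example, not part of the message above and not PowerDNS code: a Python check over the gsqlite3 tables shown in the post, confirming the arrangement it describes (the master holds an active key, the slave has PRESIGNED and the same NSEC3PARAM but no keys). The function names, the placeholder key row for the master, and the rule that both NSEC3PARAM values should match are assumptions made for illustration.

```python
import sqlite3

# gsqlite3 tables, with the column counts seen in the post's sqlite output.
SCHEMA = """
CREATE TABLE domains (id, name, master, last_check, type, notified_serial, account);
CREATE TABLE domainmetadata (id, domain_id, kind, content);
CREATE TABLE cryptokeys (id, domain_id, flags, active, content);
"""

def make_db(domains, metadata, keys):
    """Build an in-memory stand-in for one server's backend database."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO domains VALUES (?,?,?,?,?,?,?)", domains)
    db.executemany("INSERT INTO domainmetadata VALUES (?,?,?,?)", metadata)
    db.executemany("INSERT INTO cryptokeys VALUES (?,?,?,?,?)", keys)
    return db

def zone_state(db, zone):
    """Return (type, {kind: content}, active key count, total key count)."""
    row = db.execute("SELECT id, type FROM domains WHERE name = ?", (zone,)).fetchone()
    if row is None:
        raise LookupError(f"{zone} is not in the domains table")
    meta = dict(db.execute("SELECT kind, content FROM domainmetadata WHERE domain_id = ?", (row[0],)))
    active, total = db.execute(
        "SELECT COALESCE(SUM(active = 1), 0), COUNT(*) FROM cryptokeys "
        "WHERE domain_id = ?", (row[0],)).fetchone()
    return row[1], meta, active, total

def audit_pair(master_db, slave_db, zone):
    """List deviations from 'master signs live, slave serves presigned AXFR data'."""
    _, m_meta, m_active, _ = zone_state(master_db, zone)
    s_type, s_meta, _, s_total = zone_state(slave_db, zone)
    checks = [
        (m_meta.get("PRESIGNED") == "1", "master is marked PRESIGNED"),
        (m_active == 0, "master has no active key"),
        (s_type != "SLAVE", f"slave zone type is {s_type}"),
        (s_meta.get("PRESIGNED") != "1", "slave lacks PRESIGNED=1"),
        (s_total > 0, f"slave stores {s_total} key(s) it does not need"),
        (m_meta.get("NSEC3PARAM") != s_meta.get("NSEC3PARAM"), "NSEC3PARAM differs"),
    ]
    return [msg for failed, msg in checks if failed]

ZONE = "cmeerw.priv.at"
# Rows for the zone copied from the post. The master's cryptokeys row is constructed:
# the post shows only that key ID 1 is an active KSK, so its content is a placeholder.
NS2 = make_db([(4, ZONE, "84.200.12.152", 1296307417, "SLAVE", None, None)],
              [(1, 4, "PRESIGNED", "1"), (2, 4, "NSEC3PARAM", "1 0 1 ab")], [])
NS = make_db([(9, ZONE, None, None, "NATIVE", None, None)],
             [(1, 9, "NSEC3PARAM", "1 0 1 ab")], [(1, 9, 257, 1, "PLACEHOLDER")])
```

`audit_pair(NS, NS2, ZONE)` returns an empty list for the rows in the post; on real servers, pass `sqlite3.connect()` handles to each backend file instead.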


