[Pdns-users] Potentially Silly Question! - auth server, dns-(non) sec + sec.
Stefan Schmidt
zaphodb at zaphods.net
Thu Jul 21 19:27:28 UTC 2011
Hi Chris,
On Thu, Jul 21, 2011 at 8:57 PM, Chris Russell
<Chris.Russell at knowledgeit.co.uk> wrote:
> I think I've confused the issue with the two backends, I actually set this up as a test as running with one wasn't working.
>
> To go back to the original issue, I have PDNSsec + DNS-SEC + ipv6 working flawlessly, without issues. However, for other reasons I need to serve zones where I don't wish to have any signing information in the database for this zone. This means I don't want to run secure-zone or rectify-zone, and instead keep that zone DNS-SEC free.
>
> Essentially configuring DNS-SEC on a zone by zone basis.
That is the default and, AFAIK, the only way PowerDNS works.
> The problem is, I can push records into the DB as per a standard unsigned zone, but pdnssec will not serve these records, only the SOA. So can pdnssec serve unsigned zones where no DNS-SEC related records exist when the g-mysql backend is set to gmysql-dnssec?
Alright, so I think we're getting closer to the culprit. You will need
to have the auth field set to '1', i.e. True, for most if not all
records.
Documentation [1] says:
"The 'auth' field should be set to '1' for data for which it is itself
authoritative, which includes the SOA record and its own NS records."
"The 'auth' field should be 0 however for NS records which are used
for delegation, and also for any glue (A, AAAA) records present for
this purpose. Do note that the DS record for a secure delegation
should be authoritative!"
And that works for me.
Even if you are not serving DNSSEC-signed zone data, I think that when
setting dnssec to on for a backend, PowerDNS will just assume that if
the auth field is there and is '0' or False, it does not need to
serve this as authoritative data.
> Or am I stuck with PDNS serving DNS-SEC enabled zones, OR non-DNS-SEC enabled zones, but not both :-/
Nope, definitely not. This usually just works.
dig a foo.zaphods.org @mandelbrot.zaphods.net +norec +dnssec
; <<>> DiG 9.7.3 <<>> a foo.zaphods.org @mandelbrot.zaphods.net +norec +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7345
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 2800
;; QUESTION SECTION:
;foo.zaphods.org. IN A
;; ANSWER SECTION:
foo.zaphods.org. 3600 IN A 127.0.0.1
;; Query time: 54 msec
;; SERVER: 217.197.86.168#53(217.197.86.168)
;; WHEN: Thu Jul 21 21:12:26 2011
;; MSG SIZE rcvd: 60
mysql> select * from dns_record where domain_id=778;
+---------+-----------+-----------------+------+---------------------------------------------------------------------------------------------+------+------+-------------+---------+-----------+------+
| id      | domain_id | name            | type | content                                                                                     | ttl  | prio | description | dynamic | ordername | auth |
+---------+-----------+-----------------+------+---------------------------------------------------------------------------------------------+------+------+-------------+---------+-----------+------+
| 7448641 | 778       | zaphods.org     | NS   | chiyoda.zaphods.net                                                                         | 3600 | 0    | NULL        | 0       |           | 1    |
| 7448642 | 778       | zaphods.org     | NS   | mandelbrot.zaphods.net                                                                      | 3600 | 0    | NULL        | 0       |           | 1    |
| 7448643 | 778       | zaphods.org     | NS   | shinagawa.zaphods.net                                                                       | 3600 | 0    | NULL        | 0       |           | 1    |
| 7448644 | 778       | zaphods.org     | NS   | taito.zaphods.net                                                                           | 3600 | 0    | NULL        | 0       |           | 1    |
| 7448645 | 778       | zaphods.org     | SOA  | mandelbrot.zaphods.net hostmaster at zaphods.net 2011072101 28800 14400 3600000 86400 86400 | 3600 | 0    | NULL        | 0       |           | 1    |
| 7448646 | 778       | foo.zaphods.org | A    | 127.0.0.1                                                                                   | 3600 | 0    |             | 0       |           | 1    |
+---------+-----------+-----------------+------+---------------------------------------------------------------------------------------------+------+------+-------------+---------+-----------+------+
6 rows in set (0.00 sec)
(Note that I have renamed my queries to use 'dns_record' as the table
name for the 'records' table, as Python Django kind of insisted on that
naming scheme - no biggie ;-)
versus
dig a foo.zaphods.net @mandelbrot.zaphods.net +norec +dnssec
; <<>> DiG 9.7.3 <<>> a foo.zaphods.net @mandelbrot.zaphods.net +norec +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 55871
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 0
;; QUESTION SECTION:
;foo.zaphods.net. IN A
;; AUTHORITY SECTION:
zaphods.net. 86400 IN SOA mandelbrot.zaphods.net. zaphodb.zaphods.net. 2011071307 28800 3600 3600000 86400
zaphods.net. 86400 IN RRSIG SOA 8 2 86400 20110804000000 20110721000000 52750 zaphods.net.
cRUfLkD/w+YxWz05u7xQP83OJD5XbXFXk+2Q005UzYTixaw/6RN2EJJ4
e+GipLJJR7Se0Jp3yCfJswJoxysjPpK5EPrNLA2fn/hYRgsvfh9CLcla
0a0LiItyq5Z4tuagbYHwJg+2kJMSHUsrymBKa3lFOnRGs0Fk/5fU3IvK BJM=
zaphods.net. 86400 IN RRSIG SOA 8 2 86400 20110804000000 20110721000000 62385 zaphods.net.
ucekgdpo0a5ck5qtjn7grbjdsi1r6jm5.zaphods.net. 3600 IN NSEC3 1 0 1 AB UCEKGDPO0A5CK5QTJN7GRBJDSI1R6JM6 A NS SOA MX TXT AAAA RRSIG DNSKEY NSEC3PARAM SPF
ucekgdpo0a5ck5qtjn7grbjdsi1r6jm5.zaphods.net. 3600 IN RRSIG NSEC3 8 3 3600 20110804000000 20110721000000 52750 zaphods.net.
hhJEHgGSrIjKc0drIXIzOgITEdGVYB0K1lT9Qq5mNSRuWqOeCfnhjLyn
WafV+N5AGBkHgT7nucoyRqkhZAV29mMnILpisnP9d2jX8jZ7g83nlO34
/SBviLMP9WM4QUA6B4I4jsTjnQpFccQyLKfM4DywTLMU4fxyK0s+fjHj d6Q=
ucekgdpo0a5ck5qtjn7grbjdsi1r6jm5.zaphods.net. 3600 IN RRSIG NSEC3 8 3 3600 20110804000000 20110721000000 62385 zaphods.net.
;; Query time: 519 msec
;; SERVER: 217.197.86.168#53(217.197.86.168)
;; WHEN: Thu Jul 21 21:24:50 2011
;; MSG SIZE rcvd: 1627
Stefan
[1] http://doc.powerdns.com/dnssec-modes.html
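The 'auth' rules quoted from the documentation above can be turned into a quick audit of a gmysql records table, which catches exactly the rows that a dnssec-enabled backend would stop serving as authoritative. This Python is an added example, not code from the thread or from PowerDNS; the rows are constructed (column names follow the dns_record table shown), and it assumes every A/AAAA record at or below a delegated name is glue.

```python
"""Audit the 'auth' column of PowerDNS gmysql rows against the documented rules.

Added example, not from the thread or PowerDNS. Assumption: any A/AAAA at or
below a delegated name is treated as glue for that delegation.
"""
from collections import namedtuple

Record = namedtuple("Record", "name type content auth")

def _at_or_below(name, parent):
    """True when name equals parent or is a subdomain of it (no trailing dots)."""
    return name == parent or name.endswith("." + parent)

def delegation_points(zone, records):
    """Names delegated away from this zone: NS sets that are not at the apex."""
    return {r.name for r in records if r.type == "NS" and r.name != zone}

def expected_auth(zone, rec, delegated):
    """Docs rule: delegation NS and its glue get 0; SOA, apex NS, DS and data get 1."""
    if rec.type == "NS" and rec.name != zone:
        return 0                       # NS records used for delegation
    if rec.type in ("A", "AAAA") and any(_at_or_below(rec.name, d) for d in delegated):
        return 0                       # glue present for that delegation
    return 1                           # SOA, apex NS, DS of a secure delegation, in-zone data

def audit_zone(zone, records):
    """Return [(record, expected_auth)] for every row whose auth column is wrong."""
    delegated = delegation_points(zone, records)
    return [(r, expected_auth(zone, r, delegated))
            for r in records if r.auth != expected_auth(zone, r, delegated)]

# Constructed sample rows: two of them carry the wrong auth value on purpose.
ZONE = "zaphods.org"
SAMPLE = [
    Record("zaphods.org", "SOA", "mandelbrot.zaphods.net hostmaster.zaphods.net 2011072101 28800 14400 3600000 86400", 1),
    Record("zaphods.org", "NS", "mandelbrot.zaphods.net", 1),
    Record("foo.zaphods.org", "A", "127.0.0.1", 0),             # wrong: in-zone data needs auth=1
    Record("sub.zaphods.org", "NS", "ns1.sub.zaphods.org", 0),   # delegation NS, correctly 0
    Record("ns1.sub.zaphods.org", "A", "192.0.2.1", 1),          # wrong: glue needs auth=0
    Record("sub.zaphods.org", "DS", "PLACEHOLDER-DS-RDATA", 1),  # secure delegation: DS stays authoritative
]

if __name__ == "__main__":
    for rec, want in audit_zone(ZONE, SAMPLE):
        print(f"{rec.name} {rec.type}: auth={rec.auth}, expected {want}")
```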