[Pdns-users] PowerDNSSEC Slaves

Craig Whitmore lennon at orcon.net.nz
Wed Jun 8 06:21:14 UTC 2011


Hi there.

I am testing powerdnssec with one of my domains, spam.co.nz.

I have 2 PowerDNSSEC servers set up, one as master and one as slave. I have
used the normal powerdns for a long time with no problems.

Both are set up using gmysql backends (one on each), adding the data into the
master mysql database, and they replicate via zone transfers all ok into the
slave mysql database.

I set up as in the instructions for the domain

spam.co.nz

Master..

pdnssec secure-zone spam.co.nz

And

gmysql-host=127.0.0.1
gmysql-user=root
gmysql-password=
gmysql-dbname=pdns
gmysql-dnssec
master=yes

Slave

pdnssec set-presigned spam.co.nz (set the domain to be presigned as it's
coming from ns1)

gmysql-host=127.0.0.1
gmysql-user=root
gmysql-password=
gmysql-dbname=pdns
gmysql-dnssec
slave=yes




I can update 114.23.33.130 and it updates on 114.23.33.131

Testing..

dig +dnssec -t A spam.co.nz @114.23.33.130 gives

spam.co.nz. 86400 IN A 114.23.33.130
spam.co.nz. 86400 IN RRSIG A 8 3 86400 20110616000000 20110602000000 45201
spam.co.nz. G8dEGkabnpInz47441Q6nUZkil0fBOjzll1jTRC8qGLx17baG7b30stf
aNcRlVvWncvRWvjzMpWocKfUQJuGC5+F7rPLDVK/rRO4L7DATjEZ95eC
tw2YfKEZHivKZbOlAEHKncd6A/VV4IOHRpl1ebx6/yQ8Vr36tojI06RW k9k=

dig +dnssec -t A spam.co.nz @114.23.33.130
spam.co.nz. 86400 IN RRSIG A 8 3 86400 20110616000000 20110602000000 45201
spam.co.nz. G8dEGkabnpInz47441Q6nUZkil0fBOjzll1jTRC8qGLx17baG7b30stf
aNcRlVvWncvRWvjzMpWocKfUQJuGC5+F7rPLDVK/rRO4L7DATjEZ95eC
tw2YfKEZHivKZbOlAEHKncd6A/VV4IOHRpl1ebx6/yQ8Vr36tojI06RW k9k=
spam.co.nz. 86400 IN A 114.23.33.130

So I extract the keys ..

pdnssec export-zone-dnskeys spam.co.nz 1 | grep DNSKEY > trustedkey

And test on 114.23.33.130

dig +dnssec +sigchase +trusted-key=./trustedkey -t A spam.co.nz @114.23.33.130

And..
..
..
;; WE HAVE MATERIAL, WE NOW DO VALIDATION
;; VERIFYING A RRset for spam.co.nz. with DNSKEY:45201: success
;; OK We found DNSKEY (or more) to validate the RRset
;; Ok, find a Trusted Key in the DNSKEY RRset: 22621
;; VERIFYING DNSKEY RRset for spam.co.nz. with DNSKEY:22621: success
;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS

Works..

But

dig +dnssec +sigchase +trusted-key=./trustedkey -t A spam.co.nz @114.23.33.131
...
...
;; WE HAVE MATERIAL, WE NOW DO VALIDATION
;; VERIFYING A RRset for spam.co.nz. with DNSKEY:45201: success
;; OK We found DNSKEY (or more) to validate the RRset
;; Now, we are going to validate this DNSKEY by the DS
;; the DNSKEY isn't trusted-key and there isn't DS to validate the DNSKEY: FAILED



Can someone help why the slave is failing...


I cannot find any documentation on slaves and powerdnssec and how it should
be done properly..

Thanks
Craig