[Pdns-users] DNSSEC slave: TSIG/RRSIG interaction?

Christof Meerwald cmeerw at cmeerw.org
Thu Jun 9 20:37:22 UTC 2011


On Wed, 8 Jun 2011 23:28:11 +0200, Christof Meerwald wrote:
> It looks like when using TSIG PowerDNS doesn't return any RRSIG
> records for a SOA request. This then results in the RRSIG mismatch
> message.

Ok, I have done some debugging now and this is why:

PowerDNS expects the OPT RR to be the last record in the additional
section, but when using TSIG, the TSIG RR is the last record (as this
is required by the TSIG spec). This means that PowerDNS doesn't see
the DNSSEC bit in the request and therefore doesn't return an RRSIG
record in the response.

(I am assuming PowerDNS generates the SOA request correctly - I have
only confirmed this behaviour using dig).


Christof

-- 

http://cmeerw.org                              sip:cmeerw at cmeerw.org
mailto:cmeerw at cmeerw.org                   xmpp:cmeerw at cmeerw.org
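
The ordering problem described in this message, as an added example (not PowerDNS code and not part of the original post): a constructed SOA query carries an OPT RR with the DO bit set, followed by a TSIG RR, and a check of only the last additional record is compared with a scan of the whole additional section. The key name `transfer-key`, the empty MAC and all function names are assumptions made for the illustration.

```python
import struct

OPT, TSIG, DO_BIT = 41, 250, 0x8000  # RR types; DO flag in the low 16 bits of the OPT TTL

def name(s):
    """Encode a domain name in uncompressed wire format ("" is the root)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in s.strip(".").split(".") if l) + b"\x00"

def rr(owner, rtype, rclass, ttl, rdata=b""):
    return name(owner) + struct.pack(">HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def build_query(with_tsig):
    """Constructed SOA query for example.com with EDNS0 DO set; the TSIG MAC is empty."""
    opt = rr("", OPT, 4096, DO_BIT)  # OPT: class = UDP payload size, TTL = rcode/version/flags
    # TSIG rdata: algorithm, 48-bit time, fudge, MAC size (0), original ID, error, other len
    tsig_rdata = name("hmac-sha256") + bytes(6) + struct.pack(">HHHHH", 300, 0, 0x1234, 0, 0)
    extra = [opt] + ([rr("transfer-key", TSIG, 255, 0, tsig_rdata)] if with_tsig else [])
    header = struct.pack(">HHHHHH", 0x1234, 0x0000, 1, 0, 0, len(extra))
    return header + name("example.com") + struct.pack(">HH", 6, 1) + b"".join(extra)

def skip_name(msg, off):
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)  # compression pointer is 2 bytes, root label is 1

def additional_records(msg):
    """Return [(type, ttl)] for each RR in the additional section, in wire order."""
    _, _, qd, an, ns, ar = struct.unpack_from(">HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    records = []
    for i in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack_from(">HHIH", msg, off)
        off += 10 + rdlen
        if i >= an + ns:
            records.append((rtype, ttl))
    return records

def do_bit_last_only(msg):
    """Behaviour described in the post: only the final additional RR is considered as OPT."""
    recs = additional_records(msg)
    return bool(recs) and recs[-1][0] == OPT and bool(recs[-1][1] & DO_BIT)

def do_bit_scan_all(msg):
    """Look for OPT anywhere in the additional section, so a trailing TSIG RR cannot hide it."""
    return any(t == OPT and ttl & DO_BIT for t, ttl in additional_records(msg))
```

With the TSIG RR appended, `do_bit_last_only` reports no DO bit while `do_bit_scan_all` still finds it, which matches the missing RRSIG in the response.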