[Pdns-users] DNSSEC slave: TSIG/RRSIG interaction?
bert hubert
bert.hubert at netherlabs.nl
Thu Jun 9 21:27:02 UTC 2011
On Thu, Jun 09, 2011 at 10:37:22PM +0200, Christof Meerwald wrote:
> Ok, I have done some debugging now and this is why:
>
> PowerDNS expects the OPT RR to be the last record in the additional
> section, but when using TSIG, the TSIG RR is the last record (as this
> is required by the TSIG spec). This means that PowerDNS doesn't see
> the DNSSEC bit in the request and therefore doesn't return a RRSIG
> record in the response.
Absolutely correct. The fix is in r2214, which has also been uploaded to
powerdnssec.org/downloads.
As usual, your debugging is excellent & most appreciated!
Bert
More information about the Pdns-users
mailing list