[Pdns-users] DNSSEC: Handling DS for same-server subzones
Hauke Lampe
lampe at hauke-lampe.de
Mon Sep 5 18:04:41 UTC 2011
Hi.
I'm just getting to know PowerDNS 3.0 and though I had some difficulties
in getting it to slave a signed zone and it kept throwing segfaults at
me (which I'll dig into later), I think I have found a problem in the
way PowerDNS handles DS records where parent and child zone exist on the
same server.
E.g.:
dig +dnssec +norec openchaos.org SOA @nsig12.openchaos.org
dig +dnssec +norec bl.openchaos.org SOA @nsig12.openchaos.org
return the correct SOA records from each zone.
This query however:
dig +dnssec +norec bl.openchaos.org DS @nsig12.openchaos.org
returns a NODATA answer from the child zone where it should send the
parent zone's DS record:
> chicago pdns[20127]: Lookup for 'DS' of 'bl.openchaos.org'
> chicago pdns[20127]: Found a zone 'bl.openchaos.org' (with id 2) that might contain data
Is this a bug in PowerDNS or is there a configuration option I didn't set?
BIND returns the correct answer:
dig +dnssec +norec bl.openchaos.org ds @nsig2.openchaos.org
My configuration looks like this:
|slave=yes
|launch=bind,gsqlite3
|gsqlite3-database=/etc/powerdns/powerdns.sqlite3
|gsqlite3-dnssec
|bind-config=/etc/powerdns/pdns-named.conf
(pdns-named.conf defines the two slave zones (bl.)openchaos.org)
Hauke.
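The zone-selection logic behind the behaviour described above, as an added illustration that is neither PowerDNS code nor part of the original post: plain longest-suffix matching picks the child zone for every query, but a DS query at a child apex must be answered from the parent zone, since that is where the DS RRset lives. Zone names are taken from the post; the function names are assumptions for this example.

```python
from typing import List, Optional

# Added example, not PowerDNS code: which hosted zone should answer a query?


def _labels(name: str) -> List[str]:
    """Split a DNS name into labels, ignoring case and a trailing dot."""
    return [l for l in name.rstrip(".").lower().split(".") if l]


def _parent(name: str) -> str:
    """One label up: 'bl.openchaos.org' -> 'openchaos.org'; '' at the root."""
    return ".".join(_labels(name)[1:])


def best_zone(zones: List[str], qname: str) -> Optional[str]:
    """Longest-suffix match: the most specific hosted zone containing qname."""
    labels = _labels(qname)
    hosted = {".".join(_labels(z)) for z in zones}
    for i in range(len(labels) + 1):
        candidate = ".".join(labels[i:])
        if candidate in hosted:
            return candidate
    return None


def zone_for_query(zones: List[str], qname: str, qtype: str) -> Optional[str]:
    """Pick the zone an authoritative server should answer from.

    Longest match is right for every type except DS: the DS RRset of a
    delegation belongs to the parent, so a DS query whose name is the apex of
    a hosted child zone is served from the parent zone when that is hosted
    too. Answering from the child produces the NODATA seen in the post.
    Returns None when no hosted zone is authoritative for the answer.
    """
    zone = best_zone(zones, qname)
    if zone is None:
        return None
    at_apex = ".".join(_labels(qname)) == zone
    if qtype.upper() == "DS" and at_apex:
        parent_name = _parent(qname)
        # Parent may be more than one label up if intermediate zones are not hosted.
        return best_zone(zones, parent_name) if parent_name else None
    return zone


if __name__ == "__main__":
    hosted = ["openchaos.org", "bl.openchaos.org"]  # the two slave zones from the post
    print(zone_for_query(hosted, "bl.openchaos.org", "SOA"))  # bl.openchaos.org
    print(zone_for_query(hosted, "bl.openchaos.org", "DS"))   # openchaos.org
```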