[Pdns-users] DNSSEC: Handling DS for same-server subzones

Hauke Lampe lampe at hauke-lampe.de
Mon Sep 5 18:04:41 UTC 2011


I'm just getting to know PowerDNS 3.0 and though I had some difficulties
in getting it to slave a signed zone and it kept throwing segfaults at
me (which I'll dig into later), I think I have found a problem in the
way PowerDNS handles DS records where parent and child zone exist on the
same server.


dig +dnssec +norec openchaos.org SOA @nsig12.openchaos.org
dig +dnssec +norec bl.openchaos.org SOA @nsig12.openchaos.org

return the correct SOA records from each zone.

This query however:

dig +dnssec +norec bl.openchaos.org DS @nsig12.openchaos.org

returns a NODATA answer from the child zone where it should send the
parent zone's DS record:

> chicago pdns[20127]: Lookup for 'DS' of 'bl.openchaos.org'
> chicago pdns[20127]: Found a zone 'bl.openchaos.org' (with id 2) that might contain data

Is this a bug in PowerDNS or is there a configuration option I didn't set?

BIND returns the correct answer:
dig +dnssec +norec bl.openchaos.org ds  @nsig2.openchaos.org

My configuration looks like this:

(pdns-named.conf defines the two slave zones (bl.)openchaos.org)
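
Added example, not part of the original post and not PowerDNS code: a sketch of the zone selection the post expects, where a DS query for a name that is the apex of a hosted child zone is answered from the hosted parent (RFC 4035), while every other type uses the longest-match zone. The function names are hypothetical; the zone names are the ones from the post.

```python
# Zone selection for an authoritative server that hosts both parent and child.
# Hypothetical helper names; this is not how PowerDNS is implemented.

def _labels(name):
    """Split a domain name into lowercase labels, ignoring a trailing dot."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def _in_zone(qname, zone):
    """True if qname is at or below zone, compared on label boundaries."""
    q, z = _labels(qname), _labels(zone)
    return len(q) >= len(z) and q[len(q) - len(z):] == z


def closest_zone(qname, zones, strictly_above=False):
    """Longest-suffix match of qname against the hosted zones.

    With strictly_above=True a zone whose apex equals qname is skipped,
    which yields the closest hosted ancestor zone instead.
    """
    best = None
    for zone in zones:
        if not _in_zone(qname, zone):
            continue
        if strictly_above and _labels(zone) == _labels(qname):
            continue
        if best is None or len(_labels(zone)) > len(_labels(best)):
            best = zone
    return best


def select_zone(qname, qtype, zones):
    """Pick the zone to answer from; DS at a zone apex is parent-side data."""
    zone = closest_zone(qname, zones)
    at_apex = zone is not None and _labels(zone) == _labels(qname)
    if qtype.upper() == "DS" and at_apex:
        parent = closest_zone(qname, zones, strictly_above=True)
        if parent is not None:
            return parent
        # Parent not hosted here: only the child zone is available locally.
    return zone


if __name__ == "__main__":
    hosted = ["openchaos.org", "bl.openchaos.org"]  # zones named in the post
    for qtype in ("SOA", "DS"):
        print("bl.openchaos.org", qtype, "->",
              select_zone("bl.openchaos.org", qtype, hosted))
```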

