[Pdns-users] Question regarding DNSSEC RRSIG

Nicky Gerritsen nickygerritsen at me.com
Sun Aug 5 11:08:23 UTC 2012


Dear all,

I deployed DNSSEC yesterday for my domains.
First, my situation:
I have a Windows Server 2008 primary name server and a PowerDNS 3.1 slave server. This slave runs on Ubuntu 12.04 and I have compiled it from source myself. I use the gmysql backend btw.

Now there seems to be something strange going on:
I have a domain, tandemse.nl, for which DNSSEC is being used. I have an A-record for *.tandemse.nl.

If I ask the Windows server for an A-record for randomsubdomain.tandemse.nl I get this response (sorry for a lot of copy-paste, I truncated useless stuff):

--------------
$ dig randomsubdomain.tandemse.nl in A @ns1.tandemse.nl +dnssec

[…]
;; ANSWER SECTION:
randomsubdomain.tandemse.nl. 3600 IN	A	80.113.202.87
randomsubdomain.tandemse.nl. 3600 IN	RRSIG	A 5 2 3600 20120904082043 20120805082043 18273 tandemse.nl. BIev96aAl3DfATr+sepXXdf54ohBzV2EBViGl/iwXDY/upPBBsSVgwh5 gOwgRl7U/lyb176N4koav0Ay5JJhhFFllk7kmkfnlLGfQ3g0JwpRXkKG BMaaUZRJdzrQs5TYoLgrLvnJnkGcXnGD926q+jb2pOAKcJMvcaJczUcP BFfhDKhyOrvUar/PARsCBlL4H3nWz3pmdXEW/m49/aJ0TMTq1bxgbSvR sSfpyTyERQI1mYRpiwU7soDsodVGFDMLKcwIqi07fV1I9TwYrYKgKUkp TuHThZd/46HygCwrZIHNyRQRIldn/5gqBKtxlSc6rkUNlVJnNc+qrpFy Otgskg==

;; AUTHORITY SECTION:
rails-server.tandemse.nl. 3600	IN	NSEC	tandemse.nl. A AAAA RRSIG NSEC
rails-server.tandemse.nl. 3600	IN	RRSIG	NSEC 5 3 3600 20120904082043 20120805082043 18273 tandemse.nl. lgKh6d6DEUsuq2IEBSxqwwYRXV3uCkRdnNavCyr2mLkI19skLNEBIkRH n3GGGRjD8jUFF4LT/dKl8deZhMsNoXgC3Xzr5XGumuy9GHn8ZgS/Gx9T a4444GrBtSZJq+RZ2l2AQ4aCd5I0FBHt4i9du50XNRygWOYGsVdIdE+G qSBhltKU2NOm4IfnkGIYSgbMcQJMr2oNZXG/O0wo937D9XEbMoxOMnUj PYdW6/0m/PdbHGPVzg5+GlncDpK+IwGSm39WG4M4ModKJWr0y+3i8cAB CIIzdX7zSsbzZOddySeHMfGH2EKNFrpDURWH/ls1rmjnqhrVa4udFKhh +Bx6CA==
[…]
--------------

However, when I ask my slave PowerDNS server, I get the following response:

--------------
$ dig randomsubdomain.tandemse.nl in A @ns2.tandemse.nl +dnssec
[…]
;; ANSWER SECTION:
randomsubdomain.tandemse.nl. 3600 IN	A	80.113.202.87

;; AUTHORITY SECTION:
rails-server.tandemse.nl. 3600	IN	NSEC	_autodiscover._tcp.tandemse.nl. A AAAA RRSIG NSEC
rails-server.tandemse.nl. 3600	IN	RRSIG	NSEC 5 3 3600 20120904082043 20120805082043 18273 tandemse.nl. lgKh6d6DEUsuq2IEBSxqwwYRXV3uCkRdnNavCyr2mLkI19skLNEBIkRH n3GGGRjD8jUFF4LT/dKl8deZhMsNoXgC3Xzr5XGumuy9GHn8ZgS/Gx9T a4444GrBtSZJq+RZ2l2AQ4aCd5I0FBHt4i9du50XNRygWOYGsVdIdE+G qSBhltKU2NOm4IfnkGIYSgbMcQJMr2oNZXG/O0wo937D9XEbMoxOMnUj PYdW6/0m/PdbHGPVzg5+GlncDpK+IwGSm39WG4M4ModKJWr0y+3i8cAB CIIzdX7zSsbzZOddySeHMfGH2EKNFrpDURWH/ls1rmjnqhrVa4udFKhh +Bx6CA==
[…]
--------------

As can be seen, the RRSIG for the A-record is missing (and the NSEC is different, which should also not be the case, right?).
Now my question is: is the Windows Server doing this wrong or is it the PowerDNS slave? Because the A-record is for "*" and not for "randomsubdomain".

Regards,

Nicky Gerritsen

P.S. Yes, I know I had better use NSEC3; however, apparently Windows Server does not support this :(
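
The two checks a validating resolver makes on a wildcard-expanded answer like the ones above (RFC 4034 sections 3.1.3 and 6.1, RFC 4035 section 5.3), written out as an added example that is not part of the original post. The function names are hypothetical; the inputs are the RRSIG Labels field and the NSEC owner/next names copied from the two dig outputs.

```python
# Added example; field values below are copied from the dig output in the post.
def labels(name):
    """Lowercase labels of an absolute name, root label excluded."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def canonical_key(name):
    """RFC 4034 section 6.1: order names by labels, right to left, as bytes."""
    return [l.encode("ascii") for l in reversed(labels(name))]

def wildcard_source(owner, rrsig_labels):
    """Wildcard the RRset was expanded from, or None if signed as-is.
    The RRSIG Labels field does not count a leading '*' or the root."""
    own = labels(owner)
    if rrsig_labels > len(own):
        raise ValueError("Labels field exceeds owner label count")
    if rrsig_labels == len(own):
        return None
    return ".".join(["*"] + own[len(own) - rrsig_labels:]) + "."

def nsec_covers(owner, next_name, qname):
    """True if qname sorts strictly between the NSEC owner and its next name.
    The last NSEC of a zone wraps around, so its next name sorts first."""
    o, n, q = (canonical_key(x) for x in (owner, next_name, qname))
    return o < q < n if o < n else (q > o or q < n)

def check_wildcard_answer(qname, qtype, answer_rrsigs, nsecs):
    """answer_rrsigs: [(type_covered, labels)]; nsecs: [(owner, next_name)]."""
    findings = []
    sigs = [lab for covered, lab in answer_rrsigs if covered == qtype]
    if not sigs:
        findings.append("answer RRset has no covering RRSIG")
    for lab in sigs:
        src = wildcard_source(qname, lab)
        if src:
            findings.append("expanded from " + src)
    if not any(nsec_covers(o, n, qname) for o, n in nsecs):
        findings.append("no NSEC covers " + qname)
    return findings

QNAME = "randomsubdomain.tandemse.nl."
NS1 = {"rrsigs": [("A", 2)],   # RRSIG A 5 2 ... from ns1
       "nsecs": [("rails-server.tandemse.nl.", "tandemse.nl.")]}
NS2 = {"rrsigs": [],           # no RRSIG in the ANSWER section from ns2
       "nsecs": [("rails-server.tandemse.nl.", "_autodiscover._tcp.tandemse.nl.")]}

if __name__ == "__main__":
    for label, resp in (("ns1", NS1), ("ns2", NS2)):
        print(label, check_wildcard_answer(QNAME, "A", resp["rrsigs"], resp["nsecs"]))
```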