[Pdns-users] No RRSIG records after importing DNSSEC keys

Ask Bjørn Hansen ask at develooper.com
Sun Feb 19 10:54:06 UTC 2012


Hi,

I imported DNSSEC keys originally generated with BIND into our PowerDNS database so we can use the much nicer operational toggles on that.

The zone data is still hosted in BIND, but then transferred unsigned into PowerDNS. The MySQL database is replicated to some DNS servers and a few others will fetch the (signed) data with AXFR.

The keys appear (to me) to be imported correctly, but the zone isn't getting any RRSIG signatures.

pdnssec show-zone output below.  Not sure if there's anything else I can show to help you show me what I did wrong.  I'm using 3.0.1.


Ask

$ pdnssec show-zone ntppool.com
Zone has hashed NSEC3 semantics, configuration: 1 1 1 ab
Zone is not presigned
keys: 
ID = 16 (KSK), tag = 25339, algo = 8, bits = 2048	Active: 1
KSK DNSKEY = ntppool.com IN DNSKEY 257 3 8 AwEAAdGJ1ccaHQgK6+hlw0CLZ04NM7dIutpS7NGcf2RfCiY0MPXHjfFRfzYH+tzxGuoP0DL8tydW379lAuZiozgjtop3gd3RMffFRfrMFGnp4Xk4aBJ7HHx597/Z+SFru0bLtZjtLc3w9JmmdiYytZKOduwk/XiHD+aW8c67Jr83xAZJSqOXRCKwIDKVT6fAQ2pgrXtgFOXIyFVBIFjeApXj4TaOasJ6CM05wh4zSIz6kGPto8xgP6+FMasH+OGizu+mUT/l4mzXPZUhSqYsTp3rWQ585G2E67JWkncAKwgXA1NoSjqZcTU1xY+1ltIiUVi7rHK4B6WLSi74B+tYN6fgYsk=
DS = ntppool.com IN DS 25339 8 1 8022ccda660009983b2dec059222458f37ec6d2c
DS = ntppool.com IN DS 25339 8 2 7c518cf2f20e8f3b1497745b76aff3c6be803e15f3d22441f245ed554c7fff05
DS = ntppool.com IN DS 25339 8 3 01d0420b6b8a1b78f5a6883c6347f082160fa093b336c39cce6f7251b113bbe2

ID = 17 (ZSK), tag = 43868, algo = 7, bits = 1024	Active: 0
ID = 18 (ZSK), tag = 55464, algo = 8, bits = 1024	Active: 1
ID = 19 (ZSK), tag = 64518, algo = 8, bits = 1024	Active: 1




