[Pdns-users] No RRSIG records after importing DNSSEC keys

bert hubert bert.hubert at netherlabs.nl
Sun Feb 19 11:26:10 UTC 2012

On Sun, Feb 19, 2012 at 02:54:06AM -0800, Ask Bjørn Hansen wrote:
> Hi,
> I imported DNSSEC keys originally generated with bind into our powerdns
> database so we can use the much nicer operational toggles on that.

Good to hear!

> The zone data is still hosted in bind, but then transferred un-signed into
> powerdns.  The MySQL database is replicated to some DNS servers and a few
> others will fetch the (signed) data with AXFR.

I'm a bit confused by this - so we have:

Bind -> (slave) -> PowerDNS (which has the keys) -> (slave) -> slaves
                                      + PowerDNS (with no keys)

(this will look best in a fixed width font).

> The keys appear (to me) to be imported correctly, but the zone isn't
> getting any RRSIG signatures.

Do you check by looking into the database? You won't find any RRSIGs there
indeed on the PowerDNS with the keys. Or do you check in the AXFR?

> pdnssec show-zone output below.  Not sure if there's anything else I can
> show to help you show me what I did wrong.  I'm using 3.0.1.

Can you let us know your observations when you ask 'the powerdns with the
dnskeys' a question like this 'dig +dnssec -t a ntppool.com @right-ip' ?

If you are in a position to do this, could you try the latest snapshots from
http://www.powerdnssec.org/ to see what they do in your case?

What you appear to be trying to do, be a 'signing proxy', is a
well-supported and oft-used scenario. So it should work!

