[Pdns-users] No RRSIG records after importing DNSSEC keys

Ask Bjørn Hansen ask at develooper.com
Sun Feb 19 18:51:31 UTC 2012

On Feb 19, 2012, at 3:26, bert hubert wrote:

>> I imported DNSSEC keys originally generated with bind into our powerdns
>> database so we can use the much nicer operational toggles on that.
> Good to hear!

It's really nice how much effort you've put into making powerdns not just "correct" but also practical!

>> The zone data is still hosted in bind, but then transferred un-signed into
>> powerdns.  The MySQL database is replicated to some DNS servers and a few
>> others will fetch the (signed) data with AXFR.
> I'm a bit confused by this - so we have:

Sorry I wasn't more clear!

> Bind -> (slave) -> PowerDNS (which has the keys) -> (slave) -> slaves
>                                      |
>                                    MySQL
>                                      |
>                                      + PowerDNS (with no keys)
> (this will look best in a fixed width font).

Yes, except the MySQL "slaves" have the keys too; the whole database is replicated.

>> The keys appear (to me) to be imported correctly, but the zone isn't
>> getting any RRSIG signatures.
> Do you check by looking into the database? You won't find any RRSIGs there
> indeed on the PowerDNS with the keys. Or do you check in the AXFR?

Ah, good tip checking the AXFR!

I confused myself by not using +dnssec when checking with dig and then by one of the (non-MySQL, non-PowerDNS) slaves not getting NOTIFY messages; I'll send another mail about that.

>> pdnssec show-zone output below.  Not sure if there's anything else I can
>> show to help you show me what I did wrong.  I'm using 3.0.1.
> Can you let us know your observations when you ask 'the powerdns with the
> dnskeys' a question like this 'dig +dnssec -t a ntppool.com @right-ip' ?

Yes, that looks better -- except http://dnssec-debugger.verisignlabs.com/ntppool.com says some of the keys/algorithms don't match.

It's complaining about a spurious algorithm 7 DNSKEY that's not included in the RRSIG.

You should be able to see it with:

$ dig +short +dnssec -t dnskey ntppool.com
(DNSKEY with algorithm 7 included)


$ dig  +dnssec -t soa ntppool.com

(no RRSIG for algo 7).

pdnssec shows the algo=7 key as active=0; should I just delete that one with remove-zone-key?

$ pdnssec  show-zone 
Syntax: pdnssec show-zone ZONE
[root at dns1.la ~]# pdnssec  show-zone  ntppool.com 
Zone has hashed NSEC3 semantics, configuration: 1 1 1 ab
Zone is not presigned
ID = 16 (KSK), tag = 25339, algo = 8, bits = 2048	Active: 1
KSK DNSKEY = ntppool.com IN DNSKEY 257 3 8 AwEAAdGJ1ccaHQgK6+hlw0CLZ04NM7dIutpS7NGcf2RfCiY0MPXHjfFRfzYH+tzxGuoP0DL8tydW379lAuZiozgjtop3gd3RMffFRfrMFGnp4Xk4aBJ7HHx597/Z+SFru0bLtZjtLc3w9JmmdiYytZKOduwk/XiHD+aW8c67Jr83xAZJSqOXRCKwIDKVT6fAQ2pgrXtgFOXIyFVBIFjeApXj4TaOasJ6CM05wh4zSIz6kGPto8xgP6+FMasH+OGizu+mUT/l4mzXPZUhSqYsTp3rWQ585G2E67JWkncAKwgXA1NoSjqZcTU1xY+1ltIiUVi7rHK4B6WLSi74B+tYN6fgYsk=
DS = ntppool.com IN DS 25339 8 1 8022ccda660009983b2dec059222458f37ec6d2c
DS = ntppool.com IN DS 25339 8 2 7c518cf2f20e8f3b1497745b76aff3c6be803e15f3d22441f245ed554c7fff05
DS = ntppool.com IN DS 25339 8 3 01d0420b6b8a1b78f5a6883c6347f082160fa093b336c39cce6f7251b113bbe2

ID = 17 (ZSK), tag = 43868, algo = 7, bits = 1024	Active: 0
ID = 18 (ZSK), tag = 55464, algo = 8, bits = 1024	Active: 1
ID = 19 (ZSK), tag = 64518, algo = 8, bits = 1024	Active: 1

> If you are in a position to do this, could you try the latest snapshots from
> http://www.powerdnssec.org/ to see what they do in your case?

I might try that on a test server and if it works ok in production for my NOTIFY problem and just to help testing the new version -- I really appreciate how helpful you and the rest of the community are.


> What you appear to be trying to do, be a 'signing proxy', is a well
> supported and oft-used scenario. So it should work!


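An added check, not code from the thread or from PowerDNS, that reproduces what the Verisign debugger is complaining about: it parses dig-style DNSKEY and RRSIG lines, computes each key's tag (RFC 4034 Appendix B) and SHA-256 DS digest, and lists the algorithms present in the DNSKEY RRset that signed nothing, which RFC 4035 section 2.2 forbids. The KSK is the real key from the show-zone output above, so its tag and DS can be compared with pdnssec's; the ZSK key bytes, signatures and dates are constructed placeholders.

```python
import base64
import hashlib
from collections import defaultdict

# Constructed sample in dig's presentation format. The KSK is the real ntppool.com key
# quoted in this thread; the ZSK lines and RRSIGs are dummies (fake key bytes, signatures
# and dates) that reproduce the problem: an algorithm 7 DNSKEY with no algorithm 7 RRSIG.
KSK_B64 = "AwEAAdGJ1ccaHQgK6+hlw0CLZ04NM7dIutpS7NGcf2RfCiY0MPXHjfFRfzYH+tzxGuoP0DL8tydW379lAuZiozgjtop3gd3RMffFRfrMFGnp4Xk4aBJ7HHx597/Z+SFru0bLtZjtLc3w9JmmdiYytZKOduwk/XiHD+aW8c67Jr83xAZJSqOXRCKwIDKVT6fAQ2pgrXtgFOXIyFVBIFjeApXj4TaOasJ6CM05wh4zSIz6kGPto8xgP6+FMasH+OGizu+mUT/l4mzXPZUhSqYsTp3rWQ585G2E67JWkncAKwgXA1NoSjqZcTU1xY+1ltIiUVi7rHK4B6WLSi74B+tYN6fgYsk="
SAMPLE = f"""
ntppool.com. 3600 IN DNSKEY 257 3 8 {KSK_B64}
ntppool.com. 3600 IN DNSKEY 256 3 7 AwEAAQ==
ntppool.com. 3600 IN DNSKEY 256 3 8 AwEAAQ==
ntppool.com. 3600 IN RRSIG SOA 8 2 3600 20120301000000 20120215000000 55464 ntppool.com. ZmFrZQ==
ntppool.com. 3600 IN RRSIG DNSKEY 8 2 3600 20120301000000 20120215000000 25339 ntppool.com. ZmFrZQ==
"""

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_sha256(owner, rdata):
    """Digest of a digest-type 2 DS record: SHA-256(owner name in canonical wire form | DNSKEY RDATA)."""
    wire = b"".join(bytes([len(l)]) + l.encode() for l in owner.rstrip(".").lower().split(".")) + b"\x00"
    return hashlib.sha256(wire + rdata).hexdigest()

def parse(text):
    """Return ({algorithm: [key tags]}, {covered RRtype: {algorithms that signed it}})."""
    keys, sigs = defaultdict(list), defaultdict(set)
    for line in text.strip().splitlines():
        f = line.split()
        if f[3] == "DNSKEY":
            keys[int(f[6])].append(key_tag(dnskey_rdata(int(f[4]), int(f[5]), int(f[6]), "".join(f[7:]))))
        elif f[3] == "RRSIG":
            sigs[f[4]].add(int(f[5]))
    return keys, sigs

def uncovered_algorithms(text):
    """Per signed RRset, the DNSKEY algorithms with no RRSIG (RFC 4035 section 2.2 requires one each)."""
    keys, sigs = parse(text)
    return {rt: sorted(set(keys) - algs) for rt, algs in sigs.items() if set(keys) - algs}

if __name__ == "__main__":
    print(uncovered_algorithms(SAMPLE))  # {'SOA': [7], 'DNSKEY': [7]}
```

Removing or fully retiring the algorithm 7 key (so it leaves the DNSKEY RRset) is what makes the reported dictionary empty; an inactive key that is still published is exactly the case the check flags.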