[Pdns-users] No RRSIG records after importing DNSSEC keys
Ask Bjørn Hansen
ask at develooper.com
Sun Feb 19 18:51:31 UTC 2012
On Feb 19, 2012, at 3:26, bert hubert wrote:
>> I imported DNSSEC keys originally generated with bind into our powerdns
>> database so we can use the much nicer operational toggles on that.
> Good to hear!
It's really nice how much effort you've put into making powerdns not just "correct" but also practical!
>> The zone data is still hosted in bind, but then transferred un-signed into
>> powerdns. The MySQL database is replicated to some DNS servers and a few
>> others will fetch the (signed) data with AXFR.
> I'm a bit confused by this - so we have:
Sorry I wasn't more clear!
> Bind -> (slave) -> PowerDNS (which has the keys) -> (slave) -> slaves
> + PowerDNS (with no keys)
> (this will look best in a fixed width font).
Yes, except the MYSQL "slaves" have the keys too; the whole database is replicated.
>> The keys appears (to me) to be imported correctly, but the zone isn't
>> getting any RRSIG signatures.
> Do you check by looking into the database? You won't find any RRSIGs there
> indeed on the PowerDNS with the keys. Or do you check in the AXFR?
Ah, good tip checking the AXFR!
I confused myself by not using +dnssec when checking with dig and then by one of the (non-MySQL, non-PowerDNS) slaves not getting NOTIFY messages, I'll send another mail about that.
>> pdnssec show-zone output below. Not sure if there's anything else I can
>> show to help you show me what I did wrong. I'm using 3.0.1.
> Can you let us know your observations when you ask 'the powerdns with the
> dnskeys' a question like this 'dig +dnssec -t a ntppool.com @right-ip' ?
Yes, that looks better -- except http://dnssec-debugger.verisignlabs.com/ntppool.com says some of the keys/algorithms don't match.
It's complaining about a spurious algorithm 7 DNSKEY that's not included in the RRSIG.
You should be able to see it with:
$ dig +short +dnssec -t dnskey ntppool.com
(DNSKEY with algorithm 7 included)
$ dig +dnssec -t soa ntppool.com
(no RRSIG for algo 7).
pdnssec shows the algo=7 key as active=0; should I just delete that one with remove-zone-key?
$ pdnssec show-zone
Syntax: pdnssec show-zone ZONE
[root at dns1.la ~]# pdnssec show-zone ntppool.com
Zone has hashed NSEC3 semantics, configuration: 1 1 1 ab
Zone is not presigned
ID = 16 (KSK), tag = 25339, algo = 8, bits = 2048 Active: 1
KSK DNSKEY = ntppool.com IN DNSKEY 257 3 8 AwEAAdGJ1ccaHQgK6+hlw0CLZ04NM7dIutpS7NGcf2RfCiY0MPXHjfFRfzYH+tzxGuoP0DL8tydW379lAuZiozgjtop3gd3RMffFRfrMFGnp4Xk4aBJ7HHx597/Z+SFru0bLtZjtLc3w9JmmdiYytZKOduwk/XiHD+aW8c67Jr83xAZJSqOXRCKwIDKVT6fAQ2pgrXtgFOXIyFVBIFjeApXj4TaOasJ6CM05wh4zSIz6kGPto8xgP6+FMasH+OGizu+mUT/l4mzXPZUhSqYsTp3rWQ585G2E67JWkncAKwgXA1NoSjqZcTU1xY+1ltIiUVi7rHK4B6WLSi74B+tYN6fgYsk=
DS = ntppool.com IN DS 25339 8 1 8022ccda660009983b2dec059222458f37ec6d2c
DS = ntppool.com IN DS 25339 8 2 7c518cf2f20e8f3b1497745b76aff3c6be803e15f3d22441f245ed554c7fff05
DS = ntppool.com IN DS 25339 8 3 01d0420b6b8a1b78f5a6883c6347f082160fa093b336c39cce6f7251b113bbe2
ID = 17 (ZSK), tag = 43868, algo = 7, bits = 1024 Active: 0
ID = 18 (ZSK), tag = 55464, algo = 8, bits = 1024 Active: 1
ID = 19 (ZSK), tag = 64518, algo = 8, bits = 1024 Active: 1
> If you are in a position to do this, could you try the latest snapshots from
> http://www.powerdnssec.org/ to see what they do in your case?
I might try that on a test server and if it works ok in production for my NOTIFY problem and just to help testing the new version -- I really appreciate how helpful you and the rest of the community is.
> What you appear to be trying to do, be a 'signing proxy', is a well
> supported and oft-used scenario. So it should work!
More information about the Pdns-users