[Pdns-users] No RRSIG records after importing DNSSEC keys

bert hubert bert.hubert at netherlabs.nl
Sun Feb 19 21:22:25 UTC 2012

On Sun, Feb 19, 2012 at 10:51:31AM -0800, Ask Bjørn Hansen wrote:
> > Good to hear!
> It's really nice how much effort you've put into making powerdns not just
> "correct" but also practical!

We held out a long time before doing DNSSEC. When we did decide to do it, we
wanted to do it *right* in practice.

> I confused myself by not using +dnssec when checking with dig and then by
> one of the (non-MySQL, non-PowerDNS) slaves not getting NOTIFY messages,
> I'll send another mail about that.

PowerDNS 3.1 will also serve up RRSIGs without +dnssec, btw. It turns out
that 3.0 is too strict in this respect.

> > Can you let us know your observations when you ask 'the powerdns with the
> > dnskeys' a question like this 'dig +dnssec -t a ntppool.com @right-ip' ?
> Yes, that looks better -- except http://dnssec-debugger.verisignlabs.com/ntppool.com says some of the keys/algorithms don't match.
> It's complaining about a spurious algorithm 7 DNSKEY that's not included in the RRSIG.

It actually says something more complicated. It says that if you have
DNSKEYs of multiple algorithms, you should have RRSIGs in all those

I'm not sure why this is, but do you really need DNSKEYs of different

> You should be able to see it with:
> $ dig +short +dnssec -t dnskey ntppool.com
> (DNSKEY with algorithm 7 included)
> and
> $ dig  +dnssec -t soa ntppool.com
> (no RRSIG for algo 7).
> pdnssec shows the algo=7 key as active=0; should I just delete that one with remove-zone-key?

If you do, the problem will go away. This is probably a bug in your
configuration - I think.  Maybe we shouldn't allow it.  If you have multiple
different algorithms for your DNSKEYs, you must have at least one of each
algorithm 'active'.  This is probably to prevent downgrade attacks.

> > If you are in a position to do this, could you try the latest snapshots from
> > http://www.powerdnssec.org/ to see what they do in your case?
> I might try that on a test server and if it works ok in production for my
> NOTIFY problem and just to help testing the new version -- I really
> appreciate how helpful you and the rest of the community is.

We try!


More information about the Pdns-users mailing list