[Pdns-users] DNSSEC Not Working for All Subdomains

Peter van Dijk peter.van.dijk at netherlabs.nl
Mon Sep 24 16:25:06 UTC 2012

Hello Linda,

On Sep 24, 2012, at 15:50 , Dougan, Linda A wrote:

> Thank you for your  help. I tried rectifying the zones and it did enter the ordername and auth, but I am still not getting the DNSSEC answer from both zones.  It works for www.a.aa but not gtec-gru-gw.customer.a.aa see below.   Is "dig +dnssec +multiline @ www.a.aa" the correct way to test it?  I have included listing of records data, see attachment.  I am using pdns version 3.0.1.

Yes, that's a fine way to test it. Do note that we recommend against DNSSEC operation on 3.0 and 3.0.1. Version 3.1 has a lot of important DNSSEC fixes. However, your problems are not related to those fixes.

> $ dig +dnssec +multiline @ gtec-gru-gw.customer.a.aa
> ; <<>> DiG 9.9.1-P1 <<>> +dnssec +multiline @ gtec-gru-gw.customer.a.aa
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61077
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> ; EDNS: version: 0, flags: do; udp: 2800
> ;gtec-gru-gw.customer.a.aa. IN A
> gtec-gru-gw.customer.a.aa. 14400 IN A

Because this is a different zone (as we noticed in your dump), you also need to secure it separately. In DNSSEC, the boundaries between zones really are very important boundaries, and every zone has its own settings and keys.

Kind regards,
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/

More information about the Pdns-users mailing list