[Pdns-users] DNSSEC Not Working for All Subdomains
Peter van Dijk
peter.van.dijk at netherlabs.nl
Mon Sep 24 16:25:06 UTC 2012
On Sep 24, 2012, at 15:50 , Dougan, Linda A wrote:
> Thank you for your help. I tried rectifying the zones and it did enter the ordername and auth, but I am still not getting the DNSSEC answer from both zones. It works for www.a.aa but not gtec-gru-gw.customer.a.aa see below. Is "dig +dnssec +multiline @127.0.0.1 www.a.aa" the correct way to test it? I have included listing of records data, see attachment. I am using pdns version 3.0.1.
Yes, that's a fine way to test it. Do note that we recommend against DNSSEC operation on 3.0 and 3.0.1. Version 3.1 has a lot of important DNSSEC fixes. However, your problems are not related to those fixes.
> $ dig +dnssec +multiline @127.0.0.1 gtec-gru-gw.customer.a.aa
> ; <<>> DiG 9.9.1-P1 <<>> +dnssec +multiline @127.0.0.1 gtec-gru-gw.customer.a.aa
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61077
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 2800
> ;; QUESTION SECTION:
> ;gtec-gru-gw.customer.a.aa. IN A
> ;; ANSWER SECTION:
> gtec-gru-gw.customer.a.aa. 14400 IN A 126.96.36.199
Because this is a different zone (as we noticed in your dump), you also need to secure it separately. In DNSSEC, the boundaries between zones really are very important boundaries, and every zone has its own settings and keys.
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
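The point in Peter's reply, that a name is signed by the keys of the zone that actually contains it and not by those of an ancestor zone, can be checked mechanically. The following is an added example, not PowerDNS code and not part of the original thread: it picks the enclosing zone for a queried name by longest-suffix match over a zone inventory, then parses `dig +dnssec` output to see whether the DO bit was set and whether the ANSWER section carried an RRSIG. The zone inventory (`ZONES`) and both dig transcripts are constructed for the example; the IP addresses are documentation addresses and the RRSIG is a placeholder, not a real signature.

```python
import re

# Constructed inventory: zone name -> True if the zone has DNSSEC keys in the backend.
# In PowerDNS 3.x the real answer comes from "pdnssec show-zone <zone>"; these values
# are hypothetical and mirror the situation in the thread (parent secured, child not).
ZONES = {
    "a.aa": True,
    "customer.a.aa": False,
}

# Constructed dig transcripts (spacing flattened as in the mailing-list post).
DIG_SIGNED = """\
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 2800
;; QUESTION SECTION:
;www.a.aa. IN A
;; ANSWER SECTION:
www.a.aa. 14400 IN A 192.0.2.10
www.a.aa. 14400 IN RRSIG A 8 3 14400 20121024000000 20121010000000 12345 a.aa. c29tZXNpZ25hdHVyZQ==
"""

DIG_UNSIGNED = """\
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 2800
;; QUESTION SECTION:
;gtec-gru-gw.customer.a.aa. IN A
;; ANSWER SECTION:
gtec-gru-gw.customer.a.aa. 14400 IN A 192.0.2.20
"""

RRSIG_LINE = re.compile(r"^\S+\s+\d+\s+IN\s+RRSIG\s", re.IGNORECASE)


def enclosing_zone(name, zones):
    """Return the configured zone with the most labels that is a suffix of `name`.

    Comparison is label-wise and case-insensitive, so "www.a.aa" falls in "a.aa"
    while "gtec-gru-gw.customer.a.aa" falls in "customer.a.aa" when both exist.
    """
    labels = name.lower().rstrip(".").split(".")
    best, best_len = None, 0
    for zone in zones:
        zl = zone.lower().rstrip(".").split(".")
        if 0 < len(zl) <= len(labels) and labels[-len(zl):] == zl and len(zl) > best_len:
            best, best_len = zone, len(zl)
    return best


def do_bit_set(dig_output):
    """True if the EDNS pseudosection shows the DO flag (signatures were requested)."""
    return any(l.startswith("; EDNS:") and re.search(r"flags:[^;]*\bdo\b", l)
               for l in dig_output.splitlines())


def answer_is_signed(dig_output):
    """True if the ANSWER section of `dig +dnssec` output contains an RRSIG record."""
    in_answer = False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;"):
            in_answer = False
        if in_answer and RRSIG_LINE.match(line):
            return True
    return False


def diagnose(name, dig_output, zones):
    """Explain why a +dnssec query for `name` did or did not come back signed."""
    zone = enclosing_zone(name, zones)
    result = {"zone": zone, "do": do_bit_set(dig_output),
              "signed": answer_is_signed(dig_output)}
    if zone is None:
        result["reason"] = "name not in any configured zone"
    elif not result["do"]:
        result["reason"] = "DO bit not set; query with dig +dnssec"
    elif result["signed"]:
        result["reason"] = "ok"
    elif not zones[zone]:
        result["reason"] = "zone not secured"
    else:
        result["reason"] = "zone secured but answer unsigned; rectify the zone and check its records"
    return result


if __name__ == "__main__":
    for qname, out in (("www.a.aa", DIG_SIGNED),
                       ("gtec-gru-gw.customer.a.aa", DIG_UNSIGNED)):
        print(qname, diagnose(qname, out, ZONES))
```

For the unsigned case the script reports the enclosing zone as `customer.a.aa` with reason `zone not secured`, which is exactly the situation in the thread: securing `a.aa` does nothing for names inside the separate `customer.a.aa` zone. On PowerDNS 3.x the child zone gets its own keys with `pdnssec secure-zone customer.a.aa` followed by `pdnssec rectify-zone customer.a.aa`, and a validating resolver will only trust those keys once a DS record for `customer.a.aa` is published in the parent zone `a.aa`.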