[Pdns-users] NSEC3 opt-out issues in PDNS 3.2

Posner, Sebastian s.posner at telekom.de
Thu Apr 4 13:39:31 UTC 2013

A week ago, Peter van Dijk wrote:

> Klaus Darilion wrote:
> > Further, I wonder why and how Powerdns synthesis the NSEC3 records on
> > the fly? In our setup PDNS is a secondary, the signing happens on the
> > master. Thus, PDNS receives the zone with AXFR, including the NSEC3
> > records and the corresponding RRSIG records. Then, PDNS ignores all the
> > NSEC3 records and synthesis them newly. [...]
> Apart from opt out vs. no opt out, we have had zero reports of our
> synthesis breaking original signatures. 

I think the main point is: If pdns is configured _not_ to do DNSSEC 
signing, why does it touch/generate any DNSSEC-RRs at all, and what
key material is used for it? Definitely not the original zones',
b'cause private keys are not included in AXFR, no?

I'd say, either there's a misconfiguration in this specific setup of
PDNS that makes it think it has to do DNSSEC signing, or there is a
fat bug in PDNS.

Kind regards,

More information about the Pdns-users mailing list