[Pdns-users] NSEC3 opt-out issues in PDNS 3.2
Klaus Darilion
klaus.mailinglists at pernau.at
Thu Mar 28 11:03:46 UTC 2013
Meanwhile I found the important statement in the documentation: "In NSEC3 opt-out
mode (the only NSEC3 mode PowerDNS currently supports) ....".
Are there any plans to support NSEC3 without opt-out?
Further, I wonder why and how PowerDNS synthesizes the NSEC3 records on
the fly? In our setup PDNS is a secondary; the signing happens on the
master. Thus, PDNS receives the zone with AXFR, including the NSEC3
records and the corresponding RRSIG records. Then PDNS ignores all the
NSEC3 records and synthesizes them anew. Therefore there is a great chance
that the original signature does not work anymore, and that's also the
reason why a zone without opt-out gets broken by PDNS.
regards
Klaus
On 27.03.2013 18:06, Klaus Darilion wrote:
> Hi!
>
> We have a setup with PowerDNS between a bind master and bind
> secondaries. The master signs the zone without "opt-out". Thus, the
> NSEC3 records in the zone transfer from master->PDNS have the NSEC3 flag
> set to 0. When the bind secondaries transfer the zone from PDNS, the
> NSEC3 records all have the NSEC3 flag set to 1 (opt-out). Of course this
> breaks the signature of the NSEC3 RR.
>
> Is this a known issue? Is there a config option to fix this?
>
> Thanks
> Klaus
>
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> http://mailman.powerdns.com/mailman/listinfo/pdns-users
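The breakage described in the thread comes down to one byte: the Opt-Out flag lives in the Flags octet of the NSEC3 RDATA (RFC 5155 section 3.2), and the RRSIG covers that RDATA, so a secondary that re-synthesizes the RR with a different flag value serves data the master's signature no longer matches. The following is an added example (stdlib Python, not PowerDNS or BIND code) that builds NSEC3 RDATA in wire format, computes the NSEC3 owner hash per RFC 5155 section 5, and compares a master's NSEC3 RR against the same RR as served by a secondary, reporting which byte offsets differ. The two records are constructed for this example; the salt, iteration count and hash values are taken from the "example" zone in RFC 5155 Appendix A, while the flags=0 master record and the `compare_nsec3`/`parse_nsec3` helpers are assumptions made here to mirror the setup in the post.

```python
"""Show why flipping the NSEC3 Opt-Out flag breaks the RRSIG: the flag is a
byte of the NSEC3 RDATA, and the RDATA is part of what the signature covers.

Added example, not PowerDNS or BIND code; stdlib only (RFC 5155 wire format).
"""
import base64
import hashlib
import struct

# RR type mnemonics used by the constructed records (IANA type codes).
TYPES = {"A": 1, "NS": 2, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28,
         "DS": 43, "RRSIG": 46, "DNSKEY": 48, "NSEC3PARAM": 51}

B32STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"   # RFC 4648 base32
B32HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"   # RFC 4648 base32hex (used by NSEC3)


def name_to_wire(name):
    """Canonical (lowercase) wire form of a domain name, e.g. b'\\x07example\\x00'."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5: SHA-1(name || salt), re-hashed `iterations` more times
    with the salt appended each round, then base32hex (20 bytes -> 32 chars)."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    b32 = base64.b32encode(digest).decode("ascii")
    return b32.translate(str.maketrans(B32STD, B32HEX)).lower()


def type_bitmap(mnemonics):
    """RFC 4034 section 4.1.2 type bit map; window 0 only (all types here < 256)."""
    codes = sorted(TYPES[m] for m in mnemonics)
    bitmap = bytearray(codes[-1] // 8 + 1)
    for t in codes:
        bitmap[t // 8] |= 0x80 >> (t % 8)
    return bytes([0, len(bitmap)]) + bytes(bitmap)


def nsec3_rdata(alg, flags, iterations, salt_hex, next_hash, mnemonics):
    """RFC 5155 section 3.2 NSEC3 RDATA: alg(1) flags(1) iterations(2) saltlen(1)
    salt hashlen(1) next-hashed-owner bitmap. Byte 1 is Flags; bit value 1 = Opt-Out."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    nxt = base64.b32decode(next_hash.upper().translate(str.maketrans(B32HEX, B32STD)))
    return (struct.pack("!BBH", alg, flags, iterations)
            + bytes([len(salt)]) + salt + bytes([len(nxt)]) + nxt + type_bitmap(mnemonics))


def parse_nsec3(line):
    """Parse one presentation-format NSEC3 RR:
    owner TTL IN NSEC3 alg flags iterations salt next type..."""
    f = line.split()
    if f[3] != "NSEC3":
        raise ValueError("not an NSEC3 RR: " + line)
    return {"owner": f[0], "alg": int(f[4]), "flags": int(f[5]),
            "iterations": int(f[6]), "salt": f[7], "next": f[8], "types": f[9:]}


def rdata_of(rec):
    return nsec3_rdata(rec["alg"], rec["flags"], rec["iterations"],
                       rec["salt"], rec["next"], rec["types"])


def compare_nsec3(master_line, secondary_line):
    """Return (identical, differing byte offsets) for the two RDATAs. Any
    difference means the master's RRSIG over this RR cannot validate the copy
    the secondary serves, because the signature is computed over the RDATA."""
    m, s = rdata_of(parse_nsec3(master_line)), rdata_of(parse_nsec3(secondary_line))
    diffs = [i for i, (a, b) in enumerate(zip(m, s)) if a != b]
    if len(m) != len(s):
        diffs.append(min(len(m), len(s)))
    return (not diffs, diffs)


# Constructed records mirroring the thread: the master signs with Opt-Out off
# (flags 0); the intermediate re-synthesizes the same RR with flags 1.
# Salt, iterations and hashes are RFC 5155 Appendix A values for "example".
MASTER = ("0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. 3600 IN NSEC3 1 0 12 aabbccdd "
          "2t7b4g4vsa5smi47k61mv5bv1a22bojr NS SOA MX RRSIG DNSKEY NSEC3PARAM")
SECONDARY = MASTER.replace(" NSEC3 1 0 12 ", " NSEC3 1 1 12 ")

if __name__ == "__main__":
    print("H(example.) =", nsec3_hash("example.", "aabbccdd", 12))
    same, offsets = compare_nsec3(MASTER, SECONDARY)
    print("identical RDATA:", same, "- differing byte offsets:", offsets)
    for line in (MASTER, SECONDARY):
        print(rdata_of(parse_nsec3(line)).hex())
```

Run against real data, feed `compare_nsec3` the NSEC3 line for the same owner from an AXFR of the master and an AXFR of the PowerDNS secondary; offset 1 is the Flags byte, so a report of `(False, [1])` is exactly the opt-out flip described in the post, and any RRSIG that validated on the master is guaranteed to fail on the copy with the changed byte.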