[Pdns-users] PowerDNS 3.0: Can't deal with multi-part NSEC mappings yet

Fredrik Roubert roubert at df.lth.se
Wed Sep 25 08:49:39 UTC 2013


Hello!

My ISP is running a slave DNS service, using PowerDNS 3.0 as this is the
version included in Ubuntu 12.04 LTS. I've already read this post, about
DNSSEC in 3.0 being "explicitly	deprecated":

http://mailman.powerdns.com/pipermail/pdns-users/2012-July/009099.html

But seeing that my ISP's position of "we'll use what's default in the
LTS" is kind of reasonable, I thought it might be worth asking here on
pdns-users@ anyway:

I've set up a master DNS using BIND 9.8 (sorry guys, it's not that I
have anything against PowerDNS, BIND is just a better choice for me
personally here ;-) and DNSSEC signed my zone using RSA/SHA-1 keys:

http://dnssec-debugger.verisignlabs.com/roubert.net

(As far as I can tell, it's all fine. I've also whitelisted my ISP's
server for zone transfers, and transferring other zones, that aren't
using DNSSEC, between the same two servers works just fine.)

Transferring this DNSSEC signed zone, however, leads my ISP's PowerDNS
to log error messages like this:

Sep 25 10:01:07 ns5 pdns[27445]: Unable to parse record during incoming AXFR of 'roubert.net' (MOADNSException): Can't deal with multi-part NSEC mappings yet

So this is clearly something in PowerDNS 3.0 that was fixed in 3.1:

http://wiki.powerdns.com/trac/changeset/2590
http://doc.powerdns.com/html/changelog.html#changelog-auth-3-1

But what does it mean? What exactly is it in my configuration that makes
PowerDNS 3.0 unable to handle it? Is it something I could change to make
PowerDNS 3.0 play along as a slave server?

Cheers // Fredrik Roubert

-- 
Forsterstrasse 64  |  +41 78 8170377
CH-8044 Z├╝rich     |  http://www.df.lth.se/~roubert/




More information about the Pdns-users mailing list