[Pdns-users] Different RRSIG's on master and slaves

Peter van Dijk peter.van.dijk at netherlabs.nl
Thu Sep 26 10:29:38 UTC 2013

Hello Marc,

On Sep 26, 2013, at 10:27 , mvdgeijn wrote:

> My knowledge on DnsSec isn't that great, but what I tested is that when the
> keys on the slaves (stored in the cryptokeys table) are out of sync with the
> master, I have to remove them on both slave servers from the cryptokeys
> table. After that I update the serial and the zone is synced using AXFR from
> the master to both slaves and the keys are fixed.

AXFR does not sync keys; slaves do not need keys if the master is signing. If you are using AXFR and your master signs, you should never have keys on your slaves.

> Maybe there is indeed some code in PowerDNS that sets the presigned flag
> automaticly, but why isn't that adjusted in the show-zone on the master
> and/or the slaves? And why aren't the keys synced when not in sync with the
> master, even when the serial is updated?

If presigned is set automatically, show-zone will show it.

However, if you are AXFRing presigned zones from a master into a slave that has crypto keys, the results are undefined. I believe this is what's causing your troubles.

Kind regards,
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20130926/312c51ee/attachment-0001.sig>

More information about the Pdns-users mailing list