[Pdns-users] DNSSEC query for net ds does not return RRSIG causing trust anchor failures in unbound

[Craig Despeaux]

I am trying to use PowerDNS for test purposes.  I have the 3.3-2 versions
of pdns-server-backend-pipe and pdns-server rpms installed on el6.

I created and signed three zone files with Bind 9.10 representing the root
zone, net zone, and the domain kitchensink.net.  I am using the pipe
backend for EDNS client subnet testing against some com domains, and the
bind backend for root, net, and kitchensink.net.

All were signed, with DS records created in parent zones, etc. using
dnssec-keygen, dnssec-sign-zone, and dnssec-dsfromkey tools provided with
Bind 9.10.  All of my keys use RSASHA256.  When I serve these zones using
named, it works flawlessly and my unbound server has no trust anchor
complaints.  When I dig for "net ds +dnssec" the DS and RRSIG records are
properly returned.

I tried to implement these zones in PowerDNS as pre-signed.  I created my
DNSSEC database using pdnssec create-bind-db and then issued pdnssec
set-presigned commands for "", net, and kitchensink.net.  I experience no
errors when doing so and neither see any errors when I start the
pdns-server.  I also see that corresponding rows have been created in the
domainmetadata table.  My unbound server complains that there are no
signatures for the .net DS record when PowerDNS is the authoritative
nameserver.  And sure enough, when I execute dig against the pdns-server,
it fails to return the RRSIG for the DS record, even though the record
clearly exists in the signed root zone.  I don't see this problem with
kitchensink.net.

I'm at my wit's end as to how to resolve this problem.  Any suggestions as
to things I can look at?  Like I said, it works flawlessly with named from
Bind 9.10.

Thanks,
Craig
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20141203/f462b04b/attachment.html>