[Pdns-users] Still having DNSSEC validation problems with 3.4.1

Craig Despeaux craigedespeaux at gmail.com
Fri Dec 5 15:55:36 UTC 2014


Since my last post, I've now installed the following rpms and am trying to
serve my root, net, and kitchensink.net zones using the gsqlite3 backend.

[deploy at rec1-jump ~]$ rpm -qa|grep pdns
pdns-3.4.1-1.el6.MIND.x86_64
pdns-backend-sqlite-3.4.1-1.el6.MIND.x86_64
pdns-tools-3.4.1-1.el6.MIND.x86_64

Here are the steps that I followed:

sqlite3 /var/db/pdns2-gsqlite3-database < /usr/share/doc/pdns/schema.sqlite3.sql
zone2sql --named-conf=/etc/named.conf --dnssec --gsqlite | sqlite3 /var/db/pdns2-gsqlite3-database
sqlite3 /var/db/pdns2-gsqlite3-database 'analyze;'
pdnssec set-presigned kitchensink.net
pdnssec set-presigned net
pdnssec set-presigned ""

My pdns.conf file contains the following:

launch=gsqlite3
gsqlite3-dnssec
gsqlite3-database=/var/db/pdns-gsqlite3-database
local-address=192.168.0.7,127.0.0.1
module-dir=/usr/lib64/pdns
socket-dir=/var/run/pdns-server
setuid=pdns
setgid=pdns

I start the pdns-server and it has no complaints:

Dec  5 10:44:12 rec1-jump pdns[16951]: Listening on controlsocket in
'/var/run/pdns-server/pdns.controlsocket'
Dec  5 10:44:12 rec1-jump pdns[16954]: Guardian is launching an instance
Dec  5 10:44:12 rec1-jump pdns[16954]: Reading random entropy from
'/dev/urandom'
Dec  5 10:44:12 rec1-jump pdns[16954]: Loading
'/usr/lib64/pdns/libgsqlite3backend.so'
Dec  5 10:44:12 rec1-jump pdns[16954]: [gsqlite3] This is the gsqlite3
backend version 3.4.1 (Oct 30 2014, 14:36:09) reporting
Dec  5 10:44:12 rec1-jump pdns[16954]: This is a guarded instance of pdns
Dec  5 10:44:12 rec1-jump pdns[16954]: UDP server bound to 192.168.0.7:53
Dec  5 10:44:12 rec1-jump pdns[16954]: UDP server bound to 127.0.0.1:53
Dec  5 10:44:12 rec1-jump pdns[16954]: TCP server bound to 192.168.0.7:53
Dec  5 10:44:12 rec1-jump pdns[16954]: TCP server bound to 127.0.0.1:53
Dec  5 10:44:12 rec1-jump pdns[16954]: PowerDNS Authoritative Server 3.4.1 (
jenkins at autotest.powerdns.com) (C) 2001-2014 PowerDNS.COM BV
Dec  5 10:44:12 rec1-jump pdns[16954]: Using 64-bits mode. Built on
20141030144117 by mockbuild at repo.monshouwer.eu, gcc 4.4.7 20120313 (Red Hat
4.4.7-11).
Dec  5 10:44:12 rec1-jump pdns[16954]: PowerDNS comes with ABSOLUTELY NO
WARRANTY. This is free software, and you are welcome to redistribute it
according to the terms of the GPL version 2.
Dec  5 10:44:12 rec1-jump pdns[16954]: Set effective group id to 496
Dec  5 10:44:12 rec1-jump pdns[16954]: Set effective user id to 496
Dec  5 10:44:12 rec1-jump pdns[16954]: Creating backend connection for TCP
Dec  5 10:44:12 rec1-jump pdns[16954]: gsqlite3: connection to
'/var/db/pdns-gsqlite3-database' successful
Dec  5 10:44:12 rec1-jump pdns[16954]: gsqlite3: connection to
'/var/db/pdns-gsqlite3-database' successful
Dec  5 10:44:12 rec1-jump pdns[16954]: About to create 3 backend threads
for UDP
Dec  5 10:44:12 rec1-jump pdns[16954]: gsqlite3: connection to
'/var/db/pdns-gsqlite3-database' successful
Dec  5 10:44:12 rec1-jump pdns[16954]: gsqlite3: connection to
'/var/db/pdns-gsqlite3-database' successful
Dec  5 10:44:12 rec1-jump pdns[16954]: gsqlite3: connection to
'/var/db/pdns-gsqlite3-database' successful
Dec  5 10:44:12 rec1-jump pdns[16954]: gsqlite3: connection to
'/var/db/pdns-gsqlite3-database' successful
Dec  5 10:44:12 rec1-jump pdns[16954]: gsqlite3: connection to
'/var/db/pdns-gsqlite3-database' successful
Dec  5 10:44:12 rec1-jump pdns[16954]: gsqlite3: connection to
'/var/db/pdns-gsqlite3-database' successful
Dec  5 10:44:12 rec1-jump pdns[16954]: Done launching threads, ready to
distribute questions

I then go to my unbound host, which has the DNSKEY for my root zone stored
in root.anchor.

I issue the following DNS queries using dig:

dig @127.0.0.1 kitchensink.net any +dnssec
dig @127.0.0.1 net any +dnssec
dig @127.0.0.1 . any +dnssec

No complaints from unbound for the kitchensink.net or root zone queries;
however, the net query logs this error:

Dec 05 10:44:47 unbound[26907:7] info: validation failure <net. ANY IN>:
signature crypto failed from 192.168.0.7

By turning up the logging and doing more specific queries by qtype, I learn
that the problem comes when unbound attempts to validate the signature
associated with the NSEC record.

I stop the pdns_server and start named serving the exact same zone files,
and unbound has no complaints for any of the three queries.

Am I missing a step or is PowerDNS broken?

Thanks,
Craig
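The narrowing-down step described in the post (query one qtype at a time, find which RRSIG fails) can be made mechanical. The script below is an added example, not part of the original message and not PowerDNS or unbound code. Given the `+dnssec` answer sections from two servers, it extracts the RRset of one type and the RRSIG covering that type, drops the served TTL (an RRSIG validates over the RRset using the original TTL it carries, so a differing served TTL cannot break crypto), and diffs both. The `compare_live` helper assumes `dig` is installed and the servers are reachable; everything else runs offline on constructed sample answers embedded below. The "pdns_bad" sample, where the NSEC type bitmap differs while the RRSIG is byte-identical, is a constructed illustration of the one case that produces "signature crypto failed" with the same signature on both servers; it is not a claim about what the poster's zone actually served.

```shell
#!/bin/sh
# Added example (not from the original post): diff the RRset and RRSIG of one
# type between two servers' dig answer sections.

# rrset_of_type TYPE   (reads dig "+noall +answer" output on stdin)
# Prints "owner class type rdata..." for every record of TYPE, TTL dropped, sorted.
rrset_of_type() {
    awk -v t="$1" '$1 !~ /^;/ && $3 == "IN" && $4 == t {
        out = tolower($1) " " $3 " " $4
        for (i = 5; i <= NF; i++) out = out " " $i
        print out
    }' | sort
}

# rrsig_covering TYPE   (reads dig "+noall +answer" output on stdin)
# Prints the RRSIG record(s) whose type-covered field is TYPE, TTL dropped, sorted.
rrsig_covering() {
    awk -v t="$1" '$1 !~ /^;/ && $4 == "RRSIG" && $5 == t {
        out = tolower($1) " " $3 " RRSIG"
        for (i = 5; i <= NF; i++) out = out " " $i
        print out
    }' | sort
}

# compare_answers TYPE FILE_A FILE_B
# Exit 0 when RRset and RRSIG are identical on both, 1 otherwise; says which part differs.
compare_answers() {
    t=$1; a=$2; b=$3; rc=0
    if [ "$(rrset_of_type "$t" < "$a")" != "$(rrset_of_type "$t" < "$b")" ]; then
        echo "$t RRset differs (same RRSIG can only validate over one of them)"; rc=1
    fi
    if [ "$(rrsig_covering "$t" < "$a")" != "$(rrsig_covering "$t" < "$b")" ]; then
        echo "RRSIG over $t differs"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "$t RRset and RRSIG identical"
    return "$rc"
}

# compare_live TYPE ZONE SERVER_A SERVER_B   (needs dig and network; not run offline)
compare_live() {
    dig @"$3" "$2" "$1" +dnssec +norecurse +noall +answer > "/tmp/cmp_a.$$"
    dig @"$4" "$2" "$1" +dnssec +norecurse +noall +answer > "/tmp/cmp_b.$$"
    compare_answers "$1" "/tmp/cmp_a.$$" "/tmp/cmp_b.$$"; rc=$?
    rm -f "/tmp/cmp_a.$$" "/tmp/cmp_b.$$"
    return "$rc"
}

# Constructed sample answer sections (fake signature bytes, "net. ANY"-style answers).
sample_named() {
    cat <<'EOF'
net.        3600    IN  SOA     ns1.net. hostmaster.net. 2014120501 3600 900 604800 300
net.        3600    IN  RRSIG   SOA 8 1 3600 20150104000000 20141205000000 12345 net. c29hc2lnbmF0dXJl
net.        3600    IN  NSEC    kitchensink.net. NS SOA RRSIG NSEC DNSKEY
net.        3600    IN  RRSIG   NSEC 8 1 3600 20150104000000 20141205000000 12345 net. bnNlY3NpZ25hdHVyZQ==
EOF
}
# Same data with a lower served TTL: must compare as identical.
sample_pdns_ok() {
    sample_named | sed 's/ 3600    IN / 3599    IN /'
}
# NSEC bitmap lost a type while the RRSIG stayed the same: RRset differs, RRSIG identical.
sample_pdns_bad() {
    sample_named | sed 's/NS SOA RRSIG NSEC DNSKEY/NS SOA RRSIG NSEC/'
}

# run_demo: exit 0 when the two constructed comparisons behave as expected.
run_demo() {
    d=$(mktemp -d) || return 1
    sample_named > "$d/named"; sample_pdns_ok > "$d/pdns_ok"; sample_pdns_bad > "$d/pdns_bad"
    echo "named vs pdns_ok:";  compare_answers NSEC "$d/named" "$d/pdns_ok";  ok=$?
    echo "named vs pdns_bad:"; compare_answers NSEC "$d/named" "$d/pdns_bad"; bad=$?
    rm -rf "$d"
    [ "$ok" -eq 0 ] && [ "$bad" -eq 1 ]
}
```

To use it against the setup in the post, start pdns on one address and named on another, then run `compare_live NSEC net 192.168.0.7 <named-address>` and repeat for the other types the ANY answer returned; the output tells you whether the failing server differs in the signature it serves or in the data that signature covers.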