[Pdns-users] PDNS Authoritative DNSSEC Question

Peter van Dijk peter.van.dijk at netherlabs.nl
Mon Feb 10 08:55:39 UTC 2014

Hello Chris,

SUMMARY: the DNSSEC debugger is broken and your domain is fine.

On 07 Feb 2014, at 12:22 , Chris <lists at shthead.com> wrote:

> The signing errored due to the 'type' column not allowing NULL. I updated the schema to allow this.

> 2. I disabled dnssec on the domain and enabled it again:
> # pdnssec --config-dir=/etc/powerdns --config-name=internal disable-dnssec r-9.net
> # pdnssec --config-dir=/etc/powerdns --config-name=internal secure-zone r-9.net
> Securing zone with rsasha256 algorithm with default key size
> Zone r-9.net secured
> Adding NSEC ordering information
> 3. I set nsec3 narrow:
> # pdnssec --config-dir=/etc/powerdns --config-name=internal set-nsec3 r-9.net '1 1 10 ffee' narrow
> NSEC3 (opt-out) set, please rectify-zone if your backend needs it

Also good. Don’t forget to run the rectify-zone (but this is not the issue here).

> From what I can see the DS records should have a key tag of 61424.

> 5. I check using the verisign labs DNSSEC debugger to see if it passes, http://dnssec-debugger.verisignlabs.com/r-9.net.
> I get a couple of errors and warnings, mainly: The DS RRset was not signed by any keys in the chain-of-trust

This is NOT an issue with your zone. The validator is saying that .net failed to provide a valid signature for the DS set it is serving — which is untrue, and even if it was true, it would not be something you can control. This is a bug in the Verisign DNSSEC debugger.

Meanwhile, any testing I can think of locally suggests that your domain is working well and is secured correctly.

> Using the same process as above on another domain with no SRV records results in no errors.

The SRV records do not appear to be part of the issue here.

Kind regards,
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
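The local check behind this thread is whether the DS the parent serves was actually derived from the child's KSK, so the DS key tag and digest can be recomputed from the DNSKEY RDATA and compared. The following is an added example, not code from the thread or from PowerDNS: it implements the RFC 4034 key tag (Appendix B) and DS digest (Section 5) over a constructed, deliberately tiny fake DNSKEY, so the tag it produces is not the 61424 from the thread; only the owner name r-9.net is taken from the discussion.

```python
"""Key tag and DS consistency check for a DNSKEY, per RFC 4034 (Appendix B and Section 5)."""
import hashlib

# Constructed sample DNSKEY RDATA (NOT a real key): flags=257 (KSK), protocol=3,
# algorithm=8 (RSASHA256), then a tiny made-up RSA public key (exp len, exponent, modulus).
SAMPLE_DNSKEY_RDATA = bytes.fromhex("0101" "03" "08" "03010001" "abcdef01")
SAMPLE_OWNER = "R-9.net."  # mixed case on purpose: canonical form must lowercase it


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: sum RDATA as big-endian 16-bit words, then fold in the carry."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of an owner name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def make_ds(owner: str, dnskey_rdata: bytes, digest_type: int = 2) -> bytes:
    """DS RDATA: key tag | algorithm | digest type | digest(owner wire + DNSKEY RDATA)."""
    algorithm = dnskey_rdata[3]
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(owner_wire(owner) + dnskey_rdata).digest()
    return key_tag(dnskey_rdata).to_bytes(2, "big") + bytes([algorithm, digest_type]) + digest


def ds_matches(owner: str, dnskey_rdata: bytes, ds_rdata: bytes) -> bool:
    """True if the parent's DS RDATA was derived from this child DNSKEY (tag, alg and digest agree)."""
    if len(ds_rdata) < 4:
        return False
    digest_type = ds_rdata[3]
    if digest_type not in (1, 2):
        return False  # unsupported digest type: cannot confirm locally
    return make_ds(owner, dnskey_rdata, digest_type) == ds_rdata


if __name__ == "__main__":
    ds = make_ds(SAMPLE_OWNER, SAMPLE_DNSKEY_RDATA)
    print("key tag:", key_tag(SAMPLE_DNSKEY_RDATA))
    print("DS:", ds.hex())
    print("parent DS matches child KSK:", ds_matches(SAMPLE_OWNER, SAMPLE_DNSKEY_RDATA, ds))
```

Feed it the real DNSKEY RDATA and the DS RDATA fetched from the parent, and a False result points at a stale or mistyped DS at the registrar rather than at the validator.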
