[Pdns-users] rectify-zone on non DNSSEC domains

Peter van Dijk peter.van.dijk at powerdns.com
Thu Feb 5 13:59:43 UTC 2015


Hello Martin,

On 30 Jan 2015, at 4:56 , Martin Chandler <mchandler at aventer.net> wrote:

>> On 29 Jan 2015, at 7:45 , Martin Chandler <mchandler at aventer.net> wrote:
>> 
>>> I am running a PowerDNS hidden master behind BIND DNS servers serving to
>>> the public.
>>> 
>>> We have a mix of DNSSEC secure zones, and non-secure zones.
>>> 
>>> My question is do I have to 'rectify-zone' on the non-secure zones?
>>> (does PowerDNS still need the auth and ordername for non-secure zones?)
>> 
>> On non-secure zones, ordername is ignored, but auth is not. However, if you just set auth=1 on all records, you get the ‘old’ behaviour, which has been demonstrated to work just fine in practice. If you use the 3.4.0+ SQL schema, you get auth=1 by default.
> 
> Just curious, as a hidden master that only sends zone transfers to the
> front end BIND servers, what will I lose with the 'old' behaviour?

If you only serve AXFR, there is no difference between ‘old’ and ‘new’ behaviour. In fact, PowerDNS will auto-rectify during outgoing AXFR for you in this case, as long as you make sure SOA queries (that the slave might do to check freshness) don’t fail.

Kind regards,
-- 
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
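
Added example, not part of the original message and not PowerDNS's own code: a check against a generic SQL backend for records in non-secure zones whose auth is not 1, plus an update that sets auth=1 there while leaving DNSSEC zones (where auth=0 on delegations and glue is meaningful) to rectify-zone. The reduced table layout, the rule that a zone with no cryptokeys row is non-secure, and all sample data are assumptions constructed for illustration.

```python
import sqlite3

# Assumed subset of the PowerDNS generic SQL schema (only columns this check needs).
SCHEMA = """
CREATE TABLE domains (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE records (id INTEGER PRIMARY KEY, domain_id INT, name TEXT,
                      type TEXT, content TEXT, ordername TEXT, auth BOOL);
CREATE TABLE cryptokeys (id INTEGER PRIMARY KEY, domain_id INT, active BOOL);
"""
# A zone counts as non-secure here when it has no row in cryptokeys (assumption).
UNSIGNED = "NOT EXISTS (SELECT 1 FROM cryptokeys k WHERE k.domain_id = records.domain_id)"
BAD_AUTH = "(auth IS NULL OR auth <> 1)"

def build_sample():
    """Constructed data: one non-secure zone, one DNSSEC zone with a delegation."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO domains VALUES (?, ?)",
                   [(1, "plain.example"), (2, "signed.example")])
    db.executemany(
        "INSERT INTO records (id, domain_id, name, type, content, auth) VALUES (?,?,?,?,?,?)",
        [(1, 1, "plain.example", "NS", "ns1.plain.example", 1),
         (2, 1, "www.plain.example", "A", "192.0.2.10", None),   # never rectified
         (3, 1, "mail.plain.example", "A", "192.0.2.25", 0),
         (4, 2, "signed.example", "NS", "ns1.signed.example", 1),
         (5, 2, "sub.signed.example", "NS", "ns.sub.signed.example", 0),  # delegation
         (6, 2, "ns.sub.signed.example", "A", "192.0.2.53", 0)])          # glue
    db.execute("INSERT INTO cryptokeys (domain_id, active) VALUES (2, 1)")
    return db

def audit(db):
    """Return (zone, record name, type) for non-secure-zone records lacking auth=1."""
    return db.execute(
        f"SELECT d.name, records.name, records.type FROM records "
        f"JOIN domains d ON d.id = records.domain_id "
        f"WHERE {BAD_AUTH} AND {UNSIGNED} ORDER BY records.id").fetchall()

def set_auth_on_unsigned(db):
    """Set auth=1 in non-secure zones only; returns the number of rows changed."""
    cur = db.execute(f"UPDATE records SET auth = 1 WHERE {BAD_AUTH} AND {UNSIGNED}")
    db.commit()
    return cur.rowcount

if __name__ == "__main__":
    db = build_sample()
    print("before:", audit(db))
    print("updated:", set_auth_on_unsigned(db))
    print("after:", audit(db))
```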




