[Pdns-users] rectify-zone on non DNSSEC domains

Martin Chandler mchandler at aventer.net
Sat Feb 7 11:39:19 UTC 2015


Hello Peter,

On 2015/02/05 22:59, Peter van Dijk wrote:
> Hello Martin,
> 
> On 30 Jan 2015, at 4:56 , Martin Chandler <mchandler at aventer.net> wrote:
> 
>>> On 29 Jan 2015, at 7:45 , Martin Chandler <mchandler at aventer.net> wrote:
>>>
>>>> I am running a PowerDNS hidden master behind BIND DNS servers serving to
>>>> the public.
>>>>
>>>> We have a mix of DNSSEC secure zones, and non-secure zones.
>>>>
>>>> My question is do I have to 'rectify-zone' on the non-secure zones?
>>>> (does PowerDNS still need the auth and ordername for non-secure zones?)
>>>
>>> On non-secure zones, ordername is ignored, but auth is not. However, if you just set auth=1 on all records, you get the ‘old’ behaviour, which has been demonstrated to work just fine in practice. If you use the 3.4.0+ SQL schema, you get auth=1 by default.
>>
>> Just curious, as a hidden master that only sends zone transfers to the
>> front end BIND servers, what will I lose with the 'old' behaviour?
> 
> If you only serve AXFR, there is no difference between ‘old’ and ‘new’ behaviour. In fact, PowerDNS will auto-rectify during outgoing AXFR for you in this case, as long as you make sure SOA queries (that the slave might do to check freshness) don’t fail.
> 

Thank you very much for the clarification.

Regards,
Martin
-- 
Cellular phone : 090-7849-6808
e-mail:mchandler at aventer.net
URL   :http://www.aventer.net/
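
An added example, not part of the original thread and not PowerDNS project code: a check for the "auth=1 on all records" approach discussed above, applied only to non-secure zones so that rectified auth values in signed zones are left alone. It assumes a generic SQL backend (SQLite here), a cut-down column subset of the domains, records and cryptokeys tables, and that "non-secure" means the zone has no row in cryptokeys; the function names and sample data are constructed.

```python
import sqlite3

# Assumed column subset of the generic SQL backend tables, cut down for the demo.
SCHEMA = """
CREATE TABLE domains (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE records (id INTEGER PRIMARY KEY, domain_id INT, name TEXT,
                      type TEXT, content TEXT, ordername TEXT, auth BOOL);
CREATE TABLE cryptokeys (id INTEGER PRIMARY KEY, domain_id INT, flags INT,
                         active BOOL, content TEXT);
"""
# Assumption: a zone is treated as non-secure when it has no cryptokeys row.
NON_SECURE = ("SELECT d.id FROM domains d WHERE NOT EXISTS "
              "(SELECT 1 FROM cryptokeys c WHERE c.domain_id = d.id)")
UNSET = "(auth IS NULL OR auth = 0)"

def records_missing_auth(db):
    """Map each non-secure zone to its count of records with auth unset."""
    rows = db.execute(
        "SELECT z.name, COUNT(*) FROM records r JOIN domains z "
        f"ON z.id = r.domain_id WHERE r.domain_id IN ({NON_SECURE}) "
        f"AND {UNSET} GROUP BY z.name")
    return dict(rows.fetchall())

def set_auth_on_non_secure(db):
    """Set auth=1 on non-secure zones only; return the number of rows changed."""
    cur = db.execute(f"UPDATE records SET auth = 1 WHERE {UNSET} "
                     f"AND domain_id IN ({NON_SECURE})")
    db.commit()
    return cur.rowcount

def sample_db():
    """Constructed data: one signed zone with a delegation, one unsigned zone."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO domains VALUES (?, ?)",
                   [(1, "secure.example"), (2, "plain.example")])
    db.execute("INSERT INTO cryptokeys VALUES (1, 1, 257, 1, 'constructed')")
    db.executemany(
        "INSERT INTO records (domain_id, name, type, content, auth) "
        "VALUES (?, ?, ?, ?, ?)",
        [(1, "secure.example", "A", "192.0.2.1", 1),
         (1, "sub.secure.example", "NS", "ns.sub.secure.example", 0),
         (2, "plain.example", "A", "192.0.2.2", None),
         (2, "www.plain.example", "A", "192.0.2.3", 0)])
    return db

if __name__ == "__main__":
    db = sample_db()
    print(records_missing_auth(db))
    print(set_auth_on_non_secure(db), "rows updated")
```
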



