[Pdns-users] rectify-zone on non DNSSEC domains

Martin Chandler mchandler at aventer.net
Sat Feb 7 11:39:19 UTC 2015

Hello Peter,

On 2015/02/05 22:59, Peter van Dijk wrote:
> Hello Martin,
> On 30 Jan 2015, at 4:56 , Martin Chandler <mchandler at aventer.net> wrote:
>>> On 29 Jan 2015, at 7:45 , Martin Chandler <mchandler at aventer.net> wrote:
>>>> I am running a PowerDNS hidden master behind BIND DNS servers serving to
>>>> the public.
>>>> We have a mix of DNSSEC secure zones, and non-secure zones.
>>>> My question is do I have to 'rectify-zone' on the non-secure zones?
>>>> (does PowerDNS still need the auth and ordername for non-secure zones?)
>>> On non-secure zones, ordername is ignored, but auth is not. However, if you just set auth=1 on all records, you get the ‘old’ behaviour, which has been demonstrated to work just fine in practice. If you use the 3.4.0+ SQL schema, you get auth=1 by default.
>> Just curious, as a hidden master that only sends zone transfers to the
>> front end BIND servers, what will I lose with the 'old' behaviour?
> If you only serve AXFR, there is no difference between ‘old’ and ‘new’ behaviour. In fact, PowerDNS will auto-rectify during outgoing AXFR for you in this case, as long as you make sure SOA queries (that the slave might do to check freshness) don’t fail.

Thank you very much for the clarification.

Cellular phone : 090-7849-6808
e-mail:mchandler at aventer.net
URL   :http://www.aventer.net/
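
Added example, not part of the original thread and not PowerDNS project code: a Python/sqlite3 audit that finds records in non-secure zones whose auth is NULL or 0 and sets auth=1 on them, the 'old' behaviour described in the reply above. Assumptions: the schema is a constructed subset of the generic SQL schema, a zone counts as non-secure when it has no rows in cryptokeys, and all sample names and addresses are constructed.

```python
import sqlite3

# Constructed subset of the PowerDNS generic SQL schema (only the columns used here).
SCHEMA = """
CREATE TABLE domains (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE records (id INTEGER PRIMARY KEY, domain_id INTEGER, name TEXT,
                      type TEXT, content TEXT, ordername TEXT, auth INTEGER);
CREATE TABLE cryptokeys (id INTEGER PRIMARY KEY, domain_id INTEGER,
                         flags INTEGER, active INTEGER, content TEXT);
"""

# Assumption: a zone with no rows in cryptokeys is a non-secure zone.
UNSIGNED = ("NOT EXISTS (SELECT 1 FROM cryptokeys "
            "WHERE cryptokeys.domain_id = records.domain_id)")
NO_AUTH = "(records.auth IS NULL OR records.auth = 0)"

def sample_db():
    """In-memory database with one non-secure and one secured zone (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO domains VALUES (?, ?)",
                     [(1, "plain.example"), (2, "signed.example")])
    conn.executemany(
        "INSERT INTO records (domain_id, name, type, content, auth) VALUES (?,?,?,?,?)",
        [(1, "plain.example", "SOA",
          "ns1.plain.example hostmaster.plain.example 1 3600 600 86400 300", 1),
         (1, "www.plain.example", "A", "192.0.2.10", None),
         (1, "mail.plain.example", "A", "192.0.2.25", 0),
         # Glue inside the secured zone: auth=0 is left to rectify-zone.
         (2, "ns1.sub.signed.example", "A", "192.0.2.53", 0)])
    conn.execute("INSERT INTO cryptokeys (domain_id, flags, active, content) "
                 "VALUES (2, 257, 1, 'constructed-placeholder')")
    return conn

def records_missing_auth(conn):
    """(zone, record name, type) for non-secure-zone records lacking auth=1."""
    return conn.execute(
        "SELECT d.name, records.name, records.type FROM records "
        "JOIN domains d ON d.id = records.domain_id "
        f"WHERE {NO_AUTH} AND {UNSIGNED} ORDER BY records.id").fetchall()

def set_auth_on_unsigned(conn):
    """Set auth=1 on those records only; secured zones are not touched."""
    cur = conn.execute(f"UPDATE records SET auth = 1 WHERE {NO_AUTH} AND {UNSIGNED}")
    conn.commit()
    return cur.rowcount

if __name__ == "__main__":
    db = sample_db()
    print(records_missing_auth(db), set_auth_on_unsigned(db))
```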
