[Pdns-users] DNSSEC trouble

Peter Thomassen peter at desec.io
Wed May 20 10:16:02 UTC 2015

Dear experts,

I'm sorry to bug you again, but I am still stuck with deploying DNSSEC
for desec.io, and I'd like to ask for your help once more.

I have a hidden primary which does the signing in live mode (MySQL
backend), and two public nameservers ns1.desec.io and ns2.desec.io which
receive the zones via AXFR (bind backend). All are using PowerDNS 3.3
from Ubuntu 14.04.

After communicating my DS records to the .io registry, the DNSSEC
debugger http://dnssec-debugger.verisignlabs.com/desec.io tells me that
everything is fine, except that desec.io does not have RRSIG records,
and my resolver says SERVFAIL.

Screenshot: https://www.a4a.de/_temp/DNSSEC.png
(I removed the DS records again from the .io zone.)

dig RRSIG desec.io @ns1.desec.io
dig RRSIG desec.io @ns2.desec.io

gives the RRSIG records. Why does the debugger not find them?

Thanks a lot for your help,
OpenPGP Key: 0x3EF22D2F
