[Pdns-users] DNSSEC trouble
Leen Besselink
leen at consolejunkie.net
Wed May 20 11:41:47 UTC 2015
On Wed, May 20, 2015 at 01:34:59PM +0200, Peter Thomassen wrote:
> Hi Leen,
>
> On 05/20/2015 12:32 PM, Leen Besselink wrote:
> >> # these failed:
> >> dig @ns1.desec.io +dnssec +norec desec.io DNSKEY
> >> dig @ns1.desec.io +dnssec +norec desec.io A
> >>
> >> Here is a working example with an RRSIG for the DNSKEY query:
> [...]
> > As we can see, no RRSIG-record on your domain, my guess would be the transferred domain isn't properly signed before it's transferred:
> >
> > $ dig +dnssec +norec @ns1.desec.io desec.io DNSKEY
> [...]
> > I would try the same query on the hidden master first.
>
> I did try that, and when I query the hidden master, in fact I do get the
> RRSIG records for free. Why is that not the case for the slaves?
>
> I made the hidden master available at desec.io temporarily -- so, compare
>
> dig +dnssec +norec @desec.io desec.io A
> dig +dnssec +norec @ns1.desec.io desec.io A
>
> This really confuses me.
>
Does your slave have DNSSEC enabled in the config?
Looks like BIND zone file backend needs: bind-dnssec-db:
https://doc.powerdns.com/md/authoritative/backend-bind/
And maybe you need to do an extra step?:
"PowerDNS needs to know if a zone should receive DNSSEC processing. To configure, run pdnssec set-presigned zone."
https://doc.powerdns.com/md/authoritative/dnssec/#from-existing-dnssec-non-powerdns-setups-pre-signed
> Best,
> Peter
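
The master-versus-slave comparison in this thread comes down to whether each answer RRset carries a covering RRSIG. The following is an added example, not part of the original message or of PowerDNS; the function name unsigned_rrsets and both sample answers are constructed for illustration.

```shell
# List RRsets in the ANSWER section of `dig +dnssec +norec` output that
# have no RRSIG covering them. Reads dig text output on stdin.
unsigned_rrsets() {
    awk '
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^;; / || /^$/        { in_answer = 0 }
        !in_answer || /^;/    { next }
        {
            owner = tolower($1); type = $4
            if (type == "RRSIG") covered[owner " " $5] = 1   # $5 is the type covered
            else                 seen[owner " " type] = 1
        }
        END {
            for (k in seen) if (!(k in covered)) print k
        }
    ' | sort
}

# Constructed sample: answer as a signing hidden master would return it.
sample_signed() {
    cat <<'EOF'
;; ANSWER SECTION:
desec.io. 3600 IN A 192.0.2.10
desec.io. 3600 IN RRSIG A 8 2 3600 20150604000000 20150514000000 12345 desec.io. Q09OU1RSVUNURUQ=

;; Query time: 12 msec
EOF
}

# Constructed sample: same query against a slave serving the zone unsigned.
sample_unsigned() {
    cat <<'EOF'
;; ANSWER SECTION:
desec.io. 3600 IN A 192.0.2.10

;; Query time: 11 msec
EOF
}

# Live use with the names from the thread:
#   dig +dnssec +norec @ns1.desec.io desec.io A | unsigned_rrsets
echo "signed sample, RRsets lacking RRSIG:";   sample_signed   | unsigned_rrsets
echo "unsigned sample, RRsets lacking RRSIG:"; sample_unsigned | unsigned_rrsets
```

Empty output means every RRset in the answer was signed; any line printed names an owner and type served without a signature.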