[Pdns-users] DNSSEC trouble
pieter.lexis at powerdns.com
Wed May 20 11:42:21 UTC 2015
On 05/20/2015 01:31 PM, Peter Thomassen wrote:
> Yes, I saw that. However, I am using PowerDNS 3.3 on the slaves, so that
> can't be it ...
Is the zone on the slave set to pre-signed? If not, PowerDNS ignores
in-zone RRSIGs and other DNSSEC related data. You can set this by
running `pdnssec set-presigned desec.io` on the slaves. If you use
NSEC3, you should also run `pdnssec set-nsec3 desec.io` on the slaves.
You might need to AXFR the zones to the slaves once more after this.
I must admit, the documentation really lacks in this regard (sorry). We
will try to fix this somewhere down the line.
1 - https://doc.powerdns.com/md/authoritative/dnssec/#pdnssec
More information about the Pdns-users