[Pdns-users] DNSSEC trouble
Pieter Lexis
pieter.lexis at powerdns.com
Wed May 20 11:42:21 UTC 2015
Hi Peter,
On 05/20/2015 01:31 PM, Peter Thomassen wrote:
> Yes, I saw that. However, I am using PowerDNS 3.3 on the slaves, so that
> can't be it ...
Is the zone on the slave set to pre-signed? If not, PowerDNS ignores
in-zone RRSIGs and other DNSSEC related data. You can set this by
running `pdnssec set-presigned desec.io` on the slaves[1]. If you use
NSEC3, you should also run `pdnssec set-nsec3 desec.io` on the slaves[2].
You might need to AXFR the zones to the slaves once more after this.
I must admit, the documentation really lacks in this regard (sorry). We
will try to fix this somewhere down the line.
Best regards,
Pieter
1 - https://doc.powerdns.com/md/authoritative/dnssec/#pdnssec
2 -
https://doc.powerdns.com/md/authoritative/dnssec/#from-existing-dnssec-non-powerdns-setups-pre-signed
More information about the Pdns-users
mailing list