[Pdns-users] DNSSEC trouble

Pieter Lexis pieter.lexis at powerdns.com
Wed May 20 11:42:21 UTC 2015

Hi Peter,

On 05/20/2015 01:31 PM, Peter Thomassen wrote:
> Yes, I saw that. However, I am using PowerDNS 3.3 on the slaves, so that
> can't be it ...

Is the zone on the slave set to pre-signed? If not, PowerDNS ignores 
in-zone RRSIGs and other DNSSEC related data. You can set this by 
running `pdnssec set-presigned desec.io` on the slaves[1]. If you use 
NSEC3, you should also run `pdnssec set-nsec3 desec.io` on the slaves[2].

You might need to AXFR the zones to the slaves once more after this.

I must admit, the documentation really lacks in this regard (sorry). We 
will try to fix this somewhere down the line.

Best regards,


1 - https://doc.powerdns.com/md/authoritative/dnssec/#pdnssec
2 - 

More information about the Pdns-users mailing list