[Pdns-users] DNSSEC trouble

Peter Thomassen peter at desec.io
Wed May 20 12:10:29 UTC 2015


Hi Pieter,

On 05/20/2015 01:42 PM, Pieter Lexis wrote:
> On 05/20/2015 01:31 PM, Peter Thomassen wrote:
>> Yes, I saw that. However, I am using PowerDNS 3.3 on the slaves, so that
>> can't be it ...
> 
> Is the zone on the slave set to pre-signed? If not, PowerDNS ignores
> in-zone RRSIGs and other DNSSEC related data. You can set this by
> running `pdnssec set-presigned desec.io` on the slaves[1]. If you use
> NSEC3, you should also run `pdnssec set-nsec3 desec.io` on the slaves[2].

I had set the zone to pre-signed, but this was (silently) unsuccessful,
because I had not created the bind-dnssec database yet. I had assumed
that the slaves would not need the database file since there is no key
material present on the slaves. Now that I created the database, added
it to the configuration file, and ran the above commands, everything is
working.

I am using the supermaster/superslave mechanism. Let's say I'm creating
a new zone on the supermaster and turn on DNSSEC for it. Will I have to
run set-presigned and set-nsec3 on each of the slaves manually?

> I must admit, the documentation really lacks in this regard (sorry). We
> will try to fix this somewhere down the line.

No worries, the documentation still has proven very helpful in all other
regards. And I really appreciate the community support here. :-)

Best regards,
Peter
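
Added example, not part of the original message and not PowerDNS code: because the failed `set-presigned` described above was silent, a check against the slave's actual answers is the reliable way to notice it. The shell functions below inspect `dig +dnssec` output for an RRSIG covering the SOA; the function names and the example.org sample answers are constructed for illustration.

```shell
#!/bin/sh
# Reads the output of `dig +dnssec +norecurse SOA <zone> @<slave>` on stdin.
# Exit 0: SOA answered together with an RRSIG covering SOA.
# Exit 1: SOA answered without a signature (pre-signed setting not in effect).
# Exit 2: no SOA record in the answer section at all.
soa_is_signed() {
    awk '
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^;; / || /^$/        { in_answer = 0 }
        in_answer && $4 == "SOA"                  { soa = 1 }
        in_answer && $4 == "RRSIG" && $5 == "SOA" { sig = 1 }
        END { if (!soa) exit 2; exit (sig ? 0 : 1) }
    '
}

# Live check against one slave: audit_slave <zone> <slave-address>
audit_slave() {
    dig +dnssec +norecurse SOA "$1" "@$2" | soa_is_signed
}

# Constructed sample: slave that serves the zone but drops the signatures.
sample_unsigned() {
    cat <<'EOF'
;; ANSWER SECTION:
example.org. 3600 IN SOA ns1.example.org. hostmaster.example.org. 2015052001 10800 3600 604800 3600

;; Query time: 1 msec
EOF
}

# Constructed sample: slave with the pre-signed setting in effect.
# The signature field is a placeholder, not a real signature.
sample_signed() {
    cat <<'EOF'
;; ANSWER SECTION:
example.org. 3600 IN SOA ns1.example.org. hostmaster.example.org. 2015052001 10800 3600 604800 3600
example.org. 3600 IN RRSIG SOA 8 2 3600 20150603000000 20150520000000 12345 example.org. Y29uc3RydWN0ZWQ=

;; Query time: 1 msec
EOF
}
```

Running `audit_slave` for every zone on every slave after a change, and alerting on exit status 1, catches the case where the command reported no error but the signatures are not being served.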
