[Pdns-users] 4.0.1 authoritative + bindbackend + presigned axfr'd zone

Peter van Dijk peter.van.dijk at powerdns.com
Fri Aug 12 09:26:33 UTC 2016


Hello Theodore,

Do you have multiple backends launched? In general, DNSSEC only works on
the first backend, I believe.

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/

On 12 Aug 2016, at 9:37, Theodore Baschak wrote:

> I've tried using the sqlite3 backend as well now for this zone, with the
> same non-dnssec-serving/recognizing result.
> (This does work in the mysql backend however, but that's shared between
> multiple servers, and this configuration is unique to this particular
> server.)
>
>
> Theodore Baschak - AS395089 - Hextet Systems
> https://ciscodude.net/ - https://hextet.systems/
> http://mbix.ca/
>
>
> On Fri, Aug 12, 2016 at 1:52 AM, Theodore Baschak <theodore at ciscodude.net> wrote:
>
>> I've got a few zones I slave for a friend. He presigns some of those zones
>> on bind and I AXFR them as a slave.
>>
>> Log entries don't indicate detecting presigned zones on AXFR. Dig with
>> +dnssec doesn't return anything either. dnsviz is showing me as being a
>> problem nameserver for him now.
>>
>> I've got the bind-dnssec-db set, and created the dnssec-db with pdnsutil
>> (and chowned it to pdns:pdns even)
>>
>> I've tried pdnsutil set-presigned <zone>
>>
>> I've been googling this for about an hour and I can't find something wrong
>> with what I'm doing.
>> I did find the following command, which outputs many lines like the
>> following:
>>
>> pdnsutil check-all-zones
>> Aug 12 06:49:30 [bindbackend] Done parsing domains, 0 rejected, 19 
>> new, 0
>> removed
>> [Warning] Parsed and original record content are not equal: fudo.ca 
>> IN
>> RRSIG 'SOA 8 2 3600 20140614060342 20131216060342 17133 fudo.ca.
>> gXArdDSbIIFjFn7fjj4h8MnT2ZQYwKuCWOKDXTn+da5MnmCkp7KXM+
>> PA78Bm2Z2Lo8boU5mJd49pTdEOrSMUFd9/gNi7PW3a5PPc0v9XHvM+
>> 1zTqrRrvch8PzWieiIlOiHjupH5JsDVznKlRDPRmjHerbddr3++PR0OPWPAXy6I='
>> (Content parsed as 'SOA 8 2 3600 20140614060342 20131216060342 17133
>> fudo.ca gXArdDSbIIFjFn7fjj4h8MnT2ZQYwKuCWOKDXTn+da5MnmCkp7KXM+
>> PA78Bm2Z2Lo8boU5mJd49pTdEOrSMUFd9/gNi7PW3a5PPc0v9XHvM+
>> 1zTqrRrvch8PzWieiIlOiHjupH5JsDVznKlRDPRmjHerbddr3++PR0OPWPAXy6I=')
>> [Error] RRSIG found at 'fudo.ca' in non-presigned zone. These do not
>> belong in the database.
>>
>>
>>
>> Theodore Baschak - AS395089 - Hextet Systems
>> https://ciscodude.net/ - https://hextet.systems/
>> http://mbix.ca/
>>
>>
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users
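
An added example, not part of the original thread or of PowerDNS: a small audit of `pdnsutil check-all-zones` output that lists the owner names flagged as carrying RRSIGs in a zone not marked presigned and, for each RRSIG printed in a warning, checks its validity window at a given time. The `audit` function and `SAMPLE` text are constructed for illustration; the RRSIG header fields are the ones quoted in the message, the signature is a placeholder, and only the 14-digit timestamp form is handled.

```python
import re
from datetime import datetime, timezone

# Constructed sample modelled on the pdnsutil output quoted in the message
# above; the signature is a placeholder and the parsed-content part is elided.
SAMPLE = (
    "[Warning] Parsed and original record content are not equal: fudo.ca IN "
    "RRSIG 'SOA 8 2 3600 20140614060342 20131216060342 17133 fudo.ca. "
    "PLACEHOLDERSIG=' (Content parsed as '...')\n"
    "[Error] RRSIG found at 'fudo.ca' in non-presigned zone. "
    "These do not belong in the database.\n"
)

# RRSIG rdata order (RFC 4034): type covered, algorithm, labels, original TTL,
# expiration, inception, key tag, signer name, signature.
RRSIG_RE = re.compile(
    r"(?P<owner>\S+) IN RRSIG '(?P<covered>\S+) (?P<alg>\d+) (?P<labels>\d+) "
    r"(?P<ttl>\d+) (?P<exp>\d{14}) (?P<inc>\d{14}) (?P<tag>\d+) (?P<signer>\S+) "
)
ERROR_RE = re.compile(r"\[Error\] RRSIG found at '([^']+)' in non-presigned zone")

def _ts(stamp):
    # Presentation-format timestamps are YYYYMMDDHHmmSS in UTC.
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def audit(output, now):
    """Return (rrsigs, flagged): parsed RRSIG windows and names pdnsutil flagged."""
    rrsigs = []
    for m in RRSIG_RE.finditer(output):
        inc, exp = _ts(m["inc"]), _ts(m["exp"])
        state = "not-yet-valid" if now < inc else "expired" if now > exp else "valid"
        rrsigs.append({
            "owner": m["owner"], "covered": m["covered"],
            "key_tag": int(m["tag"]), "signer": m["signer"], "state": state,
        })
    flagged = sorted(set(ERROR_RE.findall(output)))
    return rrsigs, flagged

if __name__ == "__main__":
    when = datetime(2016, 8, 12, tzinfo=timezone.utc)  # date of the thread
    sigs, flagged = audit(SAMPLE, when)
    for s in sigs:
        print(f"{s['owner']} RRSIG({s['covered']}) key tag {s['key_tag']}: {s['state']}")
    print("flagged as not presigned:", ", ".join(flagged))
```

Feeding it real `pdnsutil check-all-zones` output shows in one pass which zones still need `set-presigned` to take effect and whether the signatures being transferred are inside their validity window.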

