[Pdns-users] 4.0.1 authoritative + bindbackend + presigned axfr'd zone

Theodore Baschak theodore at ciscodude.net
Fri Aug 12 16:28:53 UTC 2016


That's exactly what I was trying to do! Multiple backends (mysql for my own,
bind/sqlite for these slave ones). If that doesn't work that explains why
:-)
I'll redesign what I'm doing in a different way (likely using dnsdist to
redirect these presigned slave zones to a different DNS instance)


Theodore Baschak - AS395089 - Hextet Systems
https://ciscodude.net/ - https://hextet.systems/
http://mbix.ca/


On Fri, Aug 12, 2016 at 4:26 AM, Peter van Dijk <peter.van.dijk at powerdns.com> wrote:

> Hello Theodore,
>
> do you have multiple backends launched? In general DNSSEC only works on
> the first backend I believe.
>
> Kind regards,
> --
> Peter van Dijk
> PowerDNS.COM BV - https://www.powerdns.com/
>
>
> On 12 Aug 2016, at 9:37, Theodore Baschak wrote:
>
>> I've tried using the sqlite3 backend as well now for this zone, with the
>> same non-dnssec-serving/recognizing result.
>> (This does work in the mysql backend however, but that's shared between
>> multiple servers, and this configuration is unique to this particular
>> server.)
>>
>>
>> Theodore Baschak - AS395089 - Hextet Systems
>> https://ciscodude.net/ - https://hextet.systems/
>> http://mbix.ca/
>>
>>
>> On Fri, Aug 12, 2016 at 1:52 AM, Theodore Baschak <theodore at ciscodude.net> wrote:
>>
>>> I've got a few zones I slave for a friend. He presigns some of those zones
>>> on bind and I AXFR them as a slave.
>>>
>>> Log entries don't indicate detecting presigned zones on AXFR. Dig with
>>> +dnssec doesn't return anything either. dnsviz is showing me as being a
>>> problem nameserver for him now.
>>>
>>> I've got the bind-dnssec-db set, and created the dnssec-db with pdnsutil
>>> (and chowned it to pdns:pdns even)
>>>
>>> I've tried pdnsutil set-presigned <zone>
>>>
>>> I've been googling this for about an hour and I can't find something wrong
>>> with what I'm doing.
>>> I did find the following command, which outputs many lines like the
>>> following:
>>>
>>> pdnsutil check-all-zones
>>> Aug 12 06:49:30 [bindbackend] Done parsing domains, 0 rejected, 19 new, 0
>>> removed
>>> [Warning] Parsed and original record content are not equal: fudo.ca IN
>>> RRSIG 'SOA 8 2 3600 20140614060342 20131216060342 17133 fudo.ca.
>>> gXArdDSbIIFjFn7fjj4h8MnT2ZQYwKuCWOKDXTn+da5MnmCkp7KXM+
>>> PA78Bm2Z2Lo8boU5mJd49pTdEOrSMUFd9/gNi7PW3a5PPc0v9XHvM+
>>> 1zTqrRrvch8PzWieiIlOiHjupH5JsDVznKlRDPRmjHerbddr3++PR0OPWPAXy6I='
>>> (Content parsed as 'SOA 8 2 3600 20140614060342 20131216060342 17133
>>> fudo.ca gXArdDSbIIFjFn7fjj4h8MnT2ZQYwKuCWOKDXTn+da5MnmCkp7KXM+
>>> PA78Bm2Z2Lo8boU5mJd49pTdEOrSMUFd9/gNi7PW3a5PPc0v9XHvM+
>>> 1zTqrRrvch8PzWieiIlOiHjupH5JsDVznKlRDPRmjHerbddr3++PR0OPWPAXy6I=')
>>> [Error] RRSIG found at 'fudo.ca' in non-presigned zone. These do not
>>> belong in the database.
>>>
>>>
>>>
>>> Theodore Baschak - AS395089 - Hextet Systems
>>> https://ciscodude.net/ - https://hextet.systems/
>>> http://mbix.ca/
>>>
>>>
>
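
A pre-flight check for the situation in this thread, as an added example that is not part of the original messages or of PowerDNS itself: it reads a pdns.conf and reports when the bind backend holding presigned zones is not the first entry in launch=, or when bind-dnssec-db is missing. The "first backend only" rule is taken from Peter's reply as he stated it; the sample config and its file paths are constructed.

```python
# Constructed sample config: backend order mirrors the setup described in the
# thread (mysql for own zones, bind for the presigned slave zones). Paths are
# made up for the example.
SAMPLE_CONF = """\
# pdns.conf (constructed sample)
launch=gmysql,bind
bind-config=/etc/powerdns/named.conf
bind-dnssec-db=/var/lib/powerdns/bind-dnssec.sqlite3
"""


def parse_conf(text):
    """Return key -> value for simple key=value lines, ignoring comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def launch_order(settings):
    """Backends in launch order; 'gmysql:name' instances reduce to 'gmysql'."""
    entries = settings.get("launch", "").split(",")
    return [e.strip().split(":", 1)[0] for e in entries if e.strip()]


def check_presigned_backend(text, backend="bind"):
    """List findings that would explain presigned zones served without RRSIGs."""
    settings = parse_conf(text)
    order = launch_order(settings)
    if backend not in order:
        return [f"{backend} backend is not launched (launch={order})"]
    findings = []
    if order[0] != backend:
        pos = order.index(backend) + 1
        findings.append(
            f"{backend} is backend #{pos}, after {order[0]}; per the reply "
            "in this thread DNSSEC may only work on the first backend"
        )
    if backend == "bind" and not settings.get("bind-dnssec-db"):
        findings.append("bind-dnssec-db is not set")
    return findings


if __name__ == "__main__":
    for finding in check_presigned_backend(SAMPLE_CONF):
        print("WARN:", finding)
```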