[Pdns-users] Setting up intentionally invalid DNSSEC record in auto-secure environment

Nick Williams nicholas at nicholaswilliams.net
Wed Jan 6 17:54:23 UTC 2016

Hi all,

We're running a PowerDNS 3.4.6 installation with the MySQL backend, and we’re using pdnsutil secure-zone/set-nsec3/rectify-zone to automatically secure all of our domains (the least-effort method, instead of manually signing everything). It works great. Thanks for the excellent software!

To support an internal testing tool, I would like to set up a few DNS records on a subdomain of one of our signed domains, and have those DNS records //intentionally invalidly signed// so that verifying resolvers will flag them and not return them. What is the best way to do this? Can I simply manually enter an invalid RRSIG record for each record, and that manual record will take precedence over any automatic signing that PowerDNS performs? Or do I need to take some other step (perhaps it requires a separate domain)? Or is what I want to do impossible with PowerDNS automatic signing enabled?


Nick Williams