[Pdns-users] Setting up intentionally invalid DNSSEC record in auto-secure environment
nicholas at nicholaswilliams.net
Wed Jan 6 17:54:23 UTC 2016
We're running a PowerDNS 3.4.6 installation with the MySQL backend, and we’re using pdnsutil secure-zone/set-nsec3/rectify-zone to automatically secure all of our domains (the least-effort method, instead of manually signing everything). It works great. Thanks for the excellent software!
To support an internal testing tool, I would like to set up a few DNS records on a subdomain of one of our signed domains, and have those DNS records //intentionally invalidly signed// so that verifying resolvers will flag them and not return them. What is the best way to do this? Can I simply manually enter an invalid RRSIG record for each record, and that manual record will take precedence over any automatic signing that PowerDNS performs? Or do I need to take some other step (perhaps it requires a separate domain)? Or is what I want to do impossible with PowerDNS automatic signing enabled?