[Pdns-users] Setting up intentionally invalid DNSSEC record in auto-secure environment
nicholas at nicholaswilliams.net
Wed Jan 6 18:46:38 UTC 2016
Out of curiosity, what DOES PowerDNS do if it finds an both an A and an
RRSIG record for a.b.c.com in the database?
On Wed, Jan 6, 2016 at 12:33 PM, Aki Tuomi <cmouse at cmouse.fi> wrote:
> The code does not support this but you might be able to use postresolve
> Lua hook to break the reply signature.
> Aki Tuomi
> -------- Alkuperäinen viesti --------
> Lähettäjä: Nick Williams <nicholas at nicholaswilliams.net>
> Päivämäärä: 6.1.2016 19.54 (GMT+02:00)
> Saaja: pdns-users Users <pdns-users at mailman.powerdns.com>
> Aihe: [Pdns-users] Setting up intentionally invalid DNSSEC record in
> auto-secure environment
> Hi all,
> We're running a PowerDNS 3.4.6 installation with the MySQL backend, and
> we’re using pdnsutil secure-zone/set-nsec3/rectify-zone to automatically
> secure all of our domains (the least-effort method, instead of manually
> signing everything). It works great. Thanks for the excellent software!
> To support an internal testing tool, I would like to set up a few DNS
> records on a subdomain of one of our signed domains, and have those DNS
> records //intentionally invalidly signed// so that verifying resolvers will
> flag them and not return them. What is the best way to do this? Can I
> simply manually enter an invalid RRSIG record for each record, and that
> manual record will take precedence over any automatic signing that PowerDNS
> preforms? Or do I need to take some other step (perhaps it requires a
> separate domain)? Or is what I want to do impossible with PowerDNS
> automatic signing enabled?
> Nick Williams
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Pdns-users