[Pdns-users] Setting up intentionally invalid DNSSEC record in auto-secure environment

bert hubert bert.hubert at powerdns.com
Wed Jan 6 19:12:43 UTC 2016


On Wed, Jan 06, 2016 at 12:46:38PM -0600, Nicholas Williams wrote:
> Out of curiosity, what DOES PowerDNS do if it finds both an A and an
> RRSIG record for a.b.c.com in the database?

Hi Nicholas,

To answer both your messages in one go, if you run with 'presigned zones',
PowerDNS will use the RRSIG from your database. So it will find the right
RRSIG that goes with your A record.

Secondly, if you use a pre-signed zone, you can also mess up your RRSIG by
hand to generate a 'broken' zone.

	Bert

> 
> Nick
> 
> On Wed, Jan 6, 2016 at 12:33 PM, Aki Tuomi <cmouse at cmouse.fi> wrote:
> 
> > The code does not support this but you might be able to use postresolve
> > Lua hook to break the reply signature.
> >
> > ---
> > Aki Tuomi
> > -------- Original message --------
> > From: Nick Williams <nicholas at nicholaswilliams.net>
> > Date: 6.1.2016 19.54 (GMT+02:00)
> > To: pdns-users Users <pdns-users at mailman.powerdns.com>
> > Subject: [Pdns-users] Setting up intentionally invalid DNSSEC record in
> > auto-secure environment
> >
> > Hi all,
> >
> > We're running a PowerDNS 3.4.6 installation with the MySQL backend, and
> > we’re using pdnsutil secure-zone/set-nsec3/rectify-zone to automatically
> > secure all of our domains (the least-effort method, instead of manually
> > signing everything). It works great. Thanks for the excellent software!
> >
> > To support an internal testing tool, I would like to set up a few DNS
> > records on a subdomain of one of our signed domains, and have those DNS
> > records //intentionally invalidly signed// so that verifying resolvers will
> > flag them and not return them. What is the best way to do this? Can I
> > simply manually enter an invalid RRSIG record for each record, and that
> > manual record will take precedence over any automatic signing that PowerDNS
> > preforms? Or do I need to take some other step (perhaps it requires a
> > separate domain)? Or is what I want to do impossible with PowerDNS
> > automatic signing enabled?
> >
> > Thanks!
> >
> > Nick Williams
> > _______________________________________________
> > Pdns-users mailing list
> > Pdns-users at mailman.powerdns.com
> > http://mailman.powerdns.com/mailman/listinfo/pdns-users
> >

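Added example (not code from the thread, from PowerDNS, or from any of the posters): when a zone is served presigned, the RRSIGs come straight from the database, so nothing regenerates them and nothing checks that an RRSIG actually belongs to the RRset next to it. The script below is a structural audit a zone operator can run over a presigned zone export before loading it: it pairs each RRset with the RRSIGs that cover it by owner name and type, and flags RRsets without a signature, RRSIGs without a matching RRset, signatures outside their validity window, label counts larger than the owner name, signer names that are not an ancestor of the owner, and signature fields that are not valid base64. The zone fragment, the names under example.test., and all the field values are constructed for the example. The script only checks structure; an RRSIG whose signature bytes were edited by hand but still decode as base64 (the deliberately broken record Nick asked about) passes this audit and is only rejected by a validating resolver that holds the zone's DNSKEY.

```python
import base64
import binascii
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of a presigned zone fragment (not data from the thread).
# It mixes a consistently signed RRset with the kinds of slips that matter when
# RRSIGs live in the database rather than being generated by the server itself.
SAMPLE_ZONE = """\
www.example.test.      3600 IN A     192.0.2.10
www.example.test.      3600 IN RRSIG A 13 3 3600 20160201000000 20160101000000 12345 example.test. c2lnbmF0dXJlLWJ5dGVz
broken.example.test.   3600 IN A     192.0.2.11
broken.example.test.   3600 IN RRSIG A 13 3 3600 20160201000000 20160101000000 12345 example.test. !!!not-base64!!!
unsigned.example.test. 3600 IN A     192.0.2.12
orphan.example.test.   3600 IN RRSIG AAAA 13 3 3600 20160201000000 20160101000000 12345 example.test. c2ln
stale.example.test.    3600 IN A     192.0.2.13
stale.example.test.    3600 IN RRSIG A 13 3 3600 20150201000000 20150101000000 12345 example.test. c2ln
"""


def rrsig_time(field):
    """RRSIG expiration/inception are YYYYMMDDHHMMSS in UTC (RFC 4034 section 3.1.5)."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_zone(text):
    """Parse one-record-per-line presentation format into dicts.

    Only the fields the audit needs are split out. RRSIG RDATA follows the
    RFC 4034 order: type covered, algorithm, labels, original TTL,
    expiration, inception, key tag, signer name, signature (base64).
    """
    records = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith(";"):
            continue
        owner, rtype, rdata = tok[0].lower(), tok[3], tok[4:]
        rec = {"owner": owner, "type": rtype}
        if rtype == "RRSIG":
            rec.update(
                covered=rdata[0], labels=int(rdata[2]),
                expiration=rrsig_time(rdata[4]), inception=rrsig_time(rdata[5]),
                signer=rdata[7].lower(), signature="".join(rdata[8:]),
            )
        records.append(rec)
    return records


def label_count(name):
    """Number of labels in a fully qualified owner name ('www.example.test.' -> 3)."""
    return len([lbl for lbl in name.rstrip(".").split(".") if lbl])


def is_ancestor(signer, owner):
    """True when the signer name is the owner itself or one of its parents."""
    return owner == signer or owner.endswith("." + signer)


def audit(records, now):
    """Return (finding, owner, type) tuples for RRSIG/RRset mismatches.

    Structural only: a signature that decodes as base64 is accepted here even
    if its bytes are wrong; cryptographic validation needs the zone's DNSKEY.
    """
    rrsets = set()
    sigs = defaultdict(list)
    for r in records:
        if r["type"] == "RRSIG":
            sigs[(r["owner"], r["covered"])].append(r)
        else:
            rrsets.add((r["owner"], r["type"]))

    findings = []
    for owner, rtype in sorted(rrsets):
        if (owner, rtype) not in sigs:
            findings.append(("unsigned", owner, rtype))
    for (owner, covered), siglist in sorted(sigs.items()):
        if (owner, covered) not in rrsets:
            findings.append(("orphan-rrsig", owner, covered))
        for s in siglist:
            if not s["inception"] <= now <= s["expiration"]:
                findings.append(("outside-validity", owner, covered))
            if s["labels"] > label_count(owner):
                findings.append(("bad-label-count", owner, covered))
            if not is_ancestor(s["signer"], owner):
                findings.append(("signer-not-ancestor", owner, covered))
            try:
                base64.b64decode(s["signature"], validate=True)
            except binascii.Error:
                findings.append(("undecodable-signature", owner, covered))
    return findings


def audit_sample():
    """Run the audit over the constructed zone as of the date of this thread."""
    now = datetime(2016, 1, 6, 19, 12, tzinfo=timezone.utc)
    return audit(parse_zone(SAMPLE_ZONE), now)


if __name__ == "__main__":
    for kind, owner, rtype in audit_sample():
        print(f"{kind:24} {owner} {rtype}")
```

Run it as a script to print the findings for the sample, or call audit() on records parsed from your own zone export with the current time. The one record it cannot catch, a syntactically fine RRSIG with the wrong signature bytes, is exactly what Bert's suggestion produces, and the way to confirm that record is rejected is to query it through a validating resolver with DNSSEC validation enabled and check that the answer is withheld.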