[Pdns-users] Setting up intentionally invalid DNSSEC record in auto-secure environment

Nicholas Williams nicholas at nicholaswilliams.net
Wed Jan 6 19:26:59 UTC 2016


Yea, but that's the rub. I want to do this WITHOUT 'presigned zones.' I
want everything else to be live-signed (because it's SO much easier than
presigning), and only munge this one subdomain's RRSIGs.

I'm looking into using a postresolve Lua script for this, as Aki suggested,
because it sounds like that's likely the only way to do what I want. I
found this sample, which is pretty helpful:

https://wiki.powerdns.com/trac/browser/trunk/pdns/pdns/powerdns-example-script.lua

But I'm trying to find actual documentation about where to put the script,
what the inputs and outputs to postresolve are, etc., and I can't find it
with Google. I've only been able to find the Recursor scripting
documentation, not the Authoritative documentation. Can someone point me to
the Authoritative documentation on using scripting to alter responses?

Thanks,

Nick

On Wed, Jan 6, 2016 at 1:12 PM, bert hubert <bert.hubert at powerdns.com>
wrote:

> On Wed, Jan 06, 2016 at 12:46:38PM -0600, Nicholas Williams wrote:
> > Out of curiosity, what DOES PowerDNS do if it finds an both an A and an
> > RRSIG record for a.b.c.com in the database?
>
> Hi Nicholas,
>
> To answer both your messages in one go, if you run with 'presigned zones',
> PowerDNS will use the RRSIG from your database. So it will find the right
> RRSIG that goes with your A record.
>
> Secondly, if you use a pre-signed zone, you can also mess up your RRSIG by
> hand to generate a 'broken' zone.
>
>         Bert
>
> >
> > Nick
> >
> > On Wed, Jan 6, 2016 at 12:33 PM, Aki Tuomi <cmouse at cmouse.fi> wrote:
> >
> > > The code does not support this but you might be able to use postresolve
> > > Lua hook to break the reply signature.
> > >
> > > ---
> > > Aki Tuomi
> > > -------- Alkuperäinen viesti --------
> > > Lähettäjä: Nick Williams <nicholas at nicholaswilliams.net>
> > > Päivämäärä: 6.1.2016 19.54 (GMT+02:00)
> > > Saaja: pdns-users Users <pdns-users at mailman.powerdns.com>
> > > Aihe: [Pdns-users] Setting up intentionally invalid DNSSEC record in
> > > auto-secure environment
> > >
> > > Hi all,
> > >
> > > We're running a PowerDNS 3.4.6 installation with the MySQL backend, and
> > > we’re using pdnsutil secure-zone/set-nsec3/rectify-zone to
> automatically
> > > secure all of our domains (the least-effort method, instead of manually
> > > signing everything). It works great. Thanks for the excellent software!
> > >
> > > To support an internal testing tool, I would like to set up a few DNS
> > > records on a subdomain of one of our signed domains, and have those DNS
> > > records //intentionally invalidly signed// so that verifying resolvers
> will
> > > flag them and not return them. What is the best way to do this? Can I
> > > simply manually enter an invalid RRSIG record for each record, and that
> > > manual record will take precedence over any automatic signing that
> PowerDNS
> > > preforms? Or do I need to take some other step (perhaps it requires a
> > > separate domain)? Or is what I want to do impossible with PowerDNS
> > > automatic signing enabled?
> > >
> > > Thanks!
> > >
> > > Nick Williams
> > > _______________________________________________
> > > Pdns-users mailing list
> > > Pdns-users at mailman.powerdns.com
> > > http://mailman.powerdns.com/mailman/listinfo/pdns-users
> > >
>
> > _______________________________________________
> > Pdns-users mailing list
> > Pdns-users at mailman.powerdns.com
> > http://mailman.powerdns.com/mailman/listinfo/pdns-users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20160106/88a2663e/attachment-0001.html>


More information about the Pdns-users mailing list