[Pdns-users] Setting up intentionally invalid DNSSEC record in auto-secure environment

bert hubert bert.hubert at powerdns.com
Wed Jan 6 19:34:09 UTC 2016


On Wed, Jan 06, 2016 at 01:26:59PM -0600, Nicholas Williams wrote:
> I'm looking into using a postresolve Lua script for this, as Aki suggested,
> because it sounds like that's likely the only way to do what I want. I
> found this sample, which is pretty helpful:

Well - the reason you can't find the documentation is that the Lua "break
your answer" scripting is our internal debugging tool that we haven't
documented because we might still change it at any time.
> 
> https://wiki.powerdns.com/trac/browser/trunk/pdns/pdns/powerdns-example-script.lua

This is not the script you are looking for.

> But I'm trying to find actual documentation about where to put the script,
> what the inputs and outputs to postresolve are, etc., and I can't find it
> with Google. I've only been able to find the Recursor scripting
> documentation, not the Authoritative documentation. Can someone point me to
> the Authoritative documentation on using scripting to alter responses?

You might find inspiration in these regression tests:
https://github.com/PowerDNS/pdns/blob/master/regression-tests.recursor/config.sh

The scripts embedded there use our manipulation API.

I hope this helps!

	Bert

> 
> Thanks,
> 
> Nick
> 
> On Wed, Jan 6, 2016 at 1:12 PM, bert hubert <bert.hubert at powerdns.com>
> wrote:
> 
> > On Wed, Jan 06, 2016 at 12:46:38PM -0600, Nicholas Williams wrote:
> > > Out of curiosity, what DOES PowerDNS do if it finds both an A and an
> > > RRSIG record for a.b.c.com in the database?
> >
> > Hi Nicholas,
> >
> > To answer both your messages in one go, if you run with 'presigned zones',
> > PowerDNS will use the RRSIG from your database. So it will find the right
> > RRSIG that goes with your A record.
> >
> > Secondly, if you use a pre-signed zone, you can also mess up your RRSIG by
> > hand to generate a 'broken' zone.
> >
> >         Bert
> >
> > >
> > > Nick
> > >
> > > On Wed, Jan 6, 2016 at 12:33 PM, Aki Tuomi <cmouse at cmouse.fi> wrote:
> > >
> > > > The code does not support this but you might be able to use postresolve
> > > > Lua hook to break the reply signature.
> > > >
> > > > ---
> > > > Aki Tuomi
> > > > -------- Original message --------
> > > > From: Nick Williams <nicholas at nicholaswilliams.net>
> > > > Date: 6.1.2016 19.54 (GMT+02:00)
> > > > To: pdns-users Users <pdns-users at mailman.powerdns.com>
> > > > Subject: [Pdns-users] Setting up intentionally invalid DNSSEC record in
> > > > auto-secure environment
> > > >
> > > > Hi all,
> > > >
> > > > We're running a PowerDNS 3.4.6 installation with the MySQL backend, and
> > > > we’re using pdnsutil secure-zone/set-nsec3/rectify-zone to automatically
> > > > secure all of our domains (the least-effort method, instead of manually
> > > > signing everything). It works great. Thanks for the excellent software!
> > > >
> > > > To support an internal testing tool, I would like to set up a few DNS
> > > > records on a subdomain of one of our signed domains, and have those DNS
> > > > records //intentionally invalidly signed// so that verifying resolvers will
> > > > flag them and not return them. What is the best way to do this? Can I
> > > > simply manually enter an invalid RRSIG record for each record, and that
> > > > manual record will take precedence over any automatic signing that PowerDNS
> > > > performs? Or do I need to take some other step (perhaps it requires a
> > > > separate domain)? Or is what I want to do impossible with PowerDNS
> > > > automatic signing enabled?
> > > >
> > > > Thanks!
> > > >
> > > > Nick Williams
> > > > _______________________________________________
> > > > Pdns-users mailing list
> > > > Pdns-users at mailman.powerdns.com
> > > > http://mailman.powerdns.com/mailman/listinfo/pdns-users
> > > >
> >
> >
> >


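Bert's suggestion above, that with a presigned zone you can "mess up your RRSIG by hand" to get a deliberately broken zone, as an added example (not PowerDNS code and not something anyone in the thread posted): a small Python helper that parses an RRSIG in RFC 4034 presentation format, flips a single bit in the signature field, and re-emits a record that is still syntactically valid. The owner name, key tag, signer and signature bytes in the sample are constructed placeholders, and the function names are hypothetical. The output is the kind of record the test tool in the thread wants: an authoritative server serves it unchanged, a non-validating resolver passes it through, and a validating resolver fails to verify the RRset it covers and returns SERVFAIL instead.

```python
"""
Corrupt the signature field of a DNSSEC RRSIG record (RFC 4034 presentation
format) to produce a deliberately non-validating record for a test zone.

Hypothetical helper, not PowerDNS code: it rewrites the RRSIG text that you
would load into a presigned zone; it never talks to a nameserver.
"""
import base64

# RRSIG RDATA field order per RFC 4034 section 3.2 (presentation format).
RDATA_FIELDS = ("type_covered", "algorithm", "labels", "original_ttl",
                "expiration", "inception", "key_tag", "signer", "signature")


def parse_rrsig(line):
    """Split 'owner ttl class RRSIG <rdata...>' into owner, TTL, class and RDATA fields."""
    parts = line.split()
    if len(parts) < 4 + len(RDATA_FIELDS) or parts[3].upper() != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    owner, ttl, rrclass = parts[0], int(parts[1]), parts[2].upper()
    # Eight fixed fields come first; the base64 signature may be split over
    # several whitespace-separated tokens in a zone file, so rejoin the rest.
    rdata = dict(zip(RDATA_FIELDS[:-1], parts[4:12]))
    rdata["signature"] = "".join(parts[12:])
    for key in ("algorithm", "labels", "original_ttl", "key_tag"):
        rdata[key] = int(rdata[key])
    rdata["signature_bytes"] = base64.b64decode(rdata["signature"])
    return {"owner": owner, "ttl": ttl, "class": rrclass, "rdata": rdata}


def format_rrsig(rec):
    """Serialise a parsed record back to a single presentation-format line."""
    r = rec["rdata"]
    return " ".join([rec["owner"], str(rec["ttl"]), rec["class"], "RRSIG",
                     r["type_covered"], str(r["algorithm"]), str(r["labels"]),
                     str(r["original_ttl"]), r["expiration"], r["inception"],
                     str(r["key_tag"]), r["signer"],
                     base64.b64encode(r["signature_bytes"]).decode("ascii")])


def corrupt_signature(line, bit_index=0):
    """Return the same RRSIG with exactly one bit of the signature flipped.

    Every other field (type covered, validity window, key tag, signer) is kept,
    so the record is well-formed and matches its DNSKEY; only the cryptographic
    check fails. Flipping one bit is enough to make a validating resolver
    reject the covered RRset."""
    rec = parse_rrsig(line)
    sig = bytearray(rec["rdata"]["signature_bytes"])
    byte_i, bit_i = divmod(bit_index, 8)
    if byte_i >= len(sig):
        raise IndexError("bit_index beyond signature length")
    sig[byte_i] ^= 1 << bit_i
    rec["rdata"]["signature_bytes"] = bytes(sig)
    return format_rrsig(rec)


def signature_diff_bits(line_a, line_b):
    """Number of differing bits between two RRSIGs' signatures; None if lengths differ."""
    a = parse_rrsig(line_a)["rdata"]["signature_bytes"]
    b = parse_rrsig(line_b)["rdata"]["signature_bytes"]
    if len(a) != len(b):
        return None
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


# Constructed sample record: the signature bytes are a placeholder string,
# not a real RSA/SHA-256 (algorithm 8) signature.
FAKE_SIG = base64.b64encode(
    b"constructed-placeholder-signature-bytes-0123456789").decode("ascii")
SAMPLE_RRSIG = ("broken.example.com. 3600 IN RRSIG A 8 3 3600 "
                "20160205000000 20160106000000 12345 example.com. " + FAKE_SIG)

if __name__ == "__main__":
    print("original :", SAMPLE_RRSIG)
    print("corrupted:", corrupt_signature(SAMPLE_RRSIG, bit_index=7))
```

When loading the corrupted line into the presigned zone, replace the original RRSIG for that RRset rather than adding the broken one next to it: a validator accepts an RRset as soon as any one of its RRSIGs verifies (RFC 4035, section 5.3.3), so a good signature left alongside the bad one would make the test records validate after all. With only the corrupted signature present, a validating resolver will answer SERVFAIL for those names while a non-validating one still returns the records, which is the behaviour the thread set out to provoke.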