[Pdns-users] Setting up intentionally invalid DNSSEC record in auto-secure environment

Michael Loftis mloftis at wgops.com
Wed Jan 6 20:29:12 UTC 2016


On Wed, Jan 6, 2016 at 11:42 AM, Nicholas Williams
<nicholas at nicholaswilliams.net> wrote:
> I'll look into that other script. Thanks, Bert.
>> How about creating a separate sub-zone with a broken presigned DNSSEC
>> You can set presigned for just that single zone using the PRESIGNED domain
>> metadata[1] in your database.
> I really like this idea in combination. That documentation that Pieter sent
> me should help me get set up with presigning. But, Leen, how would I set up
> a subzone delegated to the same authoritative server (or can I, even?)? Can
> you point me to that documentation?

B/C the server is the same you don't necessarily need to set up the
delegation in the zone with records table.  You just need to have it
in the domains table.  That said you *can* totally do a full
delegation.  You just insert NS records into the parent zone records
w/ the parent domain_id, and do SOA+NS/whatever you normally do
(synthetic SOA/generated SOA comes to mind) inside the delegated zone
(child) domain_id...there's no magic to delegations.  You'll have like
2x the NS records for a self delegated zone (as the parent zone will
have the same records with the parent/delegating domain_id).

> Google really hasn't indexed this documentation very well at all...
> Thanks,
> Nick
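
The self-delegation layout described in this reply, as an added example that is not part of the original thread: it builds parent and child zones in one database, marks only the child PRESIGNED, and checks that the parent-side and child-side NS sets agree. The zone names, name servers and SOA values are constructed, the tables are a reduced form of the PowerDNS generic SQL schema, and `build` and `delegation_report` are hypothetical helper names; `auth=0` on the parent-side delegation NS rows follows the PowerDNS DNSSEC rules for a live-signed parent.

```python
import sqlite3
# Reduced form of the PowerDNS generic SQL schema: only the columns used here.
SCHEMA = """
CREATE TABLE domains (id INTEGER PRIMARY KEY, name TEXT UNIQUE, type TEXT);
CREATE TABLE records (id INTEGER PRIMARY KEY, domain_id INT, name TEXT,
                      type TEXT, content TEXT, ttl INT, auth INT DEFAULT 1);
CREATE TABLE domainmetadata (id INTEGER PRIMARY KEY, domain_id INT,
                             kind TEXT, content TEXT);
"""
PARENT, CHILD = "example.com", "broken.example.com"  # constructed zone names
NAMESERVERS = ["ns1.example.com", "ns2.example.com"]  # constructed
SOA = "ns1.example.com hostmaster.example.com 1 10800 3600 604800 3600"

def build(db):
    """Create parent and child zones on one server, child self-delegated."""
    db.executescript(SCHEMA)
    add_zone = "INSERT INTO domains (name, type) VALUES (?, 'NATIVE')"
    pid = db.execute(add_zone, (PARENT,)).lastrowid
    cid = db.execute(add_zone, (CHILD,)).lastrowid
    rows = [(cid, CHILD, "SOA", SOA, 1)]
    for ns in NAMESERVERS:
        rows.append((pid, CHILD, "NS", ns, 0))  # delegation in parent: auth=0
        rows.append((cid, CHILD, "NS", ns, 1))  # apex NS in child: auth=1
    db.executemany("INSERT INTO records (domain_id, name, type, content, ttl, auth)"
                   " VALUES (?, ?, ?, ?, 3600, ?)", rows)
    # Only the child is presigned; its DNSKEY/RRSIG rows also go under cid.
    db.execute("INSERT INTO domainmetadata (domain_id, kind, content)"
               " VALUES (?, 'PRESIGNED', '1')", (cid,))
    return pid, cid

def delegation_report(db, parent=PARENT, child=CHILD):
    """Compare the NS set the parent hands out with the child's apex NS set."""
    def ns_rows(zone):
        return db.execute(
            "SELECT r.content, r.auth FROM records r JOIN domains d"
            " ON d.id = r.domain_id WHERE d.name = ? AND r.name = ?"
            " AND r.type = 'NS'", (zone, child)).fetchall()
    p, c = ns_rows(parent), ns_rows(child)
    presigned = {n for (n,) in db.execute(
        "SELECT d.name FROM domainmetadata m JOIN domains d ON d.id = m.domain_id"
        " WHERE m.kind = 'PRESIGNED' AND m.content = '1'")}
    return {"ns_match": bool(p) and {x[0] for x in p} == {x[0] for x in c},
            "parent_auth_ok": all(a == 0 for _, a in p), "ns_rows": len(p) + len(c),
            "child_auth_ok": all(a == 1 for _, a in c), "presigned": presigned}

if __name__ == "__main__":
    conn = sqlite3.connect(":memory:")
    build(conn)
    print(delegation_report(conn))
```

The `ns_rows` count of 4 is the "2x the NS records" effect mentioned above: each name server appears once under the parent's domain_id and once under the child's.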

