[Pdns-users] Setting up intentionally invalid DNSSEC record in auto-secure environment

Nick Williams nicholas at nicholaswilliams.net
Sat Jan 9 19:41:51 UTC 2016

So, I think I’ve almost got this, but I’m having a problem with the pre-signed zone’s NSEC3 RRSIGs. Here’s what I did:

I already have a live-signed zone (my-zone.com) that works perfectly. A-records come with automatic RRSIGs, SOA record comes with an RRSIG, NS records come with an RRSIG, etc. I added a presigned delegated subzone by:

1. Creating a new domain d7e8ac.test-records.my-zone.com.
2. Running `pdnssec secure-zone d7e8ac.test-records.my-zone.com` and `pdnssec set-nsec3 d7e8ac.test-records.my-zone.com 1 0 3 B45550` so that the keys and NSEC3 params are automatically created for me by PowerDNS.
3. Creating the SOA, NS, and A (namely, good.d7e8ac.test-records.my-zone.com and bad.d7e8ac.test-records.my-zone.com) records I want.
4. Running `pdnssec rectify-zone d7e8ac.test-records.my-zone.com`.
5. Copying down all of the RRSIG records that PowerDNS live-generates.
6. Running `pdnssec set-presigned d7e8ac.test-records.my-zone.com` to disable live-signing.
7. Inserting the RRSIG records that PowerDNS previously created into MySQL.
8. Creating the NS records in my-zone.com for the d7e8ac.test-records.my-zone.com subzone pointing to the same servers.
9. Inserting the DS records in my-zone.com for the d7e8ac.test-records.my-zone.com subzone using the DS records from `pdnssec show-zone`.

I have not yet munged the RRSIG for bad.d7e8ac.test-records.my-zone.com, so it is still correctly signed. In other words, d7e8ac.test-records.my-zone.com should be just like any other pre-signed zone, except it’s a subzone.

So, I ran a thorough analysis of my-zone.com using http://dnsviz.net, just to make sure it hadn’t been affected, and everything checked out perfectly. I can also query any and all records through my verifying recursors and they get returned. And, if I dig the non-existent dne.my-zone.com, I get back NXDOMAIN with NSEC3 and RRSIG records as shown below. It’s all perfect:

my-zone.com.		1800	IN	SOA	dns1.my-zone.com. noc.my-zone.com. 2016010608 10800 3600 604800 1800
my-zone.com.		1800	IN	RRSIG	SOA 8 2 86400 20160121000000 20151231000000 33379 my-zone.com. I2AxpLVafoux...
8jioqnlor5460c8jk6s0uqnlqobfsad1.my-zone.com. 1800 IN NSEC3 1 0 3 D4AF00 9T62A084PPEDCI0UGGCE6O1CBS88UP2G A NS SOA MX TXT RRSIG DNSKEY NSEC3PARAM
8jioqnlor5460c8jk6s0uqnlqobfsad1.my-zone.com. 1800 IN RRSIG NSEC3 8 3 1800 20160121000000 20151231000000 33379 my-zone.com. IOUTkKrHTp...
0dfe8me5brlq9g3ap8itfpiugjajs2is.my-zone.com. 1800 IN NSEC3 1 0 3 D4AF00 7RL9CKFSF6N7NQ3CJ78S9MVLPJB0T9G0 A RRSIG
0dfe8me5brlq9g3ap8itfpiugjajs2is.my-zone.com. 1800 IN RRSIG NSEC3 8 3 1800 20160121000000 20151231000000 33379 my-zone.com. Hbr5ir8PlS+/...
hb7aqcuebqfhou10qfsgcbu83no1plbb.my-zone.com. 1800 IN NSEC3 1 0 3 D4AF00 O7EF2SKIOJJKFASIIMVQGHUO03I2BNP5
hb7aqcuebqfhou10qfsgcbu83no1plbb.my-zone.com. 1800 IN RRSIG NSEC3 8 3 1800 20160121000000 20151231000000 33379 my-zone.com. EljCuzDzUA…

I then ran a thorough analysis of d7e8ac.test-records.my-zone.com using the same website and MOST things turned out perfectly. The NS, SOA, and A records all check out. However, I couldn’t query them through my verifying recursors: I get NXDOMAIN every time. (I could query through my verifying recursors before setting the zone to presigned.) That’s what led me to check the non-existent dne.d7e8ac.test-records.my-zone.com. And that revealed the problem. The documentation says presigned zones should NOT include NSEC3 records or their RRSIGs, because PowerDNS still automatically generates NSEC3 records and their RRSIGs for presigned zones. But it’s not. It’s only returning the NSEC3 records, unsigned:

d7e8ac.test-records.my-zone.com. 1800 IN SOA	dns1.my-zone.com. noc.my-zone.com. 2016010701 10800 3600 604800 1800
d7e8ac.test-records.my-zone.com. 1800 IN RRSIG SOA 8 4 86400 20160121000000 20151231000000 34311 d7e8ac.test-records.my-zone.com. fJYArsO2S...
prhpl89qu0ncp23b3qhr10citsu7gs2n.d7e8ac.test-records.my-zone.com. 1800 IN NSEC3 1 0 3 B45550 H09M6KE4HUPDK9Q1NMF53UTSDBFDIIIC NS SOA RRSIG DNSKEY NSEC3PARAM
h09m6ke4hupdk9q1nmf53utsdbfdiiic.d7e8ac.test-records.my-zone.com. 1800 IN NSEC3 1 0 3 B45550 OV9D2N9BPO4FQVELB9H5O3SGSN329H1U A RRSIG

I can’t think of anything I missed. And, clearly, PowerDNS is correctly generating NSEC3 records. But it’s not signing those records.

Any insights as to what might be wrong?



> On Jan 6, 2016, at 2:38 PM, leen at consolejunkie.net wrote:
> On 2016-01-06 20:42, Nicholas Williams wrote:
>> I'll look into that other script. Thanks, Bert.
>>>  How about creating a separate sub-zone with a broken presigned
>>>  You can set presigned for just that single zone using the
>> PRESIGNED domain metadata[1] in your database.
>> I really like this idea in combination. That documentation that Pieter
>> sent me should help me get set up with presigning. But, Leen, how
>> would I set up a subzone delegated to the same authoritative server
>> (or can I, even?)? Can you point me to that documentation?
> It's just a domain & delegation like any other (this is the same thing the TLD does for you):
> Just have both a autosigned-domain.tld and presigned-subzone.autosigned-domain.tld in the domains-table like any normal domain.
> Both domains should have NS and SOA records in the records table like any normal domain.
> Then create the delegation in the autosigned-domain.tld domain by adding the NS-records pointing to the presigned-subzone.autosigned-domain.tld
> Domain_id: autosigned-domain.tld ; name: presigned-subzone.autosigned-domain.tld ; type: NS ; content: ns1.autosigned-domain.tld
> Domain_id: autosigned-domain.tld ; name: presigned-subzone.autosigned-domain.tld ; type: NS ; content: ns2.autosigned-domain.tld
> Now because it's DNSSEC you need to make it secure.
> Assuming you want to sign the sub-zone for testing:
> pdnssec secure-zone presigned-subzone.autosigned-domain.tld
> Then you can grab the DS-record which then needs to be added to the parent zone:
> pdnssec show-zone presigned-subzone.autosigned-domain.tld
> To know what the DS-record is.
> Add the DNSSEC DS-record for presigned-subzone.autosigned-domain.tld in the autosigned-domain.tld domain.
> domain_id: autosigned-domain.tld; name: presigned-subzone.autosigned-domain.tld	; type: DS	; content: '5725 8 2 512fa6fe4d1f9ba974832e3456c4769db6c16ca1...'
> Hope that makes it clear.
> You should now be able to look up a DNSSEC-signed record for the presigned-subzone.autosigned-domain.tld for example the SOA-record.
> Have a good day,
> Leen.
>> Google really hasn't indexed this documentation very well at all...
>> Thanks,
>> Nick
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> http://mailman.powerdns.com/mailman/listinfo/pdns-users
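The check Nick did by eye above (spotting that the NSEC3 RRsets in the subzone's NXDOMAIN response come back without RRSIGs, while every RRset in the parent's response has one) can be automated over dig-style output. The following is an added example, not code from the post or from PowerDNS: it parses presentation-format RR lines, groups them into RRsets by owner and type, and reports every RRset with no covering RRSIG. Per RFC 4035 section 5.3.1 an RRSIG only covers an RRset if its Labels field is not larger than the owner's label count, so that is checked as well. The two embedded inputs are constructed from the records quoted in the post, with the signature data truncated exactly as shown there.

```python
"""Report RRsets in a dig-style DNSSEC response that lack a covering RRSIG."""

# Constructed sample input, copied from the two responses quoted in the post
# (signature fields truncated as they were there). Not live DNS data.
SIGNED_PARENT = """\
my-zone.com. 1800 IN SOA dns1.my-zone.com. noc.my-zone.com. 2016010608 10800 3600 604800 1800
my-zone.com. 1800 IN RRSIG SOA 8 2 86400 20160121000000 20151231000000 33379 my-zone.com. I2AxpLVafoux...
8jioqnlor5460c8jk6s0uqnlqobfsad1.my-zone.com. 1800 IN NSEC3 1 0 3 D4AF00 9T62A084PPEDCI0UGGCE6O1CBS88UP2G A NS SOA MX TXT RRSIG DNSKEY NSEC3PARAM
8jioqnlor5460c8jk6s0uqnlqobfsad1.my-zone.com. 1800 IN RRSIG NSEC3 8 3 1800 20160121000000 20151231000000 33379 my-zone.com. IOUTkKrHTp...
"""

UNSIGNED_SUBZONE = """\
d7e8ac.test-records.my-zone.com. 1800 IN SOA dns1.my-zone.com. noc.my-zone.com. 2016010701 10800 3600 604800 1800
d7e8ac.test-records.my-zone.com. 1800 IN RRSIG SOA 8 4 86400 20160121000000 20151231000000 34311 d7e8ac.test-records.my-zone.com. fJYArsO2S...
prhpl89qu0ncp23b3qhr10citsu7gs2n.d7e8ac.test-records.my-zone.com. 1800 IN NSEC3 1 0 3 B45550 H09M6KE4HUPDK9Q1NMF53UTSDBFDIIIC NS SOA RRSIG DNSKEY NSEC3PARAM
h09m6ke4hupdk9q1nmf53utsdbfdiiic.d7e8ac.test-records.my-zone.com. 1800 IN NSEC3 1 0 3 B45550 OV9D2N9BPO4FQVELB9H5O3SGSN329H1U A RRSIG
"""


def parse_rrs(text):
    """Parse 'owner ttl class type rdata...' lines into (owner, type, rdata) tuples.

    Only the one-record-per-line layout that dig prints is handled; blank
    lines and ';' comment lines are skipped. Owner names are lower-cased
    because DNS names compare case-insensitively.
    """
    rrs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        owner, _ttl, _cls, rtype = fields[:4]
        rrs.append((owner.lower(), rtype.upper(), fields[4:]))
    return rrs


def label_count(owner):
    """Number of labels in an owner name, not counting a leading '*' (RFC 4034 3.1.3)."""
    labels = [lbl for lbl in owner.rstrip(".").split(".") if lbl]
    return len([lbl for lbl in labels if lbl != "*"])


def find_unsigned_rrsets(text):
    """Return sorted (owner, type) pairs that no RRSIG in the response covers.

    An RRSIG covers the RRset named by (its owner, its Type Covered field)
    only if its Labels field does not exceed the owner's label count; a
    smaller value means the signature was made over a wildcard, which is
    still valid coverage. RRSIG RRsets are never themselves signed, so they
    are not reported.
    """
    rrsets = set()
    covered = set()
    for owner, rtype, rdata in parse_rrs(text):
        if rtype == "RRSIG":
            type_covered = rdata[0].upper()
            labels = int(rdata[2])
            if labels <= label_count(owner):
                covered.add((owner, type_covered))
            continue
        rrsets.add((owner, rtype))
    return sorted(rrsets - covered)


if __name__ == "__main__":
    for title, sample in (("parent zone", SIGNED_PARENT), ("presigned subzone", UNSIGNED_SUBZONE)):
        missing = find_unsigned_rrsets(sample)
        print(f"{title}: {len(missing)} unsigned RRset(s)")
        for owner, rtype in missing:
            print(f"  {owner} {rtype}")
```

On the post's data this reports nothing for my-zone.com and exactly the two NSEC3 RRsets for the subzone, which is the condition a validating resolver rejects: an NXDOMAIN without signed NSEC3 proof cannot be validated, whatever the rest of the zone looks like. To use it against a live server, feed it the output of `dig +dnssec +norecurse @<server> <nonexistent-name>` rather than the embedded samples.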
