[Pdns-users] Setting up intentionally invalid DNSSEC record in auto-secure environment

Pieter Lexis pieter.lexis at powerdns.com
Sat Jan 9 20:22:59 UTC 2016

Hi William,

On Sat, 9 Jan 2016 13:41:51 -0600
Nick Williams <nicholas at nicholaswilliams.net> wrote:

> I can’t think of anything I missed. And, clearly, PowerDNS is
> correctly generating NSEC3 records. But it’s not signing those
> records.

This is because the zone is presigned: PowerDNS cannot generate the
signatures on the NSEC records, as it assumes the NSEC records and
RRSIGs are in place (as presigned zones most likely don't have the key
material online). This is the case when e.g. a zone is slaved or signed
using OpenDNSSEC.

Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com
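
An added example, not part of the original message and not PowerDNS code: the symptom discussed in this thread (NSEC3 records served without RRSIGs) can be spotted by scanning the record lines of a `dig +dnssec` response for RRsets that have no covering RRSIG. The record text below is constructed, with shortened hash labels and a placeholder signature, and the function names are hypothetical.

```python
# Added example: list RRsets in dig-style output that lack a covering RRSIG.
# SAMPLE is constructed: hash labels are shortened, signature data is a placeholder.
SAMPLE = """\
;; AUTHORITY SECTION:
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 1 10800 3600 604800 3600
example.com. 3600 IN RRSIG SOA 8 2 3600 20160121000000 20160107000000 12345 example.com. UExBQ0VIT0xERVI=
0p9mhave.example.com. 3600 IN NSEC3 1 0 1 ab 2t7b4g4v A RRSIG
2t7b4g4v.example.com. 3600 IN NSEC3 1 0 1 ab 0p9mhave NS SOA RRSIG DNSKEY NSEC3PARAM
"""


def parse_rr(line):
    """Split 'owner ttl class type rdata...' into (owner, type, rdata fields)."""
    if line.lstrip().startswith(";"):
        return None  # dig comment or section header
    fields = line.split()
    if len(fields) < 5:
        return None  # blank or truncated line
    # DNS names compare case-insensitively, so normalise the owner name.
    return fields[0].lower(), fields[3].upper(), fields[4:]


def unsigned_rrsets(text):
    """Return sorted (owner, type) pairs that have no RRSIG covering them."""
    present, covered = set(), set()
    for line in text.splitlines():
        rr = parse_rr(line)
        if rr is None:
            continue
        owner, rtype, rdata = rr
        if rtype == "RRSIG":
            # The first RRSIG rdata field is the type the signature covers.
            covered.add((owner, rdata[0].upper()))
        else:
            present.add((owner, rtype))
    return sorted(present - covered)


if __name__ == "__main__":
    for owner, rtype in unsigned_rrsets(SAMPLE):
        print(f"no RRSIG for {rtype} at {owner}")
```

The check only works on output requested with the DO bit set (`dig +dnssec`); without it no RRSIGs are returned and every RRset is reported.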
