[Pdns-users] Setting up intentionally invalid DNSSEC record in auto-secure environment

Nicholas Williams nicholas at nicholaswilliams.net
Sat Jan 9 20:48:12 UTC 2016



Sent from my iPhone, so please forgive brief replies and frequent typos

> On Jan 9, 2016, at 14:22, Pieter Lexis <pieter.lexis at powerdns.com> wrote:
> 
> Hi William,
> 
> On Sat, 9 Jan 2016 13:41:51 -0600
> Nick Williams <nicholas at nicholaswilliams.net> wrote:
> 
>> I can’t think of anything I missed. And, clearly, PowerDNS is
>> correctly generating NSEC3 records. But it’s not signing those
>> records.
> 
> This is because the zone is presigned: PowerDNS cannot generate the
> signatures on the NSEC records, as it assumes the NSEC records and
> RRSIGs are in place (as presigned zones most likely don't have the key
> material online). This is the case when e.g. a zone is slaved or signed
> using opendnssec.

But the documentation says the opposite. It says NOT to create NSEC(3) records (in fact, zone2sql intentionally ignores them, even for presigned zones), because (again, it says) PowerDNS generates them automatically, even for presigned zones. It also says that manually inserting NSEC3 records could cause errors. So the documentation makes clear that, on presigned zones, it is still the authority. Indeed, PowerDNS IS generating the NSEC3 records (as I showed), just not signing them.

How could I possibly presign records that PowerDNS generates? I can't. So why does PowerDNS prohibit me from creating NSEC3 records, generate them for me, but not sign them?

That is, at best, poor design. But I'm confident it's a bug or I've configured something incorrectly.

If I'm doing this correctly, it doesn't appear possible to host a presigned zone with PowerDNS.

Thanks,

Nick
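The check a practitioner in this situation would want is a quick way to confirm the symptom described above: which RRsets in the served zone carry no RRSIG at all, and the NSEC3 owner names in particular. The following is an added example, not code from the thread or from PowerDNS. It parses records in presentation format (the text form a zone file or a zone transfer dump uses) and reports every (owner, type) pair that has no RRSIG whose "type covered" field matches. The sample zone text, hashed owner names and signature data are constructed for illustration.

```python
"""Report RRsets in a DNSSEC-signed zone that have no covering RRSIG.

Added example (not PowerDNS code). Input is presentation-format RRs, one per
line, e.g. a zone file or the text output of a zone transfer. The check is
purely syntactic: it does not validate signatures, it only finds RRsets that
no RRSIG claims to cover, which is exactly the "NSEC3 generated but unsigned"
condition discussed in the thread.
"""

# Constructed sample zone: SOA, NSEC3PARAM and one NSEC3 are signed,
# the second NSEC3 is not. Hashes and the base64 signature are made up.
SAMPLE_ZONE = """\
; apex
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2016010901 7200 900 1209600 3600
example.com. 3600 IN RRSIG SOA 8 2 3600 20160209000000 20160109000000 12345 example.com. bm90YXJlYWxzaWduYXR1cmU=
example.com. 0 IN NSEC3PARAM 1 0 1 ab
example.com. 0 IN RRSIG NSEC3PARAM 8 2 0 20160209000000 20160109000000 12345 example.com. bm90YXJlYWxzaWduYXR1cmU=
; NSEC3 chain
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example.com. 3600 IN NSEC3 1 0 1 ab 2t7b4g4vsa5smi47k61mv5bv1a22bojr NS SOA RRSIG DNSKEY NSEC3PARAM
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example.com. 3600 IN RRSIG NSEC3 8 3 3600 20160209000000 20160109000000 12345 example.com. bm90YXJlYWxzaWduYXR1cmU=
2t7b4g4vsa5smi47k61mv5bv1a22bojr.example.com. 3600 IN NSEC3 1 0 1 ab 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom A RRSIG
"""

CLASSES = ("IN", "CH", "HS")


def parse_rr(line):
    """Return (owner, rrtype, rdata_tokens) for one presentation-format RR.

    Comments (after ';') and blank lines yield None. TTL and class are both
    optional in presentation format, so whichever of them is present after
    the owner name is skipped before the type field is read.
    """
    line = line.split(";", 1)[0].strip()
    if not line:
        return None
    tokens = line.split()
    owner = tokens[0].lower()
    i = 1
    while i < len(tokens) and (tokens[i].isdigit() or tokens[i].upper() in CLASSES):
        i += 1
    if i >= len(tokens):
        return None
    return owner, tokens[i].upper(), tokens[i + 1:]


def unsigned_rrsets(zone_text):
    """Return sorted (owner, type) pairs that no RRSIG in the zone covers.

    An RRSIG's first rdata field is the type it covers, so an RRset
    (owner, TYPE) counts as signed when an RRSIG at the same owner lists TYPE.
    """
    rrsets = set()
    covered = set()
    for line in zone_text.splitlines():
        rr = parse_rr(line)
        if rr is None:
            continue
        owner, rrtype, rdata = rr
        if rrtype == "RRSIG":
            if rdata:
                covered.add((owner, rdata[0].upper()))
        else:
            rrsets.add((owner, rrtype))
    return sorted(rrsets - covered)


def unsigned_nsec3_owners(zone_text):
    """Return the NSEC3 owner names with no RRSIG covering NSEC3 (the thread's symptom)."""
    return [owner for owner, rrtype in unsigned_rrsets(zone_text) if rrtype == "NSEC3"]


if __name__ == "__main__":
    for owner, rrtype in unsigned_rrsets(SAMPLE_ZONE):
        print(f"unsigned RRset: {owner} {rrtype}")
    print("NSEC3 without RRSIG:", unsigned_nsec3_owners(SAMPLE_ZONE))
```

Run it against a text dump of the zone as actually served (a zone transfer with DNSSEC records, for instance) rather than against the source data: the point of the thread is that the server adds the NSEC3 records itself, so only the served answers show whether they came out signed.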
