[Pdns-users] Setting up intentionally invalid DNSSEC record in auto-secure environment

Pieter Lexis pieter.lexis at powerdns.com
Sat Jan 9 21:28:33 UTC 2016

Hi Nick,

On Sat, 9 Jan 2016 14:48:12 -0600
Nicholas Williams <nicholas at nicholaswilliams.net> wrote:

> But the documentation says the opposite. It says NOT to create
> NSEC(3) records (in fact, zone2sql intentionally ignores them, even
> for presigned zones), because (again, it says) PowerDNS generates
> then automatically, even for presigned zones. It also says that
> manually inserting NSEC3 records could cause errors. So the
> documentation makes clear that, on presigned zones, it is still the
> authority. Indeed, PowerDNS IS generating the NSEC3 records (as I
> showed), just not signing them.

This is indeed the way this works. As the NXDOMAIN generation code
works as it should, the design choice was made to 'just' generate NSECs
on the fly. The signatures still have to be provided in the presigned

> How could I possibly presign records that PowerDNS generates? I
> can't. So why does PowerDNS prohibit me creating NSEC3 records,
> generate them for me, but not sign them?

This is because pre-signed zones (from e.g. opendnssec, ldns-signzone
or slaved from a master) contain the RRSIGs to the negative answers.

> That is, at best, poor design. But I'm confident it's a bug or I've
> configured something incorrectly. 

I agree this is and 'interesting' design choice made back in the day.
In normal operation (using other tools to generate DNSSEC records or
slaving the zone) this will never come up.

I agree that the docs are not very verbose on how presigned zone work,
we'll fix this in the coming weeks.

Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com

More information about the Pdns-users mailing list