[Pdns-users] Forward queries for non-existent records to hidden master (NSEC3 narrow)

Peter Thomassen peter at desec.io
Fri Sep 9 01:39:13 UTC 2016

Hi all,

I would like to set up frontend nameservers in various locations which
have copies of my zone files (i.e., slaves). I would like the zones to
be pre-signed, but use NSEC3 in narrow mode at the same time.

NSEC3 narrow requires live signing of replies. However, I would like to
avoid having the key material on the frontend nameservers. Instead, my
favorite setup would be to have the slaves answer questions for existing
records directly (including RRSIG), and forward questions for
non-existing records to a hidden master, which returns live-signed NSEC3
records (narrow).

If this worked, the frontend nameservers could be in various locations,
providing fast replies for existing records, whereas the keys would be
in one location only. There would be a small added latency for NSEC3
replies, depending on the location of the frontend server involved, but
I'd be fine with that.

I already tried to achieve this with a pdns master/slave setup as well
as with an auth+recursor setup (making use of auth-zones in the recursor
configuration), but did not succeed.

Is it possible at all? (Can it be done using the rules capabilities in

Thanks a lot,

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20160908/4be21e1c/attachment.sig>

More information about the Pdns-users mailing list