[Pdns-users] Serve presigned auth-zones with pdns-recursor

Pieter Lexis pieter.lexis at powerdns.com
Fri Sep 9 10:00:06 UTC 2016


On Thu, 8 Sep 2016 22:32:05 -0300
Peter Thomassen <peter at desec.io> wrote:

> I set up the recursor (4.0.3) with a separate zone file that I
> declared authoritative using the auth-zones directive. The zone file
> contains DNSSEC signatures.
> However, when querying the recursor using dig +dnssec, only the
> requested record types (e.g. A) are returned, but not the RRSIG records
> (although they can be requested manually).
> Is this intended?
> I am aware that there would be complications in narrow NSEC3 mode when
> non-existent records are queried, but with regular NSEC3, everything
> needed can be extracted from the zone file itself (it has an NSEC3PARAM
> record).

DNSSEC-signed zones in the recursor are not supported. We are not even sure that this will be supported in the future, as there is no way (apart from reloading the zones) to e.g. update the signatures. We also don't want to turn the recursor into a 'full-fledged' authoritative server. Can you share (in a GitHub issue) what the master plan behind this kind of configuration is?

Best regards,


Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com
