[Pdns-users] Serve presigned auth-zones with pdns-recursor

[Peter Thomassen]

Hi Pieter,

On 09/09/2016 07:00 AM, Pieter Lexis wrote:
>> I set up a the recursor (4.0.3) with a separate zone file that I
>> declared authoritative using the auth-zones directive. The zone file
>> contains DNSSEC signatures.
>>
>> However, when querying the recursor using dig +dnssec, only the
>> requested record types (e.g. A) are returned, but not the RRSIG records
>> (although they can be requested manually).
>>
>> Is this intended?
>>
>> I am aware that there would be complications in narrow NSEC3 mode when
>> non-existent records are queried, but with regular NSEC3, everything
>> needed can be extracted from the zone file itself (it has an NSEC3PARAM
>> record).
> 
> DNSSEC signed zones in the recursor are not supported. We are not even sure that this will be supported in the future. As there is no way (apart from reloading the zones) to e.g. update the signatures. We also don't want to turn the recursor into a 'full-fledged' authoritative server. Can you share (in a GitHub issue) what the masterplan behind this kind of configuration is?

I just noticed this when playing around with the auth-zones feature of
the recursor. This doesn't have a solid justified use case, so I don't
think it's worth a GitHub issue.

However, the current state of the documentation suggests that this is
supported (dnssec=process-no-validate: "will provide DNSSEC related
RRsets (NSEC, RRSIG) to clients that ask for them", together with
auth-zones: "Zones read from these files (in BIND format) are served
authoritatively"). I will submit a pull request to improve the
documentation.

Best,
Peter

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20160909/3ef85b5a/attachment-0001.sig>