[Pdns-users] Problem with DNSSEC from bind to powerdns

Gert van Dijk gertvdijk+pdns-users at gmail.com
Thu Apr 18 08:42:40 UTC 2019

On Thu, Apr 18, 2019 at 10:24 AM abubin <abubin at gmail.com> wrote:

> I have just installed pdns and pdns-recursor on a server in secondary
> site. The primary site is using CentOS 7 bind to host private DNS.
> I am trying to create a forwarding DNS from bind to pdns in primary site.
> For example, when I query the primary DNS (, it will forward
> certain domains to secondary DNS.
> The zone file for bind has this:
> zone "myown.com" IN {
>         type forward;
>         forward only;
>         forwarders {; };
> };
> However, due to DNSSEC it is not resolving the zone. It will work if I
> disable DNSSEC in bind. I have already enabled DNSSEC for myown.com in
> pdns but it is still giving an error from bind.
> Apr 18 16:15:50 kdns named[25128]: validating www.myown.com/A: no valid
> signature found
> Apr 18 16:15:50 kdns named[25128]: validating www.myown.com/A: bad cache
> hit (www.myown.com/DS)
> Apr 18 16:15:50 kdns named[25128]: broken trust chain resolving '
> www.myown.com/A/IN':
I don't know BIND so much, but it seems to me that it cannot find the DS
records (or they don't match) on the parent zone (e.g. .com). Did you
publish the DS records to your registry (`pdnsutil show-zone [ZONE]` shows
the record(s) you should publish with them)? I am not able to check this,
as you seem to redact the actual names here.
You may also want to check whether DNSSEC validates apart from BIND
altogether. Use tools like `dig` or use online tools like dnsviz.

Also, why do you actually want to *forward* those queries from a primary site?
Perhaps I'm missing out on something on what you're trying to achieve in a
broader view, but as far as I understand I would suggest making the
primary site a secondary for that domain in PowerDNS and transfer it (AXFR,
presigned if you need DNSSEC) directly from the PowerDNS Authoritative
server; you won't even need a PowerDNS recursor then. Is that BIND on your
primary site an authoritative server for some other domains, a recursor or

If your situation is that you don't actually want to run DNSSEC on that
forwarded domain, then you need to configure an NTA as Brian Candler
pointed out. That is because the information in the .com parent zone
conflicts with the situation on your system (either the domain
does not exist there or it is present, but signed with a different key).
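
As an added example (not part of the thread), this is the check Gert describes done by hand: compute the DS digest (RFC 4034) for each DNSKEY the child zone serves and compare it with the DS set the parent publishes. All keys and names below are constructed placeholders, not real myown.com data.

```python
"""Compare a child zone's DNSKEY set with the DS records in the parent.

A DS record is the digest of (owner name in wire format + DNSKEY RDATA). If the
parent carries a DS for which no served DNSKEY exists, validators report a
broken trust chain, as BIND does in the thread.
"""
import base64
import hashlib
import struct

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def owner_wire(name):
    """Canonical wire format of an owner name: lowercase labels, root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags(2 bytes) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 appendix B (valid for all algorithms except 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_for_dnskey(owner, rdata, digest_type):
    """(key tag, algorithm, digest type, hex digest) the parent should publish."""
    digest = DIGEST_ALGS[digest_type](owner_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], digest_type, digest)


def chain_status(owner, dnskeys, published_ds):
    """Split the parent's DS set into records that match a served DNSKEY and stale ones."""
    expected = {ds_for_dnskey(owner, k, dt) for k in dnskeys for dt in DIGEST_ALGS}
    matched = [ds for ds in published_ds if ds in expected]
    stale = [ds for ds in published_ds if ds not in expected]
    return matched, stale


if __name__ == "__main__":
    # Constructed scenario: the zone now serves KEY_NEW (flags 257 = KSK/SEP),
    # but the parent still publishes the DS of KEY_OLD.
    KEY_OLD = dnskey_rdata(257, 3, 8, "AQIDBA==")
    KEY_NEW = dnskey_rdata(257, 3, 8, "BQYHCA==")
    parent_ds = [ds_for_dnskey("myown.com.", KEY_OLD, 2)]
    matched, stale = chain_status("myown.com.", [KEY_NEW], parent_ds)
    print("matching DS:", matched)
    print("DS with no serving DNSKEY (replace at the registry):", stale)
```

In practice the DNSKEY set comes from `pdnsutil show-zone` or `dig DNSKEY` against the authoritative server and the DS set from `dig DS` against the parent; any entry in the stale list is what makes the validator fail.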
