[Pdns-users] Problem with DNSSEC from bind to powerdns

Gert van Dijk gertvdijk+pdns-users at gmail.com
Thu Apr 18 09:29:56 UTC 2019


On Thu, Apr 18, 2019 at 11:18 AM abubin <abubin at gmail.com> wrote:

> I have looked into Bind's negative trust anchor implementation. Seems like
> in Bind, this option cannot be specified to more than 1 week. After 1 week
> the negative trust will be removed.
>

The content you quote yourself seems to indicate otherwise:

> The -force overrides this behavior and forces an NTA to persist for its
> entire lifetime, regardless of whether data could be validated if the NTA
> were not present.

> Is there a "correct" way of implementing this "trust" between the servers?
> DNSSEC keys sharing or something?
>

DNSSEC is not a trust between servers. It's a whole chain of signatures,
from every zone delegation down to the RRSIGs on the record sets. DNS is a
public system, not something like shared secrets to provide trust.

In fact, what you were trying to do is violating DNSSEC; the .com parent
zone provides a signed response about your mydomain.com zone (e.g. does
not exist or DS records etc.), which does not correspond with what BIND is
seeing (the domain does exist, or the DNSKEY hash does not match the DS
record from the parent). The NTA works around that part and basically
disables DNSSEC from that point of delegation.

Please note that with an NTA, your validating clients also don't see an
authenticated response from the recursor for a domain under the NTA. Specific
example: OpenSSH and SSHFP records - clients will see DNS responses without
the AD bit flag set and ignore them.

HTH
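The delegation check Gert describes (the parent's DS must match a hash of the child's DNSKEY, otherwise the zone is bogus and BIND SERVFAILs unless an NTA hides it) can be reproduced offline. The following is an added example, not code from this thread, from BIND or from PowerDNS; it is a pure-stdlib implementation of the DS digest (RFC 4034 section 5.1.4) and key tag (RFC 4034 Appendix B). The owner name mydomain.com is taken from the thread; the key bytes are constructed placeholders, not a real key.

```python
"""Recompute a child zone's DS from its DNSKEY and compare it with the parent's DS.

Pure-stdlib implementation of RFC 4034 s5.1.4 (DS digest) and Appendix B
(key tag); no network, no dnspython.  All key material below is constructed.
"""
import hashlib
import struct

ZONE_KEY_FLAG = 0x0100   # RFC 4034 s2.1.1: bit 7 set means "zone key"
DS_DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case, uncompressed) wire form of an owner name, RFC 4034 s6.2."""
    out = bytearray()
    for label in name.rstrip(".").lower().split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B.1 key tag (valid for every algorithm except 1/RSAMD5)."""
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet if i & 1 else octet << 8   # even index = high byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """Return (key_tag, algorithm, digest_type, digest_hex): the DS RDATA the parent
    zone would publish for this DNSKEY.  digest = H(owner_wire || DNSKEY_RDATA)."""
    h = DS_DIGEST_ALGS[digest_type]()
    h.update(name_to_wire(owner))
    h.update(rdata)
    return (key_tag(rdata), rdata[3], digest_type, h.hexdigest())


def secure_entry_point(owner: str, parent_ds_set, child_dnskeys) -> bool:
    """The check a validator does at a delegation: does some DS published by the
    parent authenticate some zone key in the child's DNSKEY RRset?  False is the
    'bogus' outcome that makes the recursor SERVFAIL (or that an NTA papers over)."""
    for rdata in child_dnskeys:
        flags = struct.unpack("!H", rdata[:2])[0]
        if not flags & ZONE_KEY_FLAG:
            continue
        for ds in parent_ds_set:
            if make_ds(owner, rdata, ds[2]) == ds:
                return True
    return False


# --- constructed demo: an ECDSAP256SHA256 (alg 13) KSK for mydomain.com ---
OWNER = "mydomain.com."
# not a real key: 64 deterministic bytes standing in for the P-256 point (x||y)
KSK_PUBKEY = hashlib.sha512(b"constructed example KSK").digest()
KSK_RDATA = dnskey_rdata(257, 3, 13, KSK_PUBKEY)        # 257 = zone key + SEP
PARENT_DS = [make_ds(OWNER, KSK_RDATA, 2)]                 # what .com would publish

# a key rolled in the child without updating the parent: same owner, new key
ROLLED_PUBKEY = hashlib.sha512(b"constructed rolled KSK").digest()
ROLLED_RDATA = dnskey_rdata(257, 3, 13, ROLLED_PUBKEY)


def demo_matching() -> bool:
    """Parent DS and child DNSKEY agree: chain of trust continues."""
    return secure_entry_point(OWNER, PARENT_DS, [KSK_RDATA])


def demo_stale_parent_ds() -> bool:
    """Child serves a new KSK but the parent still has the old DS: bogus."""
    return secure_entry_point(OWNER, PARENT_DS, [ROLLED_RDATA])


if __name__ == "__main__":
    tag, alg, dt, digest = PARENT_DS[0]
    print(f"{OWNER} IN DS {tag} {alg} {dt} {digest}")
    print("parent DS matches child DNSKEY :", demo_matching())
    print("after unpublished key roll     :", demo_stale_parent_ds())
```

The second case is the situation in the thread: the parent's signed DS (or signed proof of no DS) does not correspond to what the child actually serves, so a validator has no secure entry point into the zone. The fix is to publish the DS that matches the served DNSKEY at the registrar, not to add an NTA, which just turns validation off for that delegation and strips the AD bit from every answer below it.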

