[Pdns-users] Problem with DNSSEC from bind to powerdns

abubin abubin at gmail.com
Thu Apr 18 10:30:53 UTC 2019


I am sorry as I am very new at this. FYI, both the DNS servers are PRIVATE.
The domains they are hosting do not get published to the internet. It is
mainly only for internal usage. The link between them is a leased line. I
have no problem querying from the secondary site (running pdns) to the primary.
However, somehow the primary (running BIND) has a problem querying the secondary,
and the problem is a DNSSEC trust issue.

Take note also that they are not running as primary DNS and secondary DNS
servers. They are both independent of each other; each is its own
authoritative DNS server.

Sorry, but how do I publish the DS zone created in the secondary into the primary?

I think that, alternatively, I might need to run them as primary and secondary DNS.


On Thu, Apr 18, 2019 at 4:42 PM Gert van Dijk <
gertvdijk+pdns-users at gmail.com> wrote:

> On Thu, Apr 18, 2019 at 10:24 AM abubin <abubin at gmail.com> wrote:
>> I have just installed pdns and pdns-recursor on a server in secondary
>> site. The primary site is using CentOS 7 bind to host private DNS.
>> I am trying to create a forwarding DNS from bind to pdns in primary site.
>> For example, when I query the primary DNS (, it will forward
>> certain domains to secondary DNS.
>> The zone file for bind has this:
>> zone "myown.com" IN {
>>         type forward;
>>         forward only;
>>         forwarders {; };
>> };
>> However, due to DNSSEC it is not resolving the zone. It will work if I
>> disable DNSSEC in bind. I have already enabled DNSSEC for myown.com in
>> pdns, but it is still giving an error from bind.
>> Apr 18 16:15:50 kdns named[25128]: validating www.myown.com/A: no valid
>> signature found
>> Apr 18 16:15:50 kdns named[25128]: validating www.myown.com/A: bad cache
>> hit (www.myown.com/DS)
>> Apr 18 16:15:50 kdns named[25128]: broken trust chain resolving '
>> www.myown.com/A/IN':
> I don't know BIND so much, but it seems to me that it cannot find the DS
> records (or they don't match) on the parent zone (e.g. .com). Did you
> publish the DS records to your registry (`pdnsutil show-zone [ZONE]` shows
> the record(s) you should publish with them)? I am not able to check this,
> as you seem to redact the actual names here.
> You may also want to check whether DNSSEC validates apart from BIND
> altogether. Use tools like `dig` or use online tools like dnsviz.
> Also, why do you actually want to *forward* those queries from a primary
> site? Perhaps I'm missing something about what you're trying to achieve
> in a broader view, but as far as I understand it, I would suggest making the
> primary site a secondary for that domain in PowerDNS and transferring it (AXFR,
> presigned if you need DNSSEC) directly from the PowerDNS Authoritative
> server; you won't even need a PowerDNS recursor then. Is that BIND on your
> primary site an authoritative server for some other domains, a recursor, or
> both?
> If your situation is that you don't actually want to run DNSSEC on that
> forwarded domain, then you need to configure an NTA, as Brian Candler
> pointed out. That is because the information in the .com parent zone
> conflicts with the situation on your system (either the domain
> does not exist there, or it is present but signed with a different key).
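As an added check, not code from this thread or from PowerDNS or BIND: the script below derives the DS record from a DNSKEY the way `pdnsutil show-zone` does (RFC 4034 key tag plus SHA-256 digest over the owner name and DNSKEY RDATA) and reports any parent DS record that no DNSKEY the child serves can produce, which is the mismatch behind the "broken trust chain" error above. The zone name and key bytes are constructed placeholders standing in for the redacted domain.

```python
import base64
import hashlib

# Constructed sample: a KSK (flags 257) using algorithm 13 (ECDSAP256SHA256),
# with 64 dummy key bytes (0x01 repeated). The DS arithmetic does not need a
# real key, so this is enough to exercise the check offline.
ZONE = "myown.com."
DNSKEY = {"flags": 257, "protocol": 3, "algorithm": 13,
          "public_key": base64.b64encode(bytes([1] * 64)).decode()}


def name_to_wire(name):
    """Encode a dotted owner name in canonical (lower-case) wire format."""
    wire = b""
    for label in name.lower().rstrip(".").split("."):
        wire += bytes([len(label)]) + label.encode()
    return wire + b"\x00"


def dnskey_rdata(key):
    """Serialise DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | key."""
    return (key["flags"].to_bytes(2, "big")
            + bytes([key["protocol"], key["algorithm"]])
            + base64.b64decode(key["public_key"]))


def key_tag(key):
    """Key tag per RFC 4034 Appendix B (ones-complement style 16-bit sum)."""
    acc = 0
    for i, b in enumerate(dnskey_rdata(key)):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(zone, key):
    """DS record (digest type 2, SHA-256) the parent zone must publish."""
    digest = hashlib.sha256(name_to_wire(zone) + dnskey_rdata(key)).hexdigest()
    return {"key_tag": key_tag(key), "algorithm": key["algorithm"],
            "digest_type": 2, "digest": digest.upper()}


def unmatched_ds(zone, parent_ds_records, child_dnskeys):
    """Parent DS records that match none of the child's DNSKEYs.

    A non-empty result means a validating resolver such as BIND will reject
    the zone's signatures: the chain of trust from the parent is broken.
    """
    expected = set()
    for k in child_dnskeys:
        ds = make_ds(zone, k)
        expected.add((ds["key_tag"], ds["digest"]))
    return [ds for ds in parent_ds_records
            if (ds["key_tag"], ds["digest"].upper()) not in expected]
```

Feed it the DNSKEY set from the PowerDNS server and the DS set the parent actually serves (from `dig DS` against the parent) to see which side is stale after a key rollover or a fresh `pdnsutil secure-zone`.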