[Pdns-users] Problem with DNSSEC from bind to powerdns

Brian Candler b.candler at pobox.com
Thu Apr 18 10:43:24 UTC 2019

On 18/04/2019 11:30, abubin wrote:
> I am sorry as I am very new at this. FYI, both the DNS servers are 
> PRIVATE. The domains they are hosting do not get published to the 
> internet. It is mainly only for internal usage.

Sure.  But your cache is DNSSEC validating, and is rejecting the domain 
as bogus - which it certainly is, given that it is a fake domain and 
there is no chain of trust back to the root.

So you have two options:

1. Break the DNSSEC chain of trust, using a Negative Trust Anchor.  This 
tells your recursor: "it's OK that this domain doesn't validate".

2. Fix the DNSSEC chain of trust.

To do option 2, you need to use a real domain.  Either buy one, or use a 
subdomain of some domain you already control.  For example, if you 
already own "myown.com", then use "int.myown.com" as your internal 
domain.  (Aside: this is good practice anyway, as it prevents your 
internal names from ever clashing with real names)

Then you can sign int.myown.com, and publish the corresponding DS record 
in the myown.com domain.

The domain remains private - the nameservers don't need to be reachable 
from the public Internet.

> Link between them is using a lease line.

That's irrelevant.

> I have no problem querying from secondary site (running pdns) to 
> primary. However, somehow primary (running BIND) has a problem querying 
> secondary and the problem is a DNSSEC trust issue.

See above.

> Take note also they are not running as primary DNS and secondary DNS 
> servers. They are both independent of each other. They are each their 
> own authoritative DNS server.

In other words, they are both authoritative servers.

"primary" and "secondary" (or "master" and "slave") is just a mechanism 
for synchronising authoritative servers.  It's optional: you can choose 
instead to synchronize the zone contents manually, or to use a database 
and synchronize that.

> Sorry but how do I publish DS zone created in secondary into primary?

That question is meaningless, since you already said your servers are 
not configured as primary and secondary.

DS records go in the *parent* zone.  So if your fake domain is 
"myown.com", then the DS record would have to go into the ".com" domain, 
managed by Verisign or whoever.  That simply cannot happen, unless you 
actually own the "myown.com" domain.

> I think alternatively I might need to run them as primary and 
> secondary DNS.

I think you have misunderstood a great deal.  Primary/secondary is just 
a way of copying the zone data from one server to another.  If you've 
already manually copied the data, then they are already in sync.
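As an added illustration of option 2 (example code, not from this thread or from PowerDNS): the DS record for int.myown.com is a SHA-256 digest over the zone's own DNSKEY and is published in the parent zone myown.com, which is why no DS can exist for a made-up domain whose parent you do not control. The DNSKEY below is a constructed placeholder, not a real key.

```python
import hashlib
import struct

# Constructed DNSKEY for the internal zone from the thread's example.
# The public-key bytes are a placeholder, not a real key; they only
# exercise the DS computation (RFC 4034 section 5).
ZONE = "int.myown.com."
DNSKEY = {"flags": 257, "protocol": 3, "algorithm": 13,
          "public_key": bytes([0x01, 0x02, 0x03, 0x04])}

def owner_wire_format(name):
    """Encode an owner name as lowercase DNS wire-format labels (canonical form)."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"

def dnskey_rdata(key):
    """Serialise the DNSKEY RDATA: flags, protocol, algorithm, public key."""
    return struct.pack("!HBB", key["flags"], key["protocol"], key["algorithm"]) + key["public_key"]

def key_tag(key):
    """Key tag per RFC 4034 Appendix B (the form used by all current algorithms)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(key)):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parent_zone(name):
    """The zone in which a DS record for `name` has to be published."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "."

def ds_record(zone, key):
    """Build the DS RR (digest type 2 = SHA-256) that belongs in the parent zone."""
    digest = hashlib.sha256(owner_wire_format(zone) + dnskey_rdata(key)).hexdigest().upper()
    return {"owner": zone, "parent": parent_zone(zone), "key_tag": key_tag(key),
            "algorithm": key["algorithm"], "digest_type": 2, "digest": digest}

def ds_matches(ds, zone, key):
    """Check a published DS against a child DNSKEY, as a validating resolver does."""
    expected = ds_record(zone, key)
    return all(ds[f] == expected[f] for f in ("key_tag", "algorithm", "digest_type", "digest"))

if __name__ == "__main__":
    ds = ds_record(ZONE, DNSKEY)
    print(f'{ds["owner"]} IN DS {ds["key_tag"]} {ds["algorithm"]} {ds["digest_type"]} {ds["digest"]}  ; publish in {ds["parent"]}')
```

Running it prints the DS line that would go into myown.com; for a plain "myown.com" zone the same function reports the parent as "com.", where you cannot publish anything.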
