[Pdns-users] Problem with DNSSEC from bind to powerdns
b.candler at pobox.com
Thu Apr 18 10:43:24 UTC 2019
On 18/04/2019 11:30, abubin wrote:
> I am sorry as I am very new at this. FYI, both the DNS servers are
> PRIVATE. The domains they are hosting do not get published to the
> internet. It is mainly only for internal usage.
Sure. But your cache is DNSSEC validating, and is rejecting the domain
as bogus - which it certainly is, given that it is a fake domain and
there is no chain of trust back to the root.
So you have two options:
1. Break the DNSSEC chain of trust, using a Negative Trust Anchor. This
tells your recursor: "it's OK that this domain doesn't validate".
2. Fix the DNSSEC chain of trust.
To do option 2, you need to use a real domain. Either buy one, or use a
subdomain of some domain you already control. For example, if you
already own "myown.com", then use "int.myown.com" as your internal
domain. (Aside: this is good practice anyway, as it prevents your
internal names from ever clashing with real names)
Then you can sign int.myown.com, and publish the corresponding DS record
in the myown.com domain.
The domain remains private - the nameservers don't need to be reachable
from the public Internet.
> Link between them is using a leased line.
> I have no problem querying from secondary site (running pdns) to
> primary. However, somehow primary (running BIND) has a problem querying
> secondary, and the problem is a DNSSEC trust issue.
> Take note also they are not running as primary DNS and secondary DNS
> servers. They are both independent of each other. They are each their
> own authoritative DNS server.
In other words, they are both authoritative servers.
"primary" and "secondary" (or "master" and "slave") is just a mechanism
for synchronising authoritative servers. It's optional: you can choose
instead to synchronize the zone contents manually, or to use a database
and synchronize that.
> Sorry but how do I publish the DS zone created in the secondary into the primary?
That question is meaningless, since you already said your servers are
not configured as primary and secondary.
DS records go in the *parent* zone. So if your fake domain is
"myown.com", then the DS record would have to go into the ".com" domain,
managed by Verisign or whoever. That simply cannot happen, unless you
actually own the "myown.com" domain.
> I think alternatively I might need to run them as primary and
> secondary DNS.
I think you have misunderstood a great deal. Primary/secondary is just
a way of copying the zone data from one server to another. If you've
already manually copied the data, then they are already in sync.
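The two options above (a Negative Trust Anchor versus publishing a DS in the parent), as an added worked example that is not part of this thread and not PowerDNS or BIND code: a small model of how a validating resolver walks the chain of trust from the root down to int.myown.com. The zone names, the placeholder key bytes and the DS sets are constructed for illustration; key tags and DS digests are computed as RFC 4034 specifies (key tag per Appendix B, DS with digest type 2 = SHA-256 over the canonical owner name followed by the DNSKEY RDATA). The "no DS at a secure parent" case is simplified to a broken chain; a real validator distinguishes a signed proof that no DS exists (child is insecure) from an answer it cannot verify (bogus).

```python
# Constructed model of the DNSSEC chain of trust. Keys are placeholder bytes,
# not real DNSSEC material; only the key tag and DS arithmetic follow RFC 4034.
import hashlib
import struct

SHA256_DIGEST_TYPE = 2  # DS digest type 2


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name, as hashed into a DS."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (257 = KSK), protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: the first number shown in a DS record."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes) -> tuple:
    """The DS (key tag, algorithm, digest type, digest) the PARENT zone must publish."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], SHA256_DIGEST_TYPE, digest)


def parent_of(zone: str) -> str:
    return ".".join(zone.rstrip(".").split(".")[1:]) or "."


def path_from_root(zone: str) -> list:
    """[".", "com", "myown.com", "int.myown.com"] for int.myown.com."""
    path = [zone]
    while path[-1] != ".":
        path.append(parent_of(path[-1]))
    return path[::-1]


def validate(zone: str, zones: dict, trust_anchor: tuple, ntas=frozenset()) -> str:
    """Walk from the root trust anchor down to `zone`, one delegation at a time.

    zones: {name: {"ksk": DNSKEY rdata, "ds": {child: set of DS tuples}}}
    Returns "secure", or a string naming the first zone where trust fails.
    """
    path = path_from_root(zone)
    expected = {trust_anchor}  # DS set the current zone's KSK must match
    for i, name in enumerate(path):
        if name in ntas:  # option 1: resolver told to stop validating here
            return f"insecure (negative trust anchor at {name})"
        parent = path[i - 1] if i else "trust anchor"
        if not expected:  # parent never published a DS for this child
            return f"no chain of trust at {name} (no DS published in {parent})"
        data = zones.get(name)
        if data is None or make_ds(name, data["ksk"]) not in expected:
            return f"bogus at {name} (DNSKEY does not match the DS in {parent})"
        if i + 1 < len(path):
            expected = data["ds"].get(path[i + 1], set())
    return "secure"


def constructed_zones() -> dict:
    """Constructed zone data: .com does not know myown.com (nobody bought it)."""
    root_key = dnskey_rdata(257, 8, bytes.fromhex("a0a1a2a3a4a5a6a7"))
    com_key = dnskey_rdata(257, 8, bytes.fromhex("b0b1b2b3b4b5b6b7"))
    myown_key = dnskey_rdata(257, 8, bytes.fromhex("c0c1c2c3c4c5c6c7"))
    int_key = dnskey_rdata(257, 8, bytes.fromhex("0102030405060708"))
    return {
        ".": {"ksk": root_key, "ds": {"com": {make_ds("com", com_key)}}},
        "com": {"ksk": com_key, "ds": {}},
        "myown.com": {"ksk": myown_key,
                      "ds": {"int.myown.com": {make_ds("int.myown.com", int_key)}}},
        "int.myown.com": {"ksk": int_key, "ds": {}},
    }


def scenarios() -> dict:
    """Run the thread's situations through the model and collect the verdicts."""
    zones = constructed_zones()
    anchor = make_ds(".", zones["."]["ksk"])  # what a root trust anchor is: the root KSK's DS
    out = {}
    # The fake domain: .com carries no DS for myown.com, so nothing below it validates.
    out["fake domain"] = validate("int.myown.com", zones, anchor)
    # Option 1: a Negative Trust Anchor for the internal domain.
    out["with NTA"] = validate("int.myown.com", zones, anchor, ntas={"myown.com"})
    # Option 2: you own myown.com, so its DS gets published in .com.
    zones["com"]["ds"]["myown.com"] = {make_ds("myown.com", zones["myown.com"]["ksk"])}
    out["ds in parent"] = validate("int.myown.com", zones, anchor)
    # Failure mode of option 2: int.myown.com rolled its KSK but myown.com keeps the old DS.
    zones["int.myown.com"]["ksk"] = dnskey_rdata(257, 8, bytes.fromhex("0909090909090909"))
    out["stale DS"] = validate("int.myown.com", zones, anchor)
    return out


if __name__ == "__main__":
    for case, verdict in scenarios().items():
        print(f"{case:12s} -> {verdict}")
```

The last scenario is the check to keep in mind once option 2 is in place: every KSK rollover in int.myown.com needs the new DS published in myown.com, or the zone goes bogus rather than merely unsigned. On the real servers the same artifacts come from `pdnsutil secure-zone int.myown.com` followed by `pdnsutil export-zone-ds int.myown.com` on the PowerDNS Authoritative Server (4.x), and option 1 is `rec_control add-nta myown.com` on the PowerDNS Recursor, or `rndc nta myown.com` if the validating cache is BIND.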