[Pdns-users] Problem with DNSSEC from bind to powerdns

Gert van Dijk gertvdijk+pdns-users at gmail.com
Thu Apr 18 10:51:23 UTC 2019

On Thu, Apr 18, 2019 at 12:31 PM abubin <abubin at gmail.com> wrote:

> I am sorry as I am very new at this.
That's okay! I was new to details on DNSSEC until a month ago too. :-)

> FYI, both the DNS servers are PRIVATE. The domains they are hosting does
> not get published to the internet. It is mainly only for internal usage.
This basically means you can't use DNSSEC in a regular fashion and this is
a common issue with internal (sub) domains. NTA at your recursor is your
only option as far as I understand (I think your BIND is a recursor and an
authoritative server at the same time, but you didn't clearly state that).
If you need DNSSEC with private internal domains, you're going to have a
hard time installing additional trust anchors.

> I have no problem querying from secondary site (running pdns) to primary.
Do you also run (and query) an internal private domain on the primary BIND
instance? If so, did you enable dnssec validation on the application you
queried with? (e.g. PowerDNS recursor with config dnssec=validate or
systemd-resolved with DNSSEC=yes)

> However, somehow primary (running BIND) have problem querying secondary
> and the problem is DNSSEC trust issue.
Because you instructed BIND to be strict about DNSSEC and the parent zone
(.com or whatever) is signed, and claims this domain is not present
(probably, but again, you didn't provide enough details).

> Take note also they are not running as primary DNS and secondary DNS
> servers. They are both independent of each other. They are each their own
> authoritative DNS server.
So perhaps stop calling them primary/secondary? :-) They're both
single-instance primary servers for the zones they serve, and both sites are
configured to find each other for certain domains.

> Sorry but how do I publish DS zone created in secondary into primary?
DS is a record type published at the parent, its data is the hash of the
DNSKEY used at the actual zone. That will only work if your zone is public,
because .com is public. You can't really fake-insert a DS record on .com
for your domain as far as I know.

> I think alternatively I might need to run them as primary and secondary
> DNS.
You could, but that does not solve your DNSSEC issue. Even if you transfer
the zone from the PowerDNS Authoritative server to the BIND server, it will
not validate on DNSSEC for .com and you still need an NTA.

(While typing this I see most of it is already quite redundant to what
Brian Candler just said.)
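As an added illustration of the DS/DNSKEY relationship described in the reply above (example code added by the editor; it is not part of the original post, nor PowerDNS or BIND code), the following Python derives the DS record a parent zone would have to publish for a given DNSKEY: the key tag per RFC 4034 Appendix B and the digest over the canonical owner name plus the DNSKEY RDATA per RFC 4034 section 5.1.4. The zone name example.internal. and the two-byte placeholder key are constructed so the key tag can be checked by hand; they are not real key material.

```python
"""Derive a DS record from a DNSKEY (RFC 4034 section 5.1.4, Appendix B).

Example code added by the editor; not from the original post, PowerDNS or BIND.
The zone name and key material used below are constructed placeholders.
"""
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire format: lower-cased, length-prefixed
    labels, terminated by the empty root label (RFC 4034 section 6.2)."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    wire = b""
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5, alg 1):
    sum the RDATA as big-endian 16-bit words, fold in the carry, keep 16 bits."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              public_key_b64: str, digest_type: int = 2):
    """Return (key_tag, algorithm, digest_type, digest_hex) for the DS that the
    parent zone would publish for this DNSKEY. The digest covers the canonical
    owner name followed by the DNSKEY RDATA, exactly in that order."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(public_key_b64))
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def ds_presentation(owner: str, flags: int, protocol: int, algorithm: int,
                    public_key_b64: str, digest_type: int = 2) -> str:
    """Zone-file form of the DS record (the line that belongs in the parent zone)."""
    tag, alg, dt, digest = ds_record(owner, flags, protocol, algorithm,
                                     public_key_b64, digest_type)
    return f"{owner} IN DS {tag} {alg} {dt} {digest}"


if __name__ == "__main__":
    # Constructed input: flags 257 = KSK (SEP bit set), protocol 3,
    # algorithm 8 (RSASHA256), and a 2-byte all-zero placeholder "key"
    # ("AAA=" in base64) so the key tag 1033 can be verified by hand:
    # 0x0101 + 0x0308 + 0x0000 = 1033.
    print(ds_presentation("example.internal.", 257, 3, 8, "AAA="))
```

The output line is what a registry would need to place in the parent zone; for a private zone under a public parent such as .com nobody will publish it, which is the reason the reply above points at a negative trust anchor instead. On the validating recursor that means, for BIND 9.11 and later, `rndc nta example.internal`, and for the PowerDNS Recursor `rec_control add-nta example.internal "private zone"` (or `addNTA()` in its Lua configuration); the alternative the reply calls "installing additional trust anchors" is to configure the zone's own KSK as a trust anchor in the recursor (BIND's `trust-anchors` block, the PowerDNS Recursor's `addTA()`), which sidesteps the missing DS at the parent but has to be kept in sync with every key rollover.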
