[Pdns-users] LUA records + DNSSEC

Martijn Grendelman martijn.grendelman at isaac.nl
Wed May 27 09:39:30 UTC 2020


We have a simple setup with a PowerDNS master and two PowerDNS slaves
(AXFR).  Our zones are generally signed with DNSSEC and everything has
been working fine. Recently, I started experimenting with LUA records,
and for those, we're seeing problems (SERVFAIL) when we query them
through 3rd party resolvers.

At first, I seem to have missed this tiny paragraph in the documentation
for LUA records:

"LUA records can be DNSSEC signed, but because they are dynamic, it is
not possible to combine pre-signed DNSSEC zone and LUA records. In other
words, the signing key must be available on the server creating answers
based on LUA records."

It makes sense, and indeed, when I query the slaves for the LUA records,
I don't get any RRSIGs, so I suspect that this must be the problem.

My question is: /how/ do I make the signing key available on the slaves?
Does this imply that I have to switch to a form of native replication,
or is there a way to make this work with AXFR? I spent a few hours
Googling for this, but I haven't found any clues.

Met vriendelijke groet,
Best regards,

Martijn Grendelman
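
An added example, not part of the original post: a check for the symptom described above, where an answer comes back without an RRSIG covering the queried type. It parses raw DNS response bytes (as returned for a query sent with the DO bit set); the name lua.example.org, the helper names and both sample messages are constructed for illustration.

```python
import struct

RRSIG = 46  # RR type number for RRSIG

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # a compression pointer ends the name
            return off + 2
        off += 1 + n

def answer_types(msg):
    """Return [(rrtype, type_covered or None)] for the answer section."""
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    found = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rrtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        # An RRSIG's RDATA starts with the 16-bit type it covers.
        covered = struct.unpack_from("!H", msg, off)[0] if rrtype == RRSIG else None
        found.append((rrtype, covered))
        off += rdlen
    return found

def is_signed(msg, qtype):
    """True only if the answer has qtype records and an RRSIG covering them."""
    types = answer_types(msg)
    return (qtype, None) in types and (RRSIG, qtype) in types

# --- Constructed sample responses (not captured from a real server) ---
def name(n):
    return b"".join(bytes([len(l)]) + l.encode() for l in n.split(".")) + b"\0"
def rr(rrtype, rdata):  # owner is a pointer to the question name at offset 12
    return b"\xc0\x0c" + struct.pack("!HHIH", rrtype, 1, 60, len(rdata)) + rdata
def response(rrs):
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, len(rrs), 0, 0)
    return header + name("lua.example.org") + struct.pack("!HH", 1, 1) + b"".join(rrs)

A = rr(1, bytes([192, 0, 2, 10]))
SIG = rr(RRSIG, struct.pack("!HBBIIIH", 1, 13, 3, 60, 0, 0, 1) + name("example.org") + bytes(64))
UNSIGNED = response([A])      # like the RRSIG-less answers described in the post
SIGNED = response([A, SIG])   # same answer with an RRSIG covering type A
```

`is_signed` only confirms that a covering RRSIG is present; it does not validate the signature itself.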
