[Pdns-users] LUA records + DNSSEC
Martijn Grendelman
martijn.grendelman at isaac.nl
Wed May 27 09:39:30 UTC 2020
Hi,
We have a simple setup with a PowerDNS master and two PowerDNS slaves
(AXFR). Our zones are generally signed with DNSSEC and everything has
been working fine. Recently, I started experimenting with LUA records,
and for those, we're seeing problems (SERVFAIL) when we query them
through 3rd party resolvers.
At first, I seem to have missed this tiny paragraph in the documentation
for LUA records:
"LUA records can be DNSSEC signed, but because they are dynamic, it is
not possible to combine pre-signed DNSSEC zone and LUA records. In other
words, the signing key must be available on the server creating answers
based on LUA records."
It makes sense, and indeed, when I query the slaves for the LUA records,
I don't get any RRSIGs, so I suspect that this must be the problem.
My question is: /how/ do I make the signing key available on the slaves?
Does this imply that I have to switch to a form of native replication,
or is there a way to make this work with AXFR? I spent a few hours
Googling for this, but I haven't found any clues.
Met vriendelijke groet,
Best regards,
Martijn Grendelman