[Pdns-users] LUA records + DNSSEC

Edward Dore edward.dore at freethought-internet.co.uk
Wed May 27 10:18:45 UTC 2020


Hi Martijn,

Native zones with replication might be the easiest from a management point of view (remember to encrypt the replication data so that you don’t expose your keys), but online signing should work fine with slave zones.

Use "pdnsutil export-zone-key" to export the private key on the master, securely copy it to the slave servers somehow and then import it with "pdnsutil import-zone-key".

You're probably going to need to use "pdnsutil unset-presigned" as well as the zones are pre-signed at the moment.

Make sure you set any NSEC/NSEC3 parameters etc. the same on the slave servers - basically make the output of "pdnsutil show-zone" match between the master and slave.

Edward Dore 
Freethought Internet 
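The steps in the reply above as a script, added here as an example and not taken from the thread or from PowerDNS itself. It assumes ssh access to both servers as a user allowed to run pdnsutil, that MASTER and SLAVE are placeholder hostnames, and that the key IDs are the ones "pdnsutil show-zone" prints on the master; the zone_params_match check is the show-zone comparison suggested above, with the backend key ID masked because it differs per server.

```shell
#!/bin/sh
# Added example, not from the thread or the PowerDNS project: copy a zone's
# signing key(s) from the master to a slave so the slave can sign LUA answers
# online, then check that 'pdnsutil show-zone' agrees between the two.
# Assumes ssh access to both hosts as a user allowed to run pdnsutil; MASTER and
# SLAVE are placeholder names; key IDs are the ones show-zone prints on the master.
set -eu
umask 077                                  # private key files are created 0600
MASTER=${MASTER:-master.example.invalid}
SLAVE=${SLAVE:-slave.example.invalid}

# sync_keys ZONE ID:ksk|zsk ...    e.g. sync_keys example.org 3:ksk 4:zsk
sync_keys() {
  zone=$1; shift
  tmp=$(mktemp -d)
  for spec in "$@"; do
    id=${spec%%:*}; kind=${spec#*:}
    ssh "$MASTER" pdnsutil export-zone-key "$zone" "$id" > "$tmp/$id.key"
    scp -q "$tmp/$id.key" "$SLAVE:/tmp/$zone.$id.key"   # stays inside ssh, never in the clear
    ssh "$SLAVE" "pdnsutil import-zone-key '$zone' '/tmp/$zone.$id.key' active '$kind' \
      && rm -f '/tmp/$zone.$id.key'"
  done
  rm -rf "$tmp"
  ssh "$SLAVE" pdnsutil unset-presigned "$zone"   # the slave copy is pre-signed today
}

# Keep the signing-relevant lines of show-zone output and mask the backend key ID,
# which legitimately differs between servers after an import.
normalize_zone_params() {
  printf '%s\n' "$1" | grep -E 'presigned|NSEC|tag = ' | sed -E 's/ID = [0-9]+/ID = ?/'
}

# Succeeds when master and slave show-zone outputs describe the same DNSSEC setup.
zone_params_match() {
  [ "$(normalize_zone_params "$1")" = "$(normalize_zone_params "$2")" ]
}

check_zone() {
  m=$(ssh "$MASTER" pdnsutil show-zone "$1")
  s=$(ssh "$SLAVE" pdnsutil show-zone "$1")
  if zone_params_match "$m" "$s"; then
    echo "ok: $1 signing parameters match"
  else
    echo "MISMATCH for $1 (presigned flag, NSEC/NSEC3 settings or keys differ)"
    printf '%s\n--- slave ---\n%s\n' "$(normalize_zone_params "$m")" "$(normalize_zone_params "$s")"
    return 2
  fi
}

case "${1-}" in sync) shift; sync_keys "$@" ;; check) shift; check_zone "$@" ;; esac
```

Run as `./sync-key.sh sync example.org 3:ksk` per slave, then `./sync-key.sh check example.org` until it reports a match.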

> On 27 May 2020, at 10:39, Martijn Grendelman via Pdns-users <pdns-users at mailman.powerdns.com> wrote:
> 
> Hi,
> 
> We have a simple setup with a PowerDNS master and two PowerDNS slaves (AXFR).  Our zones are generally signed with DNSSEC and everything has been working fine. Recently, I started experimenting with LUA records, and for those, we're seeing problems (SERVFAIL) when we query them through 3rd party resolvers.
> 
> At first, I seem to have missed this tiny paragraph in the documentation for LUA records:
> 
> "LUA records can be DNSSEC signed, but because they are dynamic, it is not possible to combine pre-signed DNSSEC zone and LUA records. In other words, the signing key must be available on the server creating answers based on LUA records."
> 
> It makes sense, and indeed, when I query the slaves for the LUA records, I don't get any RRSIGs, so I suspect that this must be the problem.
> 
> My question is: how do I make the signing key available on the slaves? Does this imply that I have to switch to a form of native replication, or is there a way to make this work with AXFR? I spent a few hours Googling for this, but I haven't found any clues.
> 
> Met vriendelijke groet,
> Best regards,
> 
> Martijn Grendelman
> 
