[Pdns-users] LUA records + DNSSEC
Peter van Dijk
peter.van.dijk at powerdns.com
Sun May 31 21:33:07 UTC 2020
On Wed, 2020-05-27 at 11:39 +0200, Martijn Grendelman via Pdns-users wrote:
> We have a simple setup with a PowerDNS master and two PowerDNS slaves (AXFR). Our zones are generally signed with DNSSEC and everything has been working fine. Recently, I started experimenting with LUA records, and for those, we're seeing problems (SERVFAIL) when we query them through 3rd party resolvers.
> At first, I seem to have missed this tiny paragraph in the documentation for LUA records:
> "LUA records can be DNSSEC signed, but because they are dynamic, it is not possible to combine pre-signed DNSSEC zone and LUA records. In other words, the signing key must be available on the server creating answers based on LUA records."
> It makes sense, and indeed, when I query the slaves for the LUA records, I don't get any RRSIGs, so I suspect that this must be the problem.
> My question is: how do I make the signing key availabe on the slaves? Does this imply that I have to switch to a form of native replication, or is there a way to make this work with AXFR? I spent a few hours Googling for this, but I haven't found any clues.
Native replication is one option. The other option is having a non-signing master that your slaves, that all have a copy of your keys, AXFR from.
The 'remove presigned' trigger from your other email might work but is not a configuration we support or run tests for - so it could break on upgrades.
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
More information about the Pdns-users