[Pdns-users] auth: How are two backends (e.g. BIND + gsqlite3) supposed to work together?
Gert van Dijk
gertvdijk+pdns-users at gmail.com
Tue Oct 20 22:27:29 UTC 2020
I'm running PowerDNS Authoritative 4.3.1 in a hidden-master setup, with
BIND backend primarily, and that's working just fine. For a more dynamic
subzone I added gsqlite3 backend and was hoping that it would be possible
to work in a single instance.
At first, it was looking just fine: adding a zone with pdnsutil create-zone
ended up in the SQLite3 database and I can query records, AXFR to the
secondary servers is working fine as well. The BIND zones are with DNSSEC,
but the new dynamic zone is still unsigned at this point. Cool so far.
For what it's worth, I am ignoring one error at this point too (looks like
Should not get here (dynamic.i6t.nl|1): please run pdnsutil rectify-zone
Then I started to play with TSIG for dnsupdate. Using pdnsutil the
generated key ended up in the wrong database: the BIND DNSSEC metadata
SQLite database instead of the gsqlite3-db. Hmm, that looks like bug 2. I
moved the key and metadata in the table myself and was hoping that it would
work, but upon an nsupdate after a restart it still shows
UPDATE (62273) from 10.x.x.x for dynamic.i6t.nl: TSIG is provided, but
domain is not secured with TSIG. Processing continues
and I'm able to perform updates without any TSIG key.
Then enabling DNSSEC (pdnsutil secure-zone dynamic.i6t.nl) also resulted in
the error (bug 3?); key material and metadata ended up in the BIND database.
This makes me think; is it even supposed to work together; BIND with DNSSEC
and gsqlite3 as backends in the same instance or am I required to run a
separate one? The documentation seems to lack information on how enabling
multiple backends is to be operated and how tooling like pdnsutil is
supposed to pick the right backend to operate on (e.g. create-zone).
Perhaps I'm missing something.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Pdns-users