[Pdns-users] DNSSEC UDP problems

Pieter Lexis pieter.lexis at powerdns.com
Tue Mar 9 14:31:55 UTC 2021


On 3/9/21 3:01 PM, Steffan via Pdns-users wrote:
>> Are you actually using AXFR to transfer the zone to the nameservers? Or are
>> you using database replication? Because ALIAS live-signing is not
>> implemented, only signing on AXFR-out is implemented. This is in the
>> documentation I sent you earlier and there's an open ticket[1] (point 6) as
>> well.
> I'm using the MySQL backend on both DNS servers.
> Both are set up as masters, and MySQL is replicated from the master DB
> server.

So the answer to my question was "No, the public nameservers serve the
expanded ALIASes directly". Which is exactly the situation in which the
expanded ALIAS records are not signed, leading to the issues you have.

The only way to get a signed, expanded ALIAS response is to AXFR from a
hidden primary to public secondaries. PowerDNS will then sign the
expanded ALIAS data when it serves out the AXFR.

I hope this clears up the confusion somewhat.

>> 1 - https://github.com/PowerDNS/pdns/issues/3838
> I'm sorry for the beginner's question; as far as I know it has always
> worked.

Live-signing expanded ALIAS records never worked, in any version of
PowerDNS. This is on our wish-list, but no work has been done there, as
all known ALIAS installations use the AXFR method.



Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com

