[Pdns-users] DNSSEC UDP problems

steffannoord at gmail.com steffannoord at gmail.com
Tue Mar 9 14:39:18 UTC 2021

Oke thanxs.
Then i will remove the dnssec from that domains 😊

Met vriendelijke groet,
Steffan Noord 

-----Oorspronkelijk bericht-----
Van: Pdns-users <pdns-users-bounces at mailman.powerdns.com> Namens Pieter Lexis via Pdns-users
Verzonden: dinsdag 9 maart 2021 15:32
Aan: pdns-users at mailman.powerdns.com
Onderwerp: Re: [Pdns-users] DNSSEC UDP problems


On 3/9/21 3:01 PM, Steffan via Pdns-users wrote:
>> Are you actually using AXFR to transfer the zone to the nameservers? 
>> Or are
> you using database replication? Because ALIAS live-signing is not 
> implemented, only signing on AXFR-out is implemented. This is in the 
> documentation I sent you earlier and there's an open >ticket[1] (point 
> 6) as well.
> Im using mysql backend on both dns servers Both are set up as masters, 
> and mysql is replicated from the master DB server

So the answer to my question was "No, the public nameservers serve the expanded ALIASes directly". Which is exactly the situation in which the expanded ALIAS records are not signed, leading to the issues you have.

The only way to get a signed, expanded ALIAS response is to AXFR from a hidden primary to public secondaries. PowerDNS will then sign the expanded ALIAS data when it serves out the AXFR.

I hope this clears up the confusion somewhat.

>> 1 - https://github.com/PowerDNS/pdns/issues/3838
> -im sorry for the beginners question.. for so far i know it has 
> allways works

Live-signing expanded ALIAS records never worked, in any version of PowerDNS. This is on our wish-list, but no work has been done there, as all known ALIAS installations use the AXFR method.



Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com _______________________________________________
Pdns-users mailing list
Pdns-users at mailman.powerdns.com

More information about the Pdns-users mailing list