[Pdns-users] RRSIG Registers Missing on Primary Server
Alexander Varejão
frater.alexander at gmail.com
Mon Nov 22 14:55:00 UTC 2021
Dears, I'm new to PowerDNS.
I'm using three virtual machines:
- One authoritative with mysql backend
- Two Secondaries with sqlite3 backend
I'm confused about the DNSSEC config, could someone help me with it?
My primary has the following configuration
/etc/powerdns/pdns.conf
-----------------------------------------------
allow-axfr-ips=ONE SECONDARY IP HERE,OTHER SECONDARY IP HERE
disable-axfr=no
master=yes
include-dir=/etc/powerdns/pdns.d
launch=
security-poll-suffix=
setgid=pdns
setuid=pdns
-----------------------------------------------
/etc/powerdns/pdns.d/pdns.local.gmysql.conf
-----------------------------------------------
# MySQL Configuration
#
# Launch gmysql backend
launch+=gmysql
# gmysql parameters
gmysql-host="PRIMARY IP"
gmysql-port=3306
gmysql-dbname=powerdns
gmysql-user=powerdns
gmysql-password=PASSWORD HERE
gmysql-dnssec=yes
# gmysql-socket=
-----------------------------------------------
My Secondaries have the following configuration
/etc/powerdns/pdns.conf
-----------------------------------------------
slave=yes
slave-cycle-interval=60
include-dir=/etc/powerdns/pdns.d
launch=
security-poll-suffix=
setgid=pdns
setuid=pdns
-----------------------------------------------
/etc/powerdns/pdns.d/pdns.local.gsqlite.conf
-----------------------------------------------
# SQLITE3 Configuration
#
# Launch gsqlite3 backend
launch+=gsqlite3
# gsqlite3 parameters
gsqlite3-database=/var/lib/pdns/powerdns.db
setuid=pdns
setgid=pdns
gsqlite3-dnssec=yes
-----------------------------------------------
Well, I created a fake zone "strangeworld.net" and tried to sign it. On my primary server I ran
pdnsutil secure-zone strangeworld.net
pdnsutil increase-serial strangeworld.net
pdns_control notify strangeworld.net
So, checking mysql on my primary server I get
MariaDB [powerdns]> select * from cryptokeys \G
*************************** 1. row ***************************
id: 1
domain_id: 4
flags: 257
active: 1
content: Private-key-format: v1.2
Algorithm: 13 (ECDSAP256SHA256)
PrivateKey: LlW87PE+4oj4lXwp+kIN/RoJHVO8NT9RQcZMO5ThkjI=
MariaDB [powerdns]> select name,type,content from records where domain_id=4;
+----------------------+------+--------------------------------------------------------------------------------------+
| name                 | type | content                                                                              |
+----------------------+------+--------------------------------------------------------------------------------------+
| strangeworld.net     | NS   | ns1.zzzzzz.com                                                                       |
| strangeworld.net     | NS   | ns2.zzzzzz.com                                                                       |
| strangeworld.net     | A    | xx.xxx.xx.xxx                                                                        |
| www.strangeworld.net | A    | xx.xxx.xx.xxy                                                                        |
| strangeworld.net     | MX   | mail.strangeworld.net                                                                |
| strangeworld.net     | SOA  | a.misconfigured.powerdns.server hostmaster.strangeworld.net 7 10800 3600 604800 3600 |
+----------------------+------+--------------------------------------------------------------------------------------+
Running 'show-zone' on primary I get
pdnsutil show-zone strangeworld.net
Nov 22 14:04:29 [bindbackend] Done parsing domains, 0 rejected, 0 new, 0 removed
This is a Native zone
Metadata items: None
Zone has NSEC semantics
keys:
ID = 1 (CSK), flags = 257, tag = 556, algo = 13, bits = 256 Active ( ECDSAP256SHA256 )
CSK DNSKEY = strangeworld.net. IN DNSKEY 257 3 13 I4KX7NsPuLfW0CCjZWHx6hGKLwba4dmBWUyRvVaCgUB9vQ2WBY+Du6SpoImitN7zhoRodsnpUbROZ4MepB1MsA== ; ( ECDSAP256SHA256 )
DS = strangeworld.net. IN DS 556 13 1 5b308fe4fc09b72322c2e49002d70e1dcfca97ca ; ( SHA1 digest )
DS = strangeworld.net. IN DS 556 13 2 d939dbca936f22f9387ed9ec441731b87ba660193db6a83005cbd9f1fefe033f ; ( SHA256 digest )
DS = strangeworld.net. IN DS 556 13 4 1a00fd39df432da09f04c6b51d902cc9d3fe1afffd769a56bf0a5af39d27738203ad23b78ceb0aa686b5a15c0185d17a ; ( SHA-384 digest )
pdnsutil list-zone strangeworld.net
Nov 22 13:52:18 [bindbackend] Done parsing domains, 0 rejected, 0 new, 0 removed
$ORIGIN .
strangeworld.net 3600 IN A xx.xxx.xx.xxx
strangeworld.net 3600 IN MX 25 mail.strangeworld.net.
strangeworld.net 3600 IN NS ns1.zzzzzz.com.
strangeworld.net 3600 IN NS ns2.zzzzzz.com.
strangeworld.net 3600 IN SOA a.misconfigured.powerdns.server hostmaster.strangeworld.net 7 10800 3600 604800 3600
www.strangeworld.net 3600 IN A xx.xxx.xx.xxy
Then, checking sqlite on my secondaries servers I get
sqlite> select * from domainmetadata;
id          domain_id   kind              content
----------  ----------  ----------------  ----------
2           4           PRESIGNED         1
sqlite> select name,type,content from records where domain_id=4;
name              type        content
----------------  ----------  ------------------------------------------------------------------------------------
strangeworld.net  SOA         a.misconfigured.powerdns.server hostmaster.strangeworld.net 7 10800 3600 604800 3600
strangeworld.net  RRSIG       SOA 13 2 3600 20211202000000 20211111000000 556 strangeworld.net Nin87WOJ4qb68JYcP2g
strangeworld.net  DNSKEY      257 3 13 I4KX7NsPuLfW0CCjZWHx6hGKLwba4dmBWUyRvVaCgUB9vQ2WBY+Du6SpoImitN7zhoRodsnpUbR
strangeworld.net  RRSIG       DNSKEY 13 2 3600 20211202000000 20211111000000 556 strangeworld.net VPz+sMQdo4uw8Fyo
strangeworld.net  NS          ns1.zzzzzz.com
strangeworld.net  NS          ns2.zzzzzz.com
strangeworld.net  RRSIG       NS 13 2 3600 20211202000000 20211111000000 556 strangeworld.net B3Y3L5ovSYjXhowC7gwY
strangeworld.net  A           xx.xxx.xx.xxx
strangeworld.net  RRSIG       A 13 2 3600 20211202000000 20211111000000 556 strangeworld.net HQbqF7/qUthhVn/cy8GkU
strangeworld.net  MX          mail.strangeworld.net
strangeworld.net  RRSIG       MX 13 2 3600 20211202000000 20211111000000 556 strangeworld.net IacMcLe4aBaV54/YStsc
www.strangeworld  A           xx.xxx.xx.xxy
And running 'show-zone' and 'list-zone' I get
pdnsutil show-zone strangeworld.net
Nov 22 14:07:22 [bindbackend] Done parsing domains, 0 rejected, 0 new, 0 removed
This is a Slave zone
Master: 10.200.12.164:53
Last time we got update from master: Mon 2021-11-22 12:00:04
SOA serial in database: 7
Refresh interval: 10800 seconds
Metadata items:
PRESIGNED 1
Zone is presigned
Zone has NSEC semantics
keys:
KSK, tag = 556, algo = 13, bits = 256
DNSKEY = strangeworld.net. IN DNSKEY 257 3 13 I4KX7NsPuLfW0CCjZWHx6hGKLwba4dmBWUyRvVaCgUB9vQ2WBY+Du6SpoImitN7zhoRodsnpUbROZ4MepB1MsA== ; ( ECDSAP256SHA256 )
DS = strangeworld.net. IN DS 556 13 1 5b308fe4fc09b72322c2e49002d70e1dcfca97ca ; ( SHA1 digest )
DS = strangeworld.net. IN DS 556 13 2 d939dbca936f22f9387ed9ec441731b87ba660193db6a83005cbd9f1fefe033f ; ( SHA256 digest )
DS = strangeworld.net. IN DS 556 13 4 1a00fd39df432da09f04c6b51d902cc9d3fe1afffd769a56bf0a5af39d27738203ad23b78ceb0aa686b5a15c0185d17a ; ( SHA-384 digest )
pdnsutil list-zone strangeworld.net
Nov 22 14:07:56 [bindbackend] Done parsing domains, 0 rejected, 0 new, 0 removed
$ORIGIN .
strangeworld.net 3600 IN A xx.xxx.xx.xxx
strangeworld.net 3600 IN DNSKEY 257 3 13 I4KX7NsPuLfW0CCjZWHx6hGKLwba4dmBWUyRvVaCgUB9vQ2WBY+Du6SpoImitN7zhoRodsnpUbROZ4MepB1MsA==
strangeworld.net 3600 IN MX 25 mail.strangeworld.net.
strangeworld.net 3600 IN NS ns1.zzzzzz.com.
strangeworld.net 3600 IN NS ns2.zzzzzz.com.
strangeworld.net 3600 IN RRSIG SOA 13 2 3600 20211202000000 20211111000000 556 strangeworld.net Nin87WOJ4qb68JYcP2gay3NdoKlLZZn5Q9wuv1fBqjd3CesQJxl+K7fjAgwynOBVQdZjLDFRWgKsq9te0J59mw==
strangeworld.net 3600 IN RRSIG DNSKEY 13 2 3600 20211202000000 20211111000000 556 strangeworld.net VPz+sMQdo4uw8Fyomz7kWR6PAMiVvAjQMcRHadr+foARMptGuCIRmgBvsr/hi8869HiS+NwtvymLNI4baoJmVg==
strangeworld.net 3600 IN RRSIG NS 13 2 3600 20211202000000 20211111000000 556 strangeworld.net B3Y3L5ovSYjXhowC7gwYUOUb4EJBiF8MmG/igJK7CF57IWRqTWXYZRuWjSPGeUCQU9HESz2e+/B0fyPSlV3Iag==
strangeworld.net 3600 IN RRSIG A 13 2 3600 20211202000000 20211111000000 556 strangeworld.net HQbqF7/qUthhVn/cy8GkUI/ztbBUSDsMKarQcSE6M22vd1IxdosVB5x4RUNc+MtfPbEjpSUWLM8rdOG9AOx1jA==
strangeworld.net 3600 IN RRSIG MX 13 2 3600 20211202000000 20211111000000 556 strangeworld.net IacMcLe4aBaV54/YStscUjg6FMQ8Jhf0LjIydBYqErMLrte/g4x/l1l6eyxnJpCJrTobu5h94kWWq+CR94sJdw==
strangeworld.net 3600 IN RRSIG NSEC 13 2 3600 20211202000000 20211111000000 556 strangeworld.net zCsAG7/qCpwzH4P+mW52tPyyjR3OHRuTxY5F93BrF2RzVbWtJuQR2HT1d2zi6kChrzEws1Y2Y9M3l11b1oAtxw==
strangeworld.net 3600 IN SOA a.misconfigured.powerdns.server hostmaster.strangeworld.net 7 10800 3600 604800 3600
www.strangeworld.net 3600 IN A xx.xxx.xx.xxx
www.strangeworld.net 3600 IN RRSIG A 13 3 3600 20211202000000 20211111000000 556 strangeworld.net HfO9WvFd7hmziVxclDzX8T5ANnK5uq718nC+AYpQaR6nnKi1DB/4pTpggVTyZLXZzoUUj+eIQqCOuQUqX8nGDg==
www.strangeworld.net 3600 IN RRSIG NSEC 13 3 3600 20211202000000 20211111000000 556 strangeworld.net C8BFzn+qEu7qxrLPGsUZRcokogvcaOtzPDlRxPREDHg233MYNg2sjXzvKBmKjsZOS+gn6kT1mbEtq4AiLkprVQ==
My question is: why are the RRSIG records missing on my primary server?
Could someone help me?
Regards
Alexander Varejão
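Added example (mine, not code from the post or from PowerDNS) that makes the comparison in the post mechanical. The two `pdnsutil list-zone` listings are copied from the message above (the IPs are the poster's own placeholders); the checker and its output format are my own. It does three things a practitioner wants when a zone "has no RRSIGs": it computes the DNSKEY key tag per RFC 4034 Appendix B from the DNSKEY rdata the post shows (it comes out as 556, which is exactly the `tag = 556` in `show-zone` and the key tag carried in every RRSIG on the secondary, so the secondary's signatures really are from that key); it lists every RRset that has no covering RRSIG, every RRSIG whose RRset is not in the listing, and every RRSIG whose key tag/algorithm matches no DNSKEY; and it checks the inception/expiration window at a chosen time. On the primary's listing every RRset comes back unsigned, on the secondary's none do. One caveat worth knowing when reading that result: a PowerDNS primary with `gmysql-dnssec=yes` and keys in `cryptokeys` signs live, computing RRSIGs when it answers, so the `records` table and `list-zone` are not where its signatures live; the secondary, which received the signed zone over AXFR and is marked PRESIGNED, stores the RRSIGs it received. The place to verify the primary is the wire, with something like `dig +dnssec @PRIMARY strangeworld.net SOA`. The listing parser assumes one record per line in the `owner ttl class type rdata` form that `list-zone` prints.

```python
"""DNSSEC coverage check over `pdnsutil list-zone` output, plus RFC 4034 key tags.

Added example for the thread above; not code from the post or from PowerDNS.
The two listings are copied from the post (IPs are the poster's placeholders);
the checks are this example's own.
"""
import base64
import struct
from collections import defaultdict
from datetime import datetime, timezone

# `pdnsutil list-zone strangeworld.net` on the primary, as shown in the post: no RRSIGs at all.
PRIMARY_LISTING = """\
strangeworld.net 3600 IN A xx.xxx.xx.xxx
strangeworld.net 3600 IN MX 25 mail.strangeworld.net.
strangeworld.net 3600 IN NS ns1.zzzzzz.com.
strangeworld.net 3600 IN NS ns2.zzzzzz.com.
strangeworld.net 3600 IN SOA a.misconfigured.powerdns.server hostmaster.strangeworld.net 7 10800 3600 604800 3600
www.strangeworld.net 3600 IN A xx.xxx.xx.xxy
"""

# Same command on the presigned secondary, as shown in the post.
SECONDARY_LISTING = """\
strangeworld.net 3600 IN A xx.xxx.xx.xxx
strangeworld.net 3600 IN DNSKEY 257 3 13 I4KX7NsPuLfW0CCjZWHx6hGKLwba4dmBWUyRvVaCgUB9vQ2WBY+Du6SpoImitN7zhoRodsnpUbROZ4MepB1MsA==
strangeworld.net 3600 IN MX 25 mail.strangeworld.net.
strangeworld.net 3600 IN NS ns1.zzzzzz.com.
strangeworld.net 3600 IN NS ns2.zzzzzz.com.
strangeworld.net 3600 IN RRSIG SOA 13 2 3600 20211202000000 20211111000000 556 strangeworld.net Nin87WOJ4qb68JYcP2gay3NdoKlLZZn5Q9wuv1fBqjd3CesQJxl+K7fjAgwynOBVQdZjLDFRWgKsq9te0J59mw==
strangeworld.net 3600 IN RRSIG DNSKEY 13 2 3600 20211202000000 20211111000000 556 strangeworld.net VPz+sMQdo4uw8Fyomz7kWR6PAMiVvAjQMcRHadr+foARMptGuCIRmgBvsr/hi8869HiS+NwtvymLNI4baoJmVg==
strangeworld.net 3600 IN RRSIG NS 13 2 3600 20211202000000 20211111000000 556 strangeworld.net B3Y3L5ovSYjXhowC7gwYUOUb4EJBiF8MmG/igJK7CF57IWRqTWXYZRuWjSPGeUCQU9HESz2e+/B0fyPSlV3Iag==
strangeworld.net 3600 IN RRSIG A 13 2 3600 20211202000000 20211111000000 556 strangeworld.net HQbqF7/qUthhVn/cy8GkUI/ztbBUSDsMKarQcSE6M22vd1IxdosVB5x4RUNc+MtfPbEjpSUWLM8rdOG9AOx1jA==
strangeworld.net 3600 IN RRSIG MX 13 2 3600 20211202000000 20211111000000 556 strangeworld.net IacMcLe4aBaV54/YStscUjg6FMQ8Jhf0LjIydBYqErMLrte/g4x/l1l6eyxnJpCJrTobu5h94kWWq+CR94sJdw==
strangeworld.net 3600 IN RRSIG NSEC 13 2 3600 20211202000000 20211111000000 556 strangeworld.net zCsAG7/qCpwzH4P+mW52tPyyjR3OHRuTxY5F93BrF2RzVbWtJuQR2HT1d2zi6kChrzEws1Y2Y9M3l11b1oAtxw==
strangeworld.net 3600 IN SOA a.misconfigured.powerdns.server hostmaster.strangeworld.net 7 10800 3600 604800 3600
www.strangeworld.net 3600 IN A xx.xxx.xx.xxx
www.strangeworld.net 3600 IN RRSIG A 13 3 3600 20211202000000 20211111000000 556 strangeworld.net HfO9WvFd7hmziVxclDzX8T5ANnK5uq718nC+AYpQaR6nnKi1DB/4pTpggVTyZLXZzoUUj+eIQqCOuQUqX8nGDg==
www.strangeworld.net 3600 IN RRSIG NSEC 13 3 3600 20211202000000 20211111000000 556 strangeworld.net C8BFzn+qEu7qxrLPGsUZRcokogvcaOtzPDlRxPREDHg233MYNg2sjXzvKBmKjsZOS+gn6kT1mbEtq4AiLkprVQ==
"""


def dnskey_key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag over the DNSKEY rdata, RFC 4034 Appendix B (all algorithms except 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def rrsig_time(yyyymmddhhmmss):
    """RRSIG expiration/inception field as an aware UTC datetime."""
    return datetime.strptime(yyyymmddhhmmss, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_listing(text):
    """Turn 'owner ttl IN type rdata...' lines into (owner, type, rdata_fields) tuples."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(("$", ";")):
            continue
        owner, _ttl, _cls, rtype = fields[:4]
        records.append((owner.rstrip(".").lower(), rtype.upper(), fields[4:]))
    return records


def check_coverage(records):
    """Match every RRset against the RRSIGs covering it and the DNSKEYs that could have made them.

    RRSIG rdata fields: type-covered alg labels orig-ttl expiration inception key-tag signer signature.
    """
    rrsets = set()
    sigs = defaultdict(list)  # (owner, type covered) -> RRSIG rdata field lists
    keys = {}                 # computed key tag -> algorithm, from the DNSKEY RRset in the listing
    for owner, rtype, rdata in records:
        if rtype == "RRSIG":
            sigs[(owner, rdata[0].upper())].append(rdata)
            continue
        rrsets.add((owner, rtype))
        if rtype == "DNSKEY":
            tag = dnskey_key_tag(int(rdata[0]), int(rdata[1]), int(rdata[2]), "".join(rdata[3:]))
            keys[tag] = int(rdata[2])
    unknown_key = sorted(
        (owner, covered, int(s[6]))
        for (owner, covered), siglist in sigs.items()
        for s in siglist
        if keys.get(int(s[6])) != int(s[1])
    )
    return {
        "key_tags": sorted(keys),
        "unsigned": sorted(rrsets - set(sigs)),           # RRsets with no RRSIG at all
        "orphan_signatures": sorted(set(sigs) - rrsets),  # RRSIGs whose RRset is not in the listing
        "unknown_key": unknown_key,                       # key tag/algorithm matching no DNSKEY
    }


def signatures_invalid_at(records, at):
    """RRSIGs whose inception..expiration window does not contain `at` (an aware datetime)."""
    return [
        (owner, rdata[0], rdata[4])
        for owner, rtype, rdata in records
        if rtype == "RRSIG" and not rrsig_time(rdata[5]) <= at <= rrsig_time(rdata[4])
    ]


if __name__ == "__main__":
    for label, listing in (("primary", PRIMARY_LISTING), ("secondary", SECONDARY_LISTING)):
        recs = parse_listing(listing)
        print(label, check_coverage(recs))
        print(label, "invalid now:", signatures_invalid_at(recs, datetime.now(timezone.utc)))
```

Run as-is it reports the primary's five RRsets as unsigned and the secondary's six as covered, with the two `RRSIG NSEC` entries flagged as orphan signatures because the listing in the post contains no NSEC records for them to cover. The same functions work on a `dig +dnssec` answer section or a `dig AXFR` dump, since both print the same `owner ttl class type rdata` shape; feeding the primary's wire answers through `check_coverage` is the check that actually answers the question in the post.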