[Pdns-users] RRSIG validity period
Alexander Varejão
frater.alexander at gmail.com
Tue Mar 29 20:33:04 UTC 2022
Hi Dears,
Well, as I said before, I'm new to PowerDNS and I have some doubts about
how it works.
In my tests I'm using three virtual machines:
- One authoritative with mysql backend
- Two Secondaries with sqlite3 backend
I'm confused about the validity period of RRSIGs; could someone help me with
it?
So, my primary Server has the following configuration:
/etc/powerdns/pdns.conf
-----------------------------------------------
allow-axfr-ips=ONE SECONDARY IP HERE,OTHER SECONDARY IP HERE
disable-axfr=no
master=yes
include-dir=/etc/powerdns/pdns.d
launch=
security-poll-suffix=
setgid=pdns
setuid=pdns
-----------------------------------------------
/etc/powerdns/pdns.d/pdns.local.gmysql.conf
-----------------------------------------------
# MySQL Configuration
#
# Launch gmysql backend
launch+=gmysql
# gmysql parameters
gmysql-host="PRIMARY IP"
gmysql-port=3306
gmysql-dbname=powerdns
gmysql-user=powerdns
gmysql-password=PASSWORD HERE
gmysql-dnssec=yes
# gmysql-socket=
-----------------------------------------------
And my Secondary Servers have the following configuration:
/etc/powerdns/pdns.conf
-----------------------------------------------
slave=yes
slave-cycle-interval=60
include-dir=/etc/powerdns/pdns.d
launch=
security-poll-suffix=
setgid=pdns
setuid=pdns
-----------------------------------------------
/etc/powerdns/pdns.d/pdns.local.gsqlite.conf
-----------------------------------------------
# SQLITE3 Configuration
#
# Launch gsqlite3 backend
launch+=gsqlite3
# gsqlite3 parameters
gsqlite3-database=/var/lib/pdns/powerdns.db
setuid=pdns
setgid=pdns
gsqlite3-dnssec=yes
-----------------------------------------------
I created a fake zone "strangeword.com" and signed it. On my primary server
I ran the following commands:
pdnsutil secure-zone strangeworld.net
pdnsutil increase-serial strangeworld.net
pdns_control notify strangeworld.net
And when I run 'pdnsutil show-zone' it seems ok to me:
pdnsutil show-zone strangeworld.net
Mar 29 20:03:57 [bindbackend] Done parsing domains, 0 rejected, 0 new, 0 removed
This is a Native zone
Metadata items: None
Zone has NSEC semantics
keys:
ID = 3 (CSK), flags = 257, tag = 14784, algo = 13, bits = 256 Active
Published ( ECDSAP256SHA256 )
CSK DNSKEY = strangeworld.net. IN DNSKEY 257 3 13 SnJ1JrZ7wiJ8tQKxEWMlAHfVk6lB90bx8G1J8/t+hQ5iPcdssqRj7YJ7IaXVysyaOCPjQZcNZSCIxSMqqQUFEA== ; ( ECDSAP256SHA256 )
DS = strangeworld.net. IN DS 14784 13 1
64cbfe2b545ed890a4c2b22a22c4ba76e2b211be ; ( SHA1 digest )
DS = strangeworld.net. IN DS 14784 13 2
edf9017ee79e36e0ecf144e63ddb8202b00e6fda58f94244a6def11f63ebcfa7 ; ( SHA256 digest )
DS = strangeworld.net. IN DS 14784 13 4
60e7511e17f9841e4bdfc263140d9b800df09b08380f33797fe1213323a71666df5d630bb63eb2ce8532eadf86f52e59 ; ( SHA-384 digest )
A few weeks later I created new fake zones, and running 'pdnsutil show-zone'
they seem ok to me too:
pdnsutil show-zone anotherlife.net
Mar 29 20:06:23 [bindbackend] Done parsing domains, 0 rejected, 0 new, 0 removed
This is a Native zone
Metadata items: None
Zone has NSEC semantics
keys:
ID = 15 (CSK), flags = 257, tag = 54620, algo = 13, bits = 256 Active
Published ( ECDSAP256SHA256 )
CSK DNSKEY = anotherlife.net. IN DNSKEY 257 3 13 fo66pKO4AgAWhkJ7nAo89ASFTlIedody5Hq/RvG9ntjEIKLRxg/DlTYcD0ZzzR5U5fC0YjQKq2jJK3xtlRp2tA== ; ( ECDSAP256SHA256 )
DS = anotherlife.net. IN DS 54620 13 1
34a8867caea8853a71567e03cf639dea0e1b7d49 ; ( SHA1 digest )
DS = anotherlife.net. IN DS 54620 13 2
5b7f150a199a6d29c64a0a27822a99bc1caa6d051ac62a42ccb022aad919058b ; ( SHA256 digest )
DS = anotherlife.net. IN DS 54620 13 4
03d435af34a1508735234b54a1125aaea7e35d16570e44a2d0ab41255d02d8649d64e750ef6deaac4a698426f8f3ccef ; ( SHA-384 digest )
However, when I test my zones with the 'dig' command I receive an unexpected
result: all zones have the same validity period.
dig @xx.xxx.xx.xx strangeworld.net +dnssec +short
10.200.12.151
A 13 2 3600 20220407000000 20220317000000 14784 strangeworld.net. PWeyW+0vHEMIbB3syYeLAhpE0gxUY9KE9G8Ux3vtr3vpuiKWsUFfZ6cR cBZ6rXWqZxvgnKjSxvMA05S3ZMMRdA==
dig @xx.xxx.xx.xx anotherlife.net +dnssec +short
10.200.12.151
A 13 2 3600 20220407000000 20220317000000 54620 anotherlife.net. ffWofGgMfkqsKzXTwiFnu40wBqn6UJmDrCaqxsEx4RHI7/3wU4xgScSQ 2gJxS49U8xrz2QVjDn4noIzy3lqNPA==
How could I configure my Primary Servers to sign zones with different
validity periods?
I tried setting the following options in my config file:
default-soa-edit=INCREMENT-WEEKS
default-soa-edit-signed=INCREMENT-WEEKS
I tried other values too, but nothing seems to work.
Well, how could I solve this issue?
And please excuse my poor knowledge of PowerDNS and of the English language
too rsrs
Regards
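The following is an added example, not part of the post above and not code from the PowerDNS project. It reproduces the rule PowerDNS' live signer applies when it fills in RRSIG timestamps: weeks are counted from the Unix epoch (so a week boundary falls on Thursday 00:00 UTC), inception is set one week before the start of the current week and expiration two weeks after it, and the zone is re-signed at the next boundary. Because that window depends only on the server clock, every zone signed by the same server at the same time carries the same inception and expiration, which is exactly what the two dig answers in the post show. The script checks that rule against the two RRSIG lines quoted in the post (the post's own data; the "now" value is constructed from the post's date header) and also classifies an RRSIG as ok, expiring soon, expired or not yet valid, the kind of check a monitor would run against a signed zone. The three-day warning threshold is an arbitrary choice of this example.

```python
"""Reproduce PowerDNS' RRSIG validity window and check RRSIG RDATA against it."""
import re
from datetime import datetime, timezone

WEEK = 7 * 86400


def pdns_signature_window(now_epoch):
    # PowerDNS' signer aligns weeks to the Unix epoch (boundaries are Thursday
    # 00:00 UTC), signs from one week before the start of the current week
    # until two weeks after it, and re-signs every Thursday.  The window is a
    # function of the clock only, never of the zone being signed.
    start_of_week = now_epoch - (now_epoch % WEEK)
    return start_of_week - WEEK, start_of_week + 2 * WEEK


def to_rrsig_time(epoch):
    # RRSIG presentation format for timestamps: YYYYMMDDHHmmSS in UTC.
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y%m%d%H%M%S")


def from_rrsig_time(stamp):
    dt = datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


# RRSIG RDATA as printed by `dig +short`:
# type-covered algorithm labels original-ttl expiration inception key-tag signer signature
RRSIG_RE = re.compile(
    r"^(?P<covered>\S+) (?P<alg>\d+) (?P<labels>\d+) (?P<ttl>\d+) "
    r"(?P<expiration>\d{14}) (?P<inception>\d{14}) (?P<keytag>\d+) "
    r"(?P<signer>\S+) (?P<sig>.+)$"
)


def parse_rrsig(rdata):
    # Normalise whitespace first: dig wraps the base64 signature over lines.
    m = RRSIG_RE.match(" ".join(rdata.split()))
    if not m:
        raise ValueError("not an RRSIG RDATA: " + rdata)
    r = m.groupdict()
    for key in ("alg", "labels", "ttl", "keytag"):
        r[key] = int(r[key])
    r["expiration"] = from_rrsig_time(r["expiration"])
    r["inception"] = from_rrsig_time(r["inception"])
    r["sig"] = r["sig"].replace(" ", "")
    return r


def rrsig_status(rdata, now_epoch, warn_before=3 * 86400):
    # RFC 4034: an RRSIG must not be used before inception or after expiration.
    r = parse_rrsig(rdata)
    if now_epoch < r["inception"]:
        return "not-yet-valid"
    if now_epoch > r["expiration"]:
        return "expired"
    if r["expiration"] - now_epoch < warn_before:
        return "expiring-soon"
    return "ok"


def matches_pdns_window(rdata, now_epoch):
    # True when the RRSIG carries exactly the window PowerDNS would pick now.
    r = parse_rrsig(rdata)
    return (r["inception"], r["expiration"]) == pdns_signature_window(now_epoch)


# Sample input: the two RRSIG answers quoted in the post (dig +short output).
RRSIG_STRANGEWORLD = (
    "A 13 2 3600 20220407000000 20220317000000 14784 strangeworld.net. "
    "PWeyW+0vHEMIbB3syYeLAhpE0gxUY9KE9G8Ux3vtr3vpuiKWsUFfZ6cR\n"
    "cBZ6rXWqZxvgnKjSxvMA05S3ZMMRdA=="
)
RRSIG_ANOTHERLIFE = (
    "A 13 2 3600 20220407000000 20220317000000 54620 anotherlife.net. "
    "ffWofGgMfkqsKzXTwiFnu40wBqn6UJmDrCaqxsEx4RHI7/3wU4xgScSQ\n"
    "2gJxS49U8xrz2QVjDn4noIzy3lqNPA=="
)
# Constructed from the post's date header: Tue Mar 29 20:33:04 UTC 2022.
POST_TIME = 1648585984

if __name__ == "__main__":
    inc, exp = pdns_signature_window(POST_TIME)
    print("PowerDNS window at post time:", to_rrsig_time(inc), to_rrsig_time(exp))
    for rdata in (RRSIG_STRANGEWORLD, RRSIG_ANOTHERLIFE):
        r = parse_rrsig(rdata)
        print(r["signer"], "tag", r["keytag"], rrsig_status(rdata, POST_TIME),
              "matches PowerDNS window:", matches_pdns_window(rdata, POST_TIME))
```

Running it at the post's timestamp reports the window 20220317000000 to 20220407000000 for both zones, i.e. the same values as the dig output, and a run one Thursday later would show both zones moved together to a window ending 20220414000000. The status function is the piece worth keeping: an RRSIG that is still served after its expiration, or whose inception lies in the future because a signer's clock is wrong, makes validating resolvers return SERVFAIL for the whole zone.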