[Pdns-users] RRSIG validity period
Klaus Darilion
klaus.darilion at nic.at
Wed Mar 30 08:04:20 UTC 2022
PowerDNS signature validity is always 3 weeks. Start is the second-last Thursday 00:00 UTC, end is the next-but-one Thursday 00:00 UTC.
Start                                                End
Thursday      Thursday      Today      Thursday      Thursday
00:00         00:00                    00:00         00:00
Signatures are calculated "on the fly" for every response sent out. To have more or less "static" signatures the above algorithm is used. Thursday 00:00 is the beginning of the Linux epoch. Hence, every "epoch-week" the signature lifetimes are changed.
regards
Klaus
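The rule in the reply above, and the observation in the quoted question below that every zone carries the same RRSIG dates, can be checked with a few lines of Python. This is an added example, not PowerDNS code: it takes the three-week rule exactly as stated (epoch weeks start on Thursday 00:00 UTC, inception one Thursday back, expiration two Thursdays forward) and applies it to the two RRSIGs from the dig output quoted in the thread. The signing time is taken from the "Mar 29 20:03:57" log line; treating that local timestamp as UTC is an assumption.

```python
"""Reproduce the RRSIG validity window PowerDNS uses, as described in the
reply above. Added example, not PowerDNS code.

Assumptions (all taken from the reply): the window is three epoch weeks long;
epoch-week boundaries are Thursday 00:00 UTC because 1970-01-01 was a
Thursday; inception is the Thursday before the current week's Thursday;
expiration is two Thursdays after it.
"""
from datetime import datetime, timezone

WEEK = 7 * 86400  # one epoch week, in seconds


def rrsig_window(now: int) -> tuple[int, int]:
    """Return (inception, expiration) Unix timestamps for signatures made at `now`."""
    start_of_week = now - now % WEEK        # most recent Thursday 00:00 UTC
    inception = start_of_week - WEEK        # the Thursday before that
    expiration = start_of_week + 2 * WEEK   # the Thursday after next
    return inception, expiration


def to_rrsig_time(ts: int) -> str:
    """Format a timestamp in the YYYYMMDDHHmmSS form shown in RRSIG rdata."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y%m%d%H%M%S")


def from_rrsig_time(text: str) -> int:
    """Parse a YYYYMMDDHHmmSS RRSIG timestamp (always UTC) to Unix seconds."""
    return int(datetime.strptime(text, "%Y%m%d%H%M%S")
               .replace(tzinfo=timezone.utc).timestamp())


def parse_rrsig_rdata(rdata: str) -> dict:
    """Split RRSIG presentation format (RFC 4034 section 3.2): type covered,
    algorithm, labels, original TTL, expiration, inception, key tag, signer,
    then the base64 signature, which dig may print in space-separated chunks."""
    f = rdata.split()
    return {
        "type_covered": f[0],
        "algorithm": int(f[1]),
        "labels": int(f[2]),
        "original_ttl": int(f[3]),
        "expiration": from_rrsig_time(f[4]),
        "inception": from_rrsig_time(f[5]),
        "key_tag": int(f[6]),
        "signer": f[7],
        "signature": "".join(f[8:]),
    }


def check_rrsig(rdata: str, now: int) -> dict:
    """Compare an RRSIG's timestamps with the window PowerDNS would have used
    when signing at `now`, and report the remaining validity in days. Under
    the rule above a freshly generated signature always has between 7 and 21
    days left, so a monitor can alert when days_left falls below 7."""
    sig = parse_rrsig_rdata(rdata)
    inception, expiration = rrsig_window(now)
    return {
        "signer": sig["signer"],
        "key_tag": sig["key_tag"],
        "matches_window": (sig["inception"], sig["expiration"]) == (inception, expiration),
        "currently_valid": sig["inception"] <= now < sig["expiration"],
        "days_left": (sig["expiration"] - now) / 86400,
    }


# The two RRSIGs from the dig output quoted further down in this thread.
RRSIGS_FROM_THREAD = [
    "A 13 2 3600 20220407000000 20220317000000 14784 strangeworld.net. "
    "PWeyW+0vHEMIbB3syYeLAhpE0gxUY9KE9G8Ux3vtr3vpuiKWsUFfZ6cR cBZ6rXWqZxvgnKjSxvMA05S3ZMMRdA==",
    "A 13 2 3600 20220407000000 20220317000000 54620 anotherlife.net. "
    "ffWofGgMfkqsKzXTwiFnu40wBqn6UJmDrCaqxsEx4RHI7/3wU4xgScSQ 2gJxS49U8xrz2QVjDn4noIzy3lqNPA==",
]

# Signing time taken from the "Mar 29 20:03:57" log line in the thread;
# treating that local timestamp as UTC is an assumption.
SIGNING_TIME = from_rrsig_time("20220329200357")


def check_thread_samples(now: int = SIGNING_TIME) -> list:
    """Check both quoted RRSIGs: the window depends only on the signing
    time, so every zone signed in the same epoch week gets identical dates."""
    return [check_rrsig(r, now) for r in RRSIGS_FROM_THREAD]


if __name__ == "__main__":
    inception, expiration = rrsig_window(SIGNING_TIME)
    print("window:", to_rrsig_time(inception), "->", to_rrsig_time(expiration))
    for result in check_thread_samples():
        print(result)
```

Run as a script it prints the window 20220317000000 -> 20220407000000, which is exactly what both dig answers in the thread show; the zone name and key tag play no part in the calculation, which is why the timestamps cannot be made to differ per zone through configuration.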
From: Pdns-users <pdns-users-bounces at mailman.powerdns.com> On behalf of Alexander Varejão via Pdns-users
Sent: Tuesday, 29 March 2022 22:33
To: pdns-users at mailman.powerdns.com
Subject: [Pdns-users] RRSIG validity period
Hi Dears,
Well, as I said before, I'm new to PowerDNS and I have some doubts about how it works.
In my tests I'm using three virtual machines:
- One authoritative with mysql backend
- Two Secondaries with sqlite3 backend
I'm confused about the validity period of RRSIGs, could someone help me with it?
So, my primary Server has the following configuration:
/etc/powerdns/pdns.conf
-----------------------------------------------
allow-axfr-ips=ONE SECONDARY IP HERE,OTHER SECONDARY IP HERE
disable-axfr=no
master=yes
include-dir=/etc/powerdns/pdns.d
launch=
security-poll-suffix=
setgid=pdns
setuid=pdns
-----------------------------------------------
/etc/powerdns/pdns.d/pdns.local.gmysql.conf
-----------------------------------------------
# MySQL Configuration
#
# Launch gmysql backend
launch+=gmysql
# gmysql parameters
gmysql-host="PRIMARY IP"
gmysql-port=3306
gmysql-dbname=powerdns
gmysql-user=powerdns
gmysql-password=PASSWORD HERE
gmysql-dnssec=yes
# gmysql-socket=
-----------------------------------------------
And my Secondary Servers have the following configuration
/etc/powerdns/pdns.conf
-----------------------------------------------
slave=yes
slave-cycle-interval=60
include-dir=/etc/powerdns/pdns.d
launch=
security-poll-suffix=
setgid=pdns
setuid=pdns
-----------------------------------------------
/etc/powerdns/pdns.d/pdns.local.gsqlite.conf
-----------------------------------------------
# SQLITE3 Configuration
#
# Launch gsqlite3 backend
launch+=gsqlite3
# gsqlite3 parameters
gsqlite3-database=/var/lib/pdns/powerdns.db
setuid=pdns
setgid=pdns
gsqlite3-dnssec=yes
-----------------------------------------------
I created a fake zone "strangeword.com" and signed it. On my primary server I ran the following commands
pdnsutil secure-zone strangeworld.net
pdnsutil increase-serial strangeworld.net
pdns_control notify strangeworld.net
And running 'pdnsutil show-zone' it seems OK to me
pdnsutil show-zone strangeworld.net
Mar 29 20:03:57 [bindbackend] Done parsing domains, 0 rejected, 0 new, 0 removed
This is a Native zone
Metadata items: None
Zone has NSEC semantics
keys:
ID = 3 (CSK), flags = 257, tag = 14784, algo = 13, bits = 256 Active Published ( ECDSAP256SHA256 )
CSK DNSKEY = strangeworld.net. IN DNSKEY 257 3 13 SnJ1JrZ7wiJ8tQKxEWMlAHfVk6lB90bx8G1J8/t+hQ5iPcdssqRj7YJ7IaXVysyaOCPjQZcNZSCIxSMqqQUFEA== ; ( ECDSAP256SHA256 )
DS = strangeworld.net. IN DS 14784 13 1 64cbfe2b545ed890a4c2b22a22c4ba76e2b211be ; ( SHA1 digest )
DS = strangeworld.net. IN DS 14784 13 2 edf9017ee79e36e0ecf144e63ddb8202b00e6fda58f94244a6def11f63ebcfa7 ; ( SHA256 digest )
DS = strangeworld.net. IN DS 14784 13 4 60e7511e17f9841e4bdfc263140d9b800df09b08380f33797fe1213323a71666df5d630bb63eb2ce8532eadf86f52e59 ; ( SHA-384 digest )
A few weeks later I created new fake zones, and running 'pdnsutil show-zone' it seems OK to me too.
pdnsutil show-zone anotherlife.net
Mar 29 20:06:23 [bindbackend] Done parsing domains, 0 rejected, 0 new, 0 removed
This is a Native zone
Metadata items: None
Zone has NSEC semantics
keys:
ID = 15 (CSK), flags = 257, tag = 54620, algo = 13, bits = 256 Active Published ( ECDSAP256SHA256 )
CSK DNSKEY = anotherlife.net. IN DNSKEY 257 3 13 fo66pKO4AgAWhkJ7nAo89ASFTlIedody5Hq/RvG9ntjEIKLRxg/DlTYcD0ZzzR5U5fC0YjQKq2jJK3xtlRp2tA== ; ( ECDSAP256SHA256 )
DS = anotherlife.net. IN DS 54620 13 1 34a8867caea8853a71567e03cf639dea0e1b7d49 ; ( SHA1 digest )
DS = anotherlife.net. IN DS 54620 13 2 5b7f150a199a6d29c64a0a27822a99bc1caa6d051ac62a42ccb022aad919058b ; ( SHA256 digest )
DS = anotherlife.net. IN DS 54620 13 4 03d435af34a1508735234b54a1125aaea7e35d16570e44a2d0ab41255d02d8649d64e750ef6deaac4a698426f8f3ccef ; ( SHA-384 digest )
However, when I test my zones with the 'dig' command I receive an unexpected result: all zones have the same validity period
dig @xx.xxx.xx.xx strangeworld.net +dnssec +short
10.200.12.151
A 13 2 3600 20220407000000 20220317000000 14784 strangeworld.net. PWeyW+0vHEMIbB3syYeLAhpE0gxUY9KE9G8Ux3vtr3vpuiKWsUFfZ6cR cBZ6rXWqZxvgnKjSxvMA05S3ZMMRdA==
dig @xx.xxx.xx.xx anotherlife.net +dnssec +short
10.200.12.151
A 13 2 3600 20220407000000 20220317000000 54620 anotherlife.net. ffWofGgMfkqsKzXTwiFnu40wBqn6UJmDrCaqxsEx4RHI7/3wU4xgScSQ 2gJxS49U8xrz2QVjDn4noIzy3lqNPA==
How could I configure my Primary Servers to sign zones with different validity periods?
I tried setting these options in my config file:
default-soa-edit=INCREMENT-WEEKS
default-soa-edit-signed=INCREMENT-WEEKS
I tried other values too, but nothing seems to work
Well, how could I solve this issue?
And please excuse my poor knowledge of PowerDNS and of the English language too rsrs
Regards