[Pdns-users] Question about DNSSEC + ALIAS (cname at the apex hack)

Jake jake at elsif.net
Mon May 30 20:09:43 UTC 2022


Created a domain called "aliastest.ca".

Set the options recursive= and expand-alias= as prescribed.

All works...

Used "pdnsutil secure-zone aliastest.ca"...and it signed the zone...all 
easier than I expected, so yay!

However...when I query for records under the zone...

# dig @localhost A www.aliastest.ca. +dnssec +short
4.4.4.4
A 13 3 3600 20220609000000 20220519000000 30598 aliastest.ca. sIhw7mNWncSfshFAf5hXtblduAFy1bFyhR32mYedzj4br7WWG8angHMjSnOqnU7jJzW1u6INtskuwMuNbR+4WQ==

I see NSEC records...great!

# dig @localhost A aliastest.ca. +dnssec +short
151.101.125.67

I don't see NSEC records...why?

I somewhat assumed that PowerDNS would be signing the recursive output 
from the ALIAS target...is this some other option I don't know about?

> select * from domains where name="aliastest.ca";
+---------+--------------+--------+------------+--------+-----------------+---------+
| id      | name         | master | last_check | type   | notified_serial | account |
+---------+--------------+--------+------------+--------+-----------------+---------+
| 4000003 | aliastest.ca | NULL   |       NULL | NATIVE |            NULL | NULL    |
+---------+--------------+--------+------------+--------+-----------------+---------+

> select * from records where domain_id="4000003";
+----------+-----------+--------------------+-------+-------------------------------------------------------------------------+------+------+-------------+----------+-----------+------+
| id       | domain_id | name               | type  | content                                                                 | ttl  | prio | change_date | disabled | ordername | auth |
+----------+-----------+--------------------+-------+-------------------------------------------------------------------------+------+------+-------------+----------+-----------+------+
| 48000014 |   4000003 | aliastest.ca       | SOA   | ns01.aliastest.ca admin-dns.aliastest.ca 2022030101 1800 900 604800 300 | 3600 |    0 |        NULL |        0 |           |    1 |
| 48000015 |   4000003 | aliastest.ca       | NS    | ns01.aliastest.ca                                                       | 3600 |    0 |        NULL |        0 |           |    1 |
| 48000016 |   4000003 | aliastest.ca       | NS    | ns02.aliastest.ca                                                       | 3600 |    0 |        NULL |        0 |           |    1 |
| 48000017 |   4000003 | aliastest.ca       | MX    | mail1.aliastest.ca                                                      | 3600 |   10 |        NULL |        0 |           |    1 |
| 48000018 |   4000003 | aliastest.ca       | MX    | mail2.aliastest.ca                                                      | 3600 |   20 |        NULL |        0 |           |    1 |
| 48000019 |   4000003 | aliastest.ca       | MX    | mail3.aliastest.ca                                                      | 3600 |   30 |        NULL |        0 |           |    1 |
| 48000020 |   4000003 | ns01.aliastest.ca  | A     | 10.6.20.71                                                              | 3600 |    0 |        NULL |        0 | ns01      |    1 |
| 48000021 |   4000003 | ns02.aliastest.ca  | A     | 10.6.20.72                                                              | 3600 |    0 |        NULL |        0 | ns02      |    1 |
| 48000022 |   4000003 | mail1.aliastest.ca | A     | 1.1.1.1                                                                 | 3600 |    0 |        NULL |        0 | mail1     |    1 |
| 48000023 |   4000003 | mail2.aliastest.ca | A     | 2.2.2.2                                                                 | 3600 |    0 |        NULL |        0 | mail2     |    1 |
| 48000024 |   4000003 | mail3.aliastest.ca | A     | 3.3.3.3                                                                 | 3600 |    0 |        NULL |        0 | mail3     |    1 |
| 48000025 |   4000003 | www.aliastest.ca   | A     | 4.4.4.4                                                                 | 3600 |    0 |        NULL |        0 | www       |    1 |
| 48000026 |   4000003 | aliastest.ca       | ALIAS | www.cnn.com                                                             | 3600 |    0 |        NULL |        0 |           |    1 |
+----------+-----------+--------------------+-------+-------------------------------------------------------------------------+------+------+-------------+----------+-----------+------+

Thanks all,
-jake
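The comparison Jake makes by hand above (does the answer for a name carry an RRSIG, and is that signature currently valid?) is the kind of thing worth running as a routine check on every name a signed zone serves, since an RRset that goes out unsigned is exactly what a validating resolver will reject. The script below is an added example, not part of the original post and not PowerDNS code: it parses the `dig +dnssec +short` output for a name, separates RDATA lines from RRSIG lines in the RFC 4034 presentation format, and reports whether the queried type is covered by a signature whose inception/expiration window contains a given time. The two sample outputs are the ones quoted in the post (the RRSIG's base64 re-joined onto one line, as dig prints it), and "now" is pinned to the post's own timestamp so the check runs offline and reproducibly; a real deployment would feed it live dig output and `datetime.now(timezone.utc)`.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# RRSIG RDATA in presentation format (RFC 4034, section 3.2), as `dig +dnssec +short` prints it:
#   type-covered algorithm labels original-TTL expiration inception key-tag signer signature
RRSIG_RE = re.compile(
    r"^(?P<covered>[A-Z0-9]+)\s+(?P<alg>\d+)\s+(?P<labels>\d+)\s+(?P<orig_ttl>\d+)\s+"
    r"(?P<expiration>\d{14})\s+(?P<inception>\d{14})\s+(?P<keytag>\d+)\s+"
    r"(?P<signer>\S+)\s+(?P<signature>[A-Za-z0-9+/=]+)$"
)


@dataclass
class SigningReport:
    name: str
    rtype: str
    answers: List[str] = field(default_factory=list)  # plain RDATA lines, e.g. "4.4.4.4"
    signed: bool = False                              # an RRSIG covering rtype was present
    signer: Optional[str] = None
    keytag: Optional[int] = None
    valid_now: Optional[bool] = None                  # inception <= now <= expiration
    days_to_expiry: Optional[float] = None


def _rrsig_time(stamp: str) -> datetime:
    # RRSIG timestamps are YYYYMMDDHHmmSS in UTC
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def check_signed(name: str, rtype: str, short_output: str, now: datetime) -> SigningReport:
    """Classify each line of `dig <name> <rtype> +dnssec +short` output as RDATA or RRSIG
    and report whether the RRset is covered by a signature that is valid at `now`."""
    report = SigningReport(name=name, rtype=rtype)
    for raw in short_output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RRSIG_RE.match(line)
        if m is None:
            report.answers.append(line)
            continue
        if m.group("covered") != rtype:
            continue  # signature over some other type in the same answer; not the RRset we asked about
        inception = _rrsig_time(m.group("inception"))
        expiration = _rrsig_time(m.group("expiration"))
        report.signed = True
        report.signer = m.group("signer")
        report.keytag = int(m.group("keytag"))
        report.valid_now = inception <= now <= expiration
        report.days_to_expiry = (expiration - now).total_seconds() / 86400
    return report


def unsigned_names(reports: List[SigningReport]) -> List[str]:
    """Names that answered with RDATA but carried no RRSIG for it, the symptom seen at the apex."""
    return [r.name for r in reports if r.answers and not r.signed]


# The two `dig +dnssec +short` outputs quoted in the post (signature re-joined onto one line).
WWW_OUTPUT = """\
4.4.4.4
A 13 3 3600 20220609000000 20220519000000 30598 aliastest.ca. sIhw7mNWncSfshFAf5hXtblduAFy1bFyhR32mYedzj4br7WWG8angHMjSnOqnU7jJzW1u6INtskuwMuNbR+4WQ==
"""
APEX_OUTPUT = "151.101.125.67\n"

# "now" pinned to the post's timestamp so the validity check is reproducible offline
POST_TIME = datetime(2022, 5, 30, 20, 9, 43, tzinfo=timezone.utc)


def audit_post_outputs(now: datetime = POST_TIME) -> Tuple[List[SigningReport], List[str]]:
    reports = [
        check_signed("www.aliastest.ca", "A", WWW_OUTPUT, now),
        check_signed("aliastest.ca", "A", APEX_OUTPUT, now),
    ]
    return reports, unsigned_names(reports)


if __name__ == "__main__":
    reports, missing = audit_post_outputs()
    for r in reports:
        print(f"{r.name:18} {r.rtype:3} signed={r.signed} valid_now={r.valid_now} "
              f"keytag={r.keytag} days_to_expiry={r.days_to_expiry}")
    print("unsigned:", missing)
```

Run against the post's two answers, the `www` A record comes back signed by key tag 30598 with a window that still has about nine days left, while the apex A record (the expanded ALIAS target) comes back with no RRSIG at all and lands in the unsigned list. Applied to every name in a zone on a schedule, the same check also flags signatures approaching expiry before resolvers start failing on them.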

