[Pdns-users] Question about DNSSEC + ALIAS (cname at the apex hack)
Jake
jake at elsif.net
Mon May 30 20:38:25 UTC 2022
Never mind with this. Found my answer in the documentation.
"Starting with the PowerDNS Authoritative Server 4.0.0, DNSSEC ‘washing’
of ALIAS records is supported on AXFR (not on live-signing). Set
outgoing-axfr-expand-alias to ‘yes’ and enable DNSSEC for the zone on the
master. PowerDNS will sign the A/AAAA records during the AXFR."
...which I read as not supporting signing of ALIAS responses on live
queries, but only on outgoing xfr's.
Putting this note on the list to help others, though I'd imagine it's been
discussed before.
-jake
On Mon, 30 May 2022, Jake via Pdns-users wrote:
> Created a domain called "aliastest.ca".
>
> Set the options recursive= and expand-alias= as prescribed.
>
> All works...
>
> Used "pdnsutil secure-zone aliastest.ca"...and it signed the zone...all
> easier than I expected, so yay!
>
> However...when I query for records under the zone...
>
> # dig @localhost A www.aliastest.ca. +dnssec +short
> 4.4.4.4
> A 13 3 3600 20220609000000 20220519000000 30598 aliastest.ca. sIhw7mNWncSfshFAf5hXtblduAFy1bFyhR32mYedzj4br7WWG8angHMj SnOqnU7jJzW1u6INtskuwMuNbR+4WQ==
>
> I see NSEC records...great!
>
> # dig @localhost A aliastest.ca. +dnssec +short
> 151.101.125.67
>
> I don't see NSEC records...why?
>
> I somewhat assumed that PowerDNS would be signing the recursive output from
> the ALIAS target...is this some other option I don't know about?
>
>> select * from domains where name="aliastest.ca";
> +---------+--------------+--------+------------+--------+-----------------+---------+
> | id      | name         | master | last_check | type   | notified_serial | account |
> +---------+--------------+--------+------------+--------+-----------------+---------+
> | 4000003 | aliastest.ca | NULL   | NULL       | NATIVE | NULL            | NULL    |
> +---------+--------------+--------+------------+--------+-----------------+---------+
>
>> select * from records where domain_id="4000003";
> +----------+-----------+--------------------+-------+-------------------------------------------------------------------------+------+------+-------------+----------+-----------+------+
> | id       | domain_id | name               | type  | content                                                                 | ttl  | prio | change_date | disabled | ordername | auth |
> +----------+-----------+--------------------+-------+-------------------------------------------------------------------------+------+------+-------------+----------+-----------+------+
> | 48000014 | 4000003   | aliastest.ca       | SOA   | ns01.aliastest.ca admin-dns.aliastest.ca 2022030101 1800 900 604800 300 | 3600 | 0    | NULL        | 0        |           | 1    |
> | 48000015 | 4000003   | aliastest.ca       | NS    | ns01.aliastest.ca                                                       | 3600 | 0    | NULL        | 0        |           | 1    |
> | 48000016 | 4000003   | aliastest.ca       | NS    | ns02.aliastest.ca                                                       | 3600 | 0    | NULL        | 0        |           | 1    |
> | 48000017 | 4000003   | aliastest.ca       | MX    | mail1.aliastest.ca                                                      | 3600 | 10   | NULL        | 0        |           | 1    |
> | 48000018 | 4000003   | aliastest.ca       | MX    | mail2.aliastest.ca                                                      | 3600 | 20   | NULL        | 0        |           | 1    |
> | 48000019 | 4000003   | aliastest.ca       | MX    | mail3.aliastest.ca                                                      | 3600 | 30   | NULL        | 0        |           | 1    |
> | 48000020 | 4000003   | ns01.aliastest.ca  | A     | 10.6.20.71                                                              | 3600 | 0    | NULL        | 0        | ns01      | 1    |
> | 48000021 | 4000003   | ns02.aliastest.ca  | A     | 10.6.20.72                                                              | 3600 | 0    | NULL        | 0        | ns02      | 1    |
> | 48000022 | 4000003   | mail1.aliastest.ca | A     | 1.1.1.1                                                                 | 3600 | 0    | NULL        | 0        | mail1     | 1    |
> | 48000023 | 4000003   | mail2.aliastest.ca | A     | 2.2.2.2                                                                 | 3600 | 0    | NULL        | 0        | mail2     | 1    |
> | 48000024 | 4000003   | mail3.aliastest.ca | A     | 3.3.3.3                                                                 | 3600 | 0    | NULL        | 0        | mail3     | 1    |
> | 48000025 | 4000003   | www.aliastest.ca   | A     | 4.4.4.4                                                                 | 3600 | 0    | NULL        | 0        | www       | 1    |
> | 48000026 | 4000003   | aliastest.ca       | ALIAS | www.cnn.com                                                             | 3600 | 0    | NULL        | 0        |           | 1    |
> +----------+-----------+--------------------+-------+-------------------------------------------------------------------------+------+------+-------------+----------+-----------+------+
>
> Thanks all,
> -jake
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users
>
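The practical takeaway from the thread is that an ALIAS-expanded apex answer can come back without an RRSIG on live queries, so a validating resolver will treat it as bogus while every other name in the zone validates fine. The script below is an added example (not code from the post, the list, or PowerDNS) that turns the check Jake did by hand into something repeatable: it parses `dig +dnssec +short` output, re-joins a signature that was wrapped across lines (as the mailer did above), and reports each name as signed, unsigned, expired, or empty. The two sample answers are constructed from the dig runs quoted in the post; the function and class names are this example's own.

```python
"""Classify ``dig +dnssec +short`` answers as signed / unsigned / expired.

Added example, not from the mailing-list post or from PowerDNS. With
+dnssec, dig's +short output holds plain rdata lines for the queried type
plus RRSIG lines that begin with the covered type, e.g.
  A 13 3 3600 20220609000000 20220519000000 30598 aliastest.ca. <base64>
A base64 signature wrapped onto following lines is re-joined.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import re

# RRSIG rdata: type-covered algorithm labels orig-TTL expiration inception
# key-tag signer-name signature (signature may be absent when wrapped).
RRSIG_RE = re.compile(
    r"^(?P<covered>[A-Z][A-Z0-9]*)\s+(?P<alg>\d+)\s+(?P<labels>\d+)\s+(?P<ttl>\d+)\s+"
    r"(?P<exp>\d{14})\s+(?P<inc>\d{14})\s+(?P<tag>\d+)\s+(?P<signer>\S+)"
    r"(?:\s+(?P<sig>.*))?$"
)
# A wrapped signature fragment: only base64 characters, no dots/colons/quotes.
BASE64_LINE = re.compile(r"^[A-Za-z0-9+/=]+$")


@dataclass
class Rrsig:
    covered: str
    algorithm: int
    key_tag: int
    signer: str
    expiration: datetime
    inception: datetime
    signature: str


def _ts(value):
    """RRSIG timestamps are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_short(output):
    """Split +short output into plain rdata lines and parsed RRSIGs."""
    records, sigs = [], []
    prev_was_sig = False
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RRSIG_RE.match(line)
        if m:
            sigs.append(Rrsig(m["covered"], int(m["alg"]), int(m["tag"]), m["signer"],
                              _ts(m["exp"]), _ts(m["inc"]),
                              (m["sig"] or "").replace(" ", "")))
            prev_was_sig = True
        elif prev_was_sig and BASE64_LINE.match(line):
            # Continuation of a signature that a mailer or terminal wrapped.
            sigs[-1].signature += line
        else:
            records.append(line)
            prev_was_sig = False
    return records, sigs


def check_answer(output, qtype="A", now=None):
    """Return "empty", "unsigned", "expired" (outside the validity window) or "signed"."""
    now = now or datetime.now(timezone.utc)
    records, sigs = parse_short(output)
    if not records:
        return "empty"
    covering = [s for s in sigs if s.covered == qtype]
    if not covering:
        return "unsigned"
    if not any(s.inception <= now <= s.expiration for s in covering):
        return "expired"
    return "signed"


def audit(answers, qtype="A", now=None):
    """Map each name whose answer is not correctly signed to the reason."""
    problems = {}
    for name, output in answers.items():
        status = check_answer(output, qtype, now)
        if status != "signed":
            problems[name] = status
    return problems


# Constructed samples: the two dig outputs from the post, including the
# signature line exactly as the mailer wrapped it.
SIGNED_ANSWER = """\
4.4.4.4
A 13 3 3600 20220609000000 20220519000000 30598 aliastest.ca.
sIhw7mNWncSfshFAf5hXtblduAFy1bFyhR32mYedzj4br7WWG8angHMj
SnOqnU7jJzW1u6INtskuwMuNbR+4WQ==
"""
APEX_ANSWER = "151.101.125.67\n"
POST_DATE = datetime(2022, 5, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    sample = {"www.aliastest.ca": SIGNED_ANSWER, "aliastest.ca": APEX_ANSWER}
    for name, status in audit(sample, now=POST_DATE).items():
        print(f"{name}: {status}")
```

Feed it the raw stdout of `dig @server <name> <type> +dnssec +short` for every name you care about (the apex is the one to watch when ALIAS is in play); a name that comes back "unsigned" from a zone that is otherwise secured is exactly the symptom described in the thread, and "expired" catches signatures that stopped being refreshed.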