[Pdns-users] Question about DNSSEC + ALIAS (cname at the apex hack)

Klaus Darilion klaus.darilion at nic.at
Tue May 31 07:29:21 UTC 2022


https://github.com/PowerDNS/pdns/issues/10150

From: Pdns-users <pdns-users-bounces at mailman.powerdns.com> On behalf of Klaus Darilion via Pdns-users
Sent: Tuesday, 31 May 2022 06:35
To: jake at elsif.net; pdns-users at mailman.powerdns.com
Subject: Re: [Pdns-users] Question about DNSSEC + ALIAS (cname at the apex hack)

Alias does not support DNSSEC. See issues on GitHub.

Klaus


Sent via BlackBerry Work (www.blackberry.com)
________________________________
From: Pdns-users <pdns-users-bounces at mailman.powerdns.com> on behalf of Jake via Pdns-users <pdns-users at mailman.powerdns.com>
Sent: 30.05.2022 22:10
To: pdns-users at mailman.powerdns.com
Subject: [Pdns-users] Question about DNSSEC + ALIAS (cname at the apex hack)

Created a domain called "aliastest.ca".

Set the options recursive= and expand-alias= as prescribed.

All works...

Used "pdnsutil secure-zone aliastest.ca"...and it signed the zone...all
easier than I expected, so yay!

However...when I query for records under the zone...

# dig @localhost A www.aliastest.ca. +dnssec +short
4.4.4.4
A 13 3 3600 20220609000000 20220519000000 30598 aliastest.ca.
sIhw7mNWncSfshFAf5hXtblduAFy1bFyhR32mYedzj4br7WWG8angHMj
SnOqnU7jJzW1u6INtskuwMuNbR+4WQ==

I see NSEC records...great!

# dig @localhost A aliastest.ca. +dnssec +short
151.101.125.67

I don't see NSEC records...why?

I somewhat assumed that PowerDNS would be signing the recursive output
from the ALIAS target...is this some other option I don't know about?

> select * from domains where name="aliastest.ca";
+---------+--------------+--------+------------+--------+-----------------+---------+
| id      | name         | master | last_check | type   | notified_serial | account |
+---------+--------------+--------+------------+--------+-----------------+---------+
| 4000003 | aliastest.ca | NULL   |       NULL | NATIVE |            NULL | NULL    |
+---------+--------------+--------+------------+--------+-----------------+---------+

> select * from records where domain_id="4000003";
+----------+-----------+--------------------+-------+-------------------------------------------------------------------------+------+------+-------------+----------+-----------+------+
| id       | domain_id | name               | type  | content                                                                 | ttl  | prio | change_date | disabled | ordername | auth |
+----------+-----------+--------------------+-------+-------------------------------------------------------------------------+------+------+-------------+----------+-----------+------+
| 48000014 |   4000003 | aliastest.ca       | SOA   | ns01.aliastest.ca admin-dns.aliastest.ca 2022030101 1800 900 604800 300 | 3600 |    0 |        NULL |        0 |           |    1 |
| 48000015 |   4000003 | aliastest.ca       | NS    | ns01.aliastest.ca                                                       | 3600 |    0 |        NULL |        0 |           |    1 |
| 48000016 |   4000003 | aliastest.ca       | NS    | ns02.aliastest.ca                                                       | 3600 |    0 |        NULL |        0 |           |    1 |
| 48000017 |   4000003 | aliastest.ca       | MX    | mail1.aliastest.ca                                                      | 3600 |   10 |        NULL |        0 |           |    1 |
| 48000018 |   4000003 | aliastest.ca       | MX    | mail2.aliastest.ca                                                      | 3600 |   20 |        NULL |        0 |           |    1 |
| 48000019 |   4000003 | aliastest.ca       | MX    | mail3.aliastest.ca                                                      | 3600 |   30 |        NULL |        0 |           |    1 |
| 48000020 |   4000003 | ns01.aliastest.ca  | A     | 10.6.20.71                                                              | 3600 |    0 |        NULL |        0 | ns01      |    1 |
| 48000021 |   4000003 | ns02.aliastest.ca  | A     | 10.6.20.72                                                              | 3600 |    0 |        NULL |        0 | ns02      |    1 |
| 48000022 |   4000003 | mail1.aliastest.ca | A     | 1.1.1.1                                                                 | 3600 |    0 |        NULL |        0 | mail1     |    1 |
| 48000023 |   4000003 | mail2.aliastest.ca | A     | 2.2.2.2                                                                 | 3600 |    0 |        NULL |        0 | mail2     |    1 |
| 48000024 |   4000003 | mail3.aliastest.ca | A     | 3.3.3.3                                                                 | 3600 |    0 |        NULL |        0 | mail3     |    1 |
| 48000025 |   4000003 | www.aliastest.ca   | A     | 4.4.4.4                                                                 | 3600 |    0 |        NULL |        0 | www       |    1 |
| 48000026 |   4000003 | aliastest.ca       | ALIAS | www.cnn.com                                                             | 3600 |    0 |        NULL |        0 |           |    1 |
+----------+-----------+--------------------+-------+-------------------------------------------------------------------------+------+------+-------------+----------+-----------+------+

Thanks all,
-jake
_______________________________________________
Pdns-users mailing list
Pdns-users at mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
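As an added example (not code from this thread or from PowerDNS), the script below parses the two `dig +dnssec +short` answers Jake posted and reports, for each, whether the A RRset is covered by an RRSIG. The lines dig printed after `4.4.4.4` are RRSIG rdata, which `+short` shows without owner name or type: type covered, algorithm (13 = ECDSAP256SHA256), label count, original TTL, expiration, inception, key tag and signer, then the base64 signature wrapped over two lines. The apex answer has no such trailer, so a validating resolver holding a DS for the zone would treat it as bogus, since there is neither an RRSIG nor an NSEC proof that the name is unsigned. The function and constant names (`check_answer`, `parse_short_answer`, `WWW_ANSWER`, `APEX_ANSWER`) are this example's own; the sample input is copied from the posted output.

```python
"""Check whether the RRsets in a `dig +dnssec +short` answer carry RRSIGs.

Added example, not code from the thread or from PowerDNS. In +short mode dig
prints an RRSIG as bare rdata: <type covered> <alg> <labels> <orig TTL>
<expiration> <inception> <key tag> <signer>, then the base64 signature.
"""
import base64
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone

# IANA DNSSEC algorithm numbers; the posted RRSIG uses 13.
ALGORITHMS = {8: "RSASHA256", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519"}
# Fixed signature sizes (bytes) for the non-RSA algorithms: a cheap sanity check.
FIXED_SIG_LEN = {13: 64, 14: 96, 15: 64}


@dataclass
class Rrsig:
    type_covered: str
    algorithm: int
    labels: int
    original_ttl: int
    expiration: datetime
    inception: datetime
    key_tag: int
    signer: str
    signature: bytes

    def valid_at(self, when: datetime) -> bool:
        # RFC 4034 s3.1.5: usable only inside the inception..expiration window
        return self.inception <= when <= self.expiration

    def size_ok(self) -> bool:
        # False if the algorithm has a fixed signature size and this one differs
        expected = FIXED_SIG_LEN.get(self.algorithm)
        return expected is None or len(self.signature) == expected


def is_ip(token: str) -> bool:
    try:
        return bool(ipaddress.ip_address(token))
    except ValueError:
        return False


def parse_sigtime(s: str) -> datetime:
    """RFC 4034 s3.2 presentation format: YYYYMMDDHHmmSS, always UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_short_answer(text: str):
    """Split +short output into (addresses, [Rrsig, ...])."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    addresses, rrsigs = [], []
    i = 0
    while i < len(lines):
        fields = lines[i].split()
        if len(fields) == 1 and is_ip(fields[0]):
            addresses.append(fields[0])
            i += 1
            continue
        if len(fields) >= 8 and all(fields[k].isdigit() for k in (1, 2, 3, 6)):
            sig_chunks = fields[8:]  # the signature may begin on the header line
            i += 1
            # continuation lines: single base64 tokens that are not addresses
            while i < len(lines) and len(lines[i].split()) == 1 and not is_ip(lines[i]):
                sig_chunks.append(lines[i])
                i += 1
            rrsigs.append(Rrsig(
                type_covered=fields[0], algorithm=int(fields[1]), labels=int(fields[2]),
                original_ttl=int(fields[3]), expiration=parse_sigtime(fields[4]),
                inception=parse_sigtime(fields[5]), key_tag=int(fields[6]), signer=fields[7],
                signature=base64.b64decode("".join(sig_chunks)),
            ))
            continue
        raise ValueError(f"unrecognised +short line: {lines[i]!r}")
    return addresses, rrsigs


def check_answer(text: str, rrtype: str = "A") -> dict:
    """Report whether the queried RRset is covered by at least one RRSIG."""
    addresses, rrsigs = parse_short_answer(text)
    covering = [s for s in rrsigs if s.type_covered == rrtype]
    return {"addresses": addresses, "signed": bool(covering),
            "key_tags": [s.key_tag for s in covering], "rrsigs": covering}


# The two answers exactly as posted in the thread.
WWW_ANSWER = """
4.4.4.4
A 13 3 3600 20220609000000 20220519000000 30598 aliastest.ca.
sIhw7mNWncSfshFAf5hXtblduAFy1bFyhR32mYedzj4br7WWG8angHMj
SnOqnU7jJzW1u6INtskuwMuNbR+4WQ==
"""
APEX_ANSWER = "151.101.125.67\n"

if __name__ == "__main__":
    for label, answer in (("www.aliastest.ca", WWW_ANSWER), ("aliastest.ca (ALIAS)", APEX_ANSWER)):
        r = check_answer(answer)
        print(label, r["addresses"], "signed" if r["signed"] else "NOT signed")
        for s in r["rrsigs"]:
            print(f"  RRSIG {s.type_covered} {ALGORITHMS.get(s.algorithm)} keytag={s.key_tag} "
                  f"signer={s.signer} valid {s.inception:%Y-%m-%d}..{s.expiration:%Y-%m-%d} "
                  f"sig={len(s.signature)}B size_ok={s.size_ok()}")
```

Run against the posted output it reports the www answer as signed (ECDSAP256SHA256, key tag 30598, signer aliastest.ca., a 64-byte signature valid from 2022-05-19 to 2022-06-09) and the ALIAS-expanded apex answer as not signed. Pointing it at a full `dig +dnssec +short` capture of a production zone is a quick way to spot RRsets that a signing pipeline has skipped.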