[Pdns-users] DNSSEC: How to add TA for . to recursor of self hosted . zone
Jan Huijsmans
bofh at koffie.nu
Mon Mar 4 16:01:12 UTC 2024
Hello,
I'm trying to set up a DNSSEC lab environment with an isolated DNS set.
Service setup:
Servers
- hidden master root server (pdns-auth 4.6.3-1)
- queriable slave root servers (pdns-auth 4.6.3-1 & 4.8.4-1)
- master + slave domain server (pdns-auth 4.8.4-1)
- recursors on 4.9.2-1
pdns.conf of the auth instances include a .conf with
gmysql=dnssec=yes
recursor.conf of the recursors includes a lua-config file with clearTA() and either the addTA function with '.' and the DS content, or readTrustAnchorsFromFile pointing to a file with the output of
pdnsutil export-zone-ds .
All zones are, from lowest to highest zone, signed via the pdns secure-zone command; the DS records are exported via pdnsutil export-zone-ds and that output is added to the next higher zone, up to the . zone.
When I use dig to request records directly from the authoritative instances, I get the answers with RRSIG responses I expect. However, when I try via the recursor, the . zone is not trusted.
The error the pdns recursor logs show on a restart is:
msg="Failed to update . records" error="Got Bogus validation result for .|NS" subsystem="housekeeping" level="0" prio="Error" tid="0" ts="1709563954.159" exception="PDNSException"
When I request the DNSKEY from the . zone and add that to the root.key file (checked on a Debian system what's in /usr/share/dns/root.key to find the syntax) that I read the TA from via lua-config, the result is the same.
Documentation used:
- https://doc.powerdns.com/recursor/dnssec.html
- https://doc.powerdns.com/recursor/lua-config/dnssec.html#addTA
- https://doc.powerdns.com/authoritative/dnssec/index.html
- https://doc.powerdns.com/authoritative/manpages/pdnsutil.1.html
and what I could find with DDG.
dnssec is set to process in the recursor, but it refuses to answer when I use dig; nslookup works (so applications are not impacted by this issue).
It looks to me like I'm missing something simple in establishing the initial trust of the . zone within the recursor; the rest looks like it works as it should.
Any help is appreciated.
Regards,
Jan Huijsmans
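A check that belongs next to the setup described above, as an added example (not code from the post, the list, or PowerDNS): recompute the DS record from the DNSKEY the root slaves actually serve and compare it with the DS content given to addTA() or to the trust-anchor file. The recursor reports Bogus for .|NS whenever the trust anchor does not correspond to the DNSKEY it sees, and a DS generated by hand for the root is easy to get subtly wrong because the owner name "." is a single zero byte in wire form. The script assumes the standard presentation formats (`. 172800 IN DNSKEY 257 3 8 <base64>` as dig prints it, `. IN DS <tag> <alg> <dtype> <hex>` as pdnsutil export-zone-ds prints it); the key material in the usage block is constructed and is not a real key.

```python
"""Verify that a DS trust anchor matches a served DNSKEY (RFC 4034 key tag,
RFC 4509 SHA-256 digest) and render it as the lua-config addTA() call.

Added example; not part of the mailing-list post or of PowerDNS itself.
"""
import base64
import hashlib
import hmac

# Digest types accepted in DS records: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of an owner name; '.' is one zero byte."""
    name = name.strip().lower()
    if name in ("", "."):
        return b"\x00"
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line: str):
    """Parse '<owner> [ttl] [IN] DNSKEY <flags> <proto> <alg> <base64...>' into (owner, rdata)."""
    tokens = line.split()
    idx = tokens.index("DNSKEY")
    flags, proto, alg = (int(t) for t in tokens[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(tokens[idx + 4:]))  # base64 may be split over tokens
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    return tokens[0], rdata


def ds_from_dnskey(line: str, digest_type: int = 2) -> tuple:
    """Return (key_tag, algorithm, digest_type, HEX_DIGEST) for the given DNSKEY line."""
    owner, rdata = parse_dnskey(line)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest


def parse_ds(line: str) -> tuple:
    """Parse '<owner> [ttl] [IN] DS <tag> <alg> <dtype> <hex...>' into the same tuple shape."""
    tokens = line.split()
    idx = tokens.index("DS")
    tag, alg, dtype = (int(t) for t in tokens[idx + 1:idx + 4])
    return tag, alg, dtype, "".join(tokens[idx + 4:]).upper()


def dnskey_matches_ds(dnskey_line: str, ds_line: str) -> bool:
    """True only if tag, algorithm, digest type and digest all agree."""
    tag, alg, dtype, digest = parse_ds(ds_line)
    if dtype not in DIGEST_ALGS:
        return False
    expected = ds_from_dnskey(dnskey_line, dtype)
    return expected[:3] == (tag, alg, dtype) and hmac.compare_digest(expected[3], digest)


def lua_addta_line(ds_line: str) -> str:
    """Render a DS line as the addTA(name, dscontent) call used in the recursor's lua-config."""
    owner = ds_line.split()[0]
    tag, alg, dtype, digest = parse_ds(ds_line)
    return f"addTA('{owner}', '{tag} {alg} {dtype} {digest}')"


if __name__ == "__main__":
    # Constructed DNSKEY: flags 257 (KSK), proto 3, alg 8, public key bytes 01 02 03 04.
    served_key = ". 172800 IN DNSKEY 257 3 8 AQIDBA=="
    tag, alg, dtype, digest = ds_from_dnskey(served_key)
    anchor = f". IN DS {tag} {alg} {dtype} {digest}"
    print(lua_addta_line(anchor))
    print("trust anchor matches served DNSKEY:", dnskey_matches_ds(served_key, anchor))
```

In the lab this would be run with the DNSKEY line taken from `dig DNSKEY . @<root slave>` and the DS line from the file handed to readTrustAnchorsFromFile (or the string given to addTA); a False result points at a stale or mis-generated anchor, whereas a True result means the anchor is fine and the Bogus verdict must come from elsewhere in the chain (for example the RRSIG over the root DNSKEY set, or a mismatch between the DS in . and the DNSKEY of the delegated zone).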