Hi Folks,

In addition to the findings I communicated to this list in "DNSsec DS trouble in single server TLD setup" on Thu Apr 21, I tried to delegate a subdomain with DNSsec on PowerDNS Server (pdns-3.0-rc2.20110419.2176).

If both parent domain and child domain are hosted within the same instance of PowerDNS (with mysql backend), I fail because PowerDNS refuses to serve me the DS of the subzone. I do not know if this is the normal way to go for this sort of thing; the alternative is to put the child RR's into the parent zone. This works fine, but putting it all into the parent zone becomes very messy very fast. As an ISP we have subzones with 40,000+ RR's, and I'm not especially looking forward to bundling those into 200,000+ RR zones. Also, if you put all records in the parent zone, you will have a harder time delegating responsibilities for sub zones to e.g. another office. You can in this scenario make two extra servers of course, but then you have to take care of 4 servers.

Here's what I did:

domain_id 5 = parent (pre-exists)
domain_id 6 = child

Create subdomain
=========================================================================
INSERT INTO `powerdns`.`domains`
  (`id`, `name`, `master`, `last_check`, `type`, `notified_serial`, `account`)
VALUES
  (NULL, 'sales.securename.nl', NULL, NULL, 'NATIVE', NULL, NULL);

NS of subdomain in child zone
=========================================================================
INSERT INTO `powerdns`.`records`
  (`id`, `domain_id`, `name`, `type`, `content`, `ttl`, `prio`, `change_date`, `ordername`, `auth`)
VALUES
  (NULL, '6', 'sales.securename.nl', 'NS', 'dnssec-auth-bis.mer-nm.internl.net', '600', '0', NULL, NULL, '1');

SOA of subdomain in child zone
=========================================================================
INSERT INTO `powerdns`.`records`
  (`id`, `domain_id`, `name`, `type`, `content`, `ttl`, `prio`, `change_date`, `ordername`, `auth`)
VALUES
  (NULL, '6', 'sales.securename.nl', 'SOA', 'dnssec-auth-bis.mer-nm.internl.net blah.internl.net 2011042600 7200 3600 604800 3600', '600', '0', NULL, NULL, '1');

MX of subdomain in child zone
=========================================================================
INSERT INTO `powerdns`.`records`
  (`id`, `domain_id`, `name`, `type`, `content`, `ttl`, `prio`, `change_date`, `ordername`, `auth`)
VALUES
  (NULL, '6', 'sales.securename.nl', 'MX', 'mail.sales.securename.nl', '600', '10', NULL, NULL, '1');

A of MX of subdomain in child zone
=========================================================================
INSERT INTO `powerdns`.`records`
  (`id`, `domain_id`, `name`, `type`, `content`, `ttl`, `prio`, `change_date`, `ordername`, `auth`)
VALUES
  (NULL, '6', 'mail.sales.securename.nl', 'A', '1.2.3.4', '600', '0', NULL, NULL, '1');

Check
===========================================================================
dig +multiline ns sales.securename.nl @dnssec-auth-bis.mer-nm.internl.net -> works
dig +multiline soa sales.securename.nl @dnssec-auth-bis.mer-nm.internl.net -> works

DNSsec-ify
===========================================================================
pdnssec secure-zone sales.securename.nl
pdnssec set-nsec3 sales.securename.nl
pdnssec rectify-zone sales.securename.nl
pdnssec check-zone sales.securename.nl
pdnssec show-zone sales.securename.nl

DS = sales.securename.nl IN DS 42385 8 2 ec12ab2e160eab1681ea3031b2d72b04d61a58cc914ecb68a3a39a17d5eb0eb6

INSERT INTO `powerdns`.`records`
  (`id`, `domain_id`, `name`, `type`, `content`, `ttl`, `prio`, `change_date`, `ordername`, `auth`)
VALUES
  (NULL, '5', 'sales.securename.nl', 'DS', '42385 8 2 ec12ab2e160eab1681ea3031b2d72b04d61a58cc914ecb68a3a39a17d5eb0eb6', '600', '0', NULL, NULL, '1');

pdnssec rectify-zone sales.securename.nl
pdnssec rectify-zone securename.nl
/etc/init.d/pdns restart

dig +multiline +dnssec dnskey sales.securename.nl @dnssec-auth-bis.mer-nm.internl.net -> works
dig +multiline +dnssec soa sales.securename.nl @dnssec-auth-bis.mer-nm.internl.net -> works
dig +multiline +dnssec ns sales.securename.nl @dnssec-auth-bis.mer-nm.internl.net -> works
dig +multiline +dnssec ds sales.securename.nl @dnssec-auth-bis.mer-nm.internl.net -> Fails, only NSEC3 output

Which means that validation fails.

Any remarks or suggestions?

BTW, this setup no longer exists, but I can re-create it if needed.

Kind regards,
--
Niek

Pdns-users mailing list
http://mailman.powerdns.com/mailman/listinfo/pdns-users
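As an added example (not part of Niek's post and not PowerDNS code), an offline check that the DS content stored in the parent zone (domain_id 5) was really derived from the child's KSK: it rebuilds the key tag (RFC 4034 Appendix B) and the digest-type-2 DS (SHA-256 over the canonical owner name in wire format followed by the DNSKEY RDATA, RFC 4034 section 5.1.4), which is exactly what a validator compares at the delegation point before it trusts the child's DNSKEY. The DNSKEY public-key bytes in the demo are constructed, not the real key behind the DS shown above.

```python
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical (lowercase, uncompressed) wire format, RFC 4034 s6.2."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    wire = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, then the key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def keytag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (the variant for every algorithm but 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner: str, rdata: bytes) -> str:
    """DS content in presentation format (digest type 2 = SHA-256), as show-zone prints it."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    algorithm = rdata[3]
    return f"{keytag(rdata)} {algorithm} 2 {digest}"


def parse_ds(content: str):
    """Split a records.content DS string into (keytag, algorithm, digest type, digest)."""
    tag, alg, dtype, digest = content.split()
    return int(tag), int(alg), int(dtype), digest.lower()


def ds_matches(parent_ds: str, owner: str, rdata: bytes) -> bool:
    """True only if the DS in the parent zone was derived from this child DNSKEY."""
    return parse_ds(parent_ds) == parse_ds(ds_from_dnskey(owner, rdata))


if __name__ == "__main__":
    # Constructed demo KSK: flags 257, protocol 3, algorithm 8 (RSA/SHA-256);
    # the public-key bytes are made up and are not the real sales.securename.nl key.
    demo_key = dnskey_rdata(257, 3, 8, b"\x01\x02")
    parent_ds = ds_from_dnskey("sales.securename.nl", demo_key)
    print("DS content for the parent zone:", parent_ds)
    print("matches child KSK:", ds_matches(parent_ds, "sales.securename.nl", demo_key))
```

Feed it the DNSKEY bytes from `dig +dnssec dnskey` of the child and the content column of the parent's DS row; a mismatch (wrong owner name, stale key after a rollover, copy-paste damage) shows up before a resolver reports a bogus delegation.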
