Hi there.

I am testing powerdnssec with one of my domains, spam.co.nz.

I have 2 PowerDNSSEC servers set up, one as master and one as slave. I have used the normal powerdns for a long time with no problems. Both are set up using gmysql backends (one on each), adding the data into the master mysql database, and they replicate via zone transfers all ok into the slave mysql database.

I set up as in the instructions for the domain spam.co.nz.

Master..

    pdnssec secure-zone spam.co.nz

And

    gmysql-host=127.0.0.1
    gmysql-user=root
    gmysql-password=
    gmysql-dbname=pdns
    gmysql-dnssec
    master=yes

Slave

    pdnssec set-presigned spam.co.nz

(set the domain to be presigned as it's coming from ns1)

    gmysql-host=127.0.0.1
    gmysql-user=root
    gmysql-password=
    gmysql-dbname=pdns
    gmysql-dnssec'
    slave=yes

I can update 114.23.33.130 and it updates on 114.23.33.131.

Testing..

    dig +dnssec T A spam.co.nz @114.23.33.130

gives

    spam.co.nz. 86400 IN A 114.23.33.130
    spam.co.nz. 86400 IN RRSIG A 8 3 86400 20110616000000 20110602000000 45201 spam.co.nz. G8dEGkabnpInz47441Q6nUZkil0fBOjzll1jTRC8qGLx17baG7b30stf aNcRlVvWncvRWvjzMpWocKfUQJuGC5+F7rPLDVK/rRO4L7DATjEZ95eC tw2YfKEZHivKZbOlAEHKncd6A/VV4IOHRpl1ebx6/yQ8Vr36tojI06RW k9k=

    dig +dnssec T A spam.co.nz @114.23.33.130

    spam.co.nz. 86400 IN RRSIG A 8 3 86400 20110616000000 20110602000000 45201 spam.co.nz. G8dEGkabnpInz47441Q6nUZkil0fBOjzll1jTRC8qGLx17baG7b30stf aNcRlVvWncvRWvjzMpWocKfUQJuGC5+F7rPLDVK/rRO4L7DATjEZ95eC tw2YfKEZHivKZbOlAEHKncd6A/VV4IOHRpl1ebx6/yQ8Vr36tojI06RW k9k=
    spam.co.nz. 86400 IN A 114.23.33.130

So I extract the keys ..

    pdnssec export-zone-dnskeys spam.co.nz 1 | grep DNSKEY > trustedkey

And test on 114.23.33.130

    dig +dnssec +sigchase +trusted-key=./trustedkey t A spam.co.nz @114.23.33.130

And..
..
..

    ;; WE HAVE MATERIAL, WE NOW DO VALIDATION
    ;; VERIFYING A RRset for spam.co.nz. with DNSKEY:45201: success
    ;; OK We found DNSKEY (or more) to validate the RRset
    ;; Ok, find a Trusted Key in the DNSKEY RRset: 22621
    ;; VERIFYING DNSKEY RRset for spam.co.nz. with DNSKEY:22621: success
    ;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS

Works..

But

    dig +dnssec +sigchase +trusted-key=./trustedkey t A spam.co.nz @114.23.33.131

    ;; WE HAVE MATERIAL, WE NOW DO VALIDATION
    ;; VERIFYING A RRset for spam.co.nz. with DNSKEY:45201: success
    ;; OK We found DNSKEY (or more) to validate the RRset
    ;; Now, we are going to validate this DNSKEY by the DS
    ;; the DNSKEY isn't trusted-key and there isn't DS to validate the DNSKEY: FAILED

Can someone help with why the slave is failing? I cannot find any documentation on slaves and powerdnssec and how it should be done properly..

Thanks
Craig
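The key tags that dig prints in the sigchase output above (45201, 22621) are computed from each DNSKEY's RDATA. As an added example that is not part of the original post, the following Python script computes the RFC 4034 Appendix B key tag for every DNSKEY line in a file such as the exported trustedkey, so the tags and KSK/ZSK flags in the file can be compared with what each server reports. The sample records, owner name and function names are constructed for illustration.

```python
import base64

def key_tag(flags, protocol, algorithm, public_key):
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    if algorithm == 1:
        # RSA/MD5 uses a different rule (bits taken from the modulus); not handled here.
        raise ValueError("algorithm 1 key tags are not computed by this function")
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key
    acc = 0
    for i, byte in enumerate(rdata):
        # Even offsets contribute the high octet, odd offsets the low octet.
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse_dnskeys(text):
    """Return (owner, flags, algorithm, key_tag) for each single-line DNSKEY record."""
    records = []
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop trailing comments
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
        # The base64 key may be split into several whitespace-separated chunks.
        public_key = base64.b64decode("".join(fields[i + 4:]))
        records.append((fields[0], flags, algorithm,
                        key_tag(flags, protocol, algorithm, public_key)))
    return records

# Constructed sample: a 4-byte dummy key published once with the SEP bit set
# (flags 257, a KSK) and once without it (flags 256, a ZSK).
SAMPLE = """\
example.test. 3600 IN DNSKEY 257 3 8 AQIDBA== ; constructed KSK
example.test. 3600 IN DNSKEY 256 3 8 AQID BA== ; constructed ZSK
"""

if __name__ == "__main__":
    for owner, flags, algorithm, tag in parse_dnskeys(SAMPLE):
        role = "KSK" if flags & 1 else "ZSK"
        print(f"{owner} alg={algorithm} flags={flags} ({role}) key tag={tag}")
```
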
