On Wed, 8 Jun 2011 23:28:11 +0200, Christof Meerwald wrote:
> It looks like when using TSIG PowerDNS doesn't return any RRSIG
> records for a SOA request. This then results in the RRSIG mismatch
> message.

Ok, I have done some debugging now and this is why: PowerDNS expects the OPT RR to be the last record in the additional section, but when using TSIG, the TSIG RR is the last record (as this is required by the TSIG spec). This means that PowerDNS doesn't see the DNSSEC bit in the request and therefore doesn't return a RRSIG record in the response.

(I am assuming PowerDNS generates the SOA request correctly - I have only confirmed this behaviour using dig).

Christof

-- 
http://cmeerw.org                              sip:cmeerw at cmeerw.org
mailto:cmeerw at cmeerw.org                   xmpp:cmeerw at cmeerw.org
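
The record ordering described in the message above, as an added example that is not part of the original post and is not PowerDNS code. It builds a constructed SOA query (OPT with the DO bit, then a TSIG RR with dummy rdata) and compares a "last record only" OPT check with one that scans the whole additional section; all function names and sample values are assumptions made for illustration.

```python
import struct

OPT, TSIG, SOA = 41, 250, 6          # RR type codes

def name(n):
    """Encode a domain name in uncompressed wire format ("" is the root)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in n.rstrip(".").split(".") if l) + b"\0"

def rr(owner, rtype, rclass, ttl, rdata=b""):
    return name(owner) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def build_query(with_tsig):
    """Constructed SOA query: OPT with DO set, optionally followed by a TSIG RR."""
    extra = [rr("", OPT, 4096, 0x00008000)]      # DO bit is 0x8000 in the OPT TTL field
    if with_tsig:                                 # dummy rdata, not a valid TSIG MAC
        extra.append(rr("key.example", TSIG, 255, 0, b"\0" * 16))
    header = struct.pack("!HHHHHH", 0x1234, 0, 1, 0, 0, len(extra))
    return header + name("example.org") + struct.pack("!HH", SOA, 1) + b"".join(extra)

def skip_name(msg, pos):
    """Step over a (possibly compressed) name; return the offset after it."""
    while msg[pos] and msg[pos] & 0xC0 != 0xC0:
        pos += 1 + msg[pos]
    return pos + (2 if msg[pos] else 1)

def additional(msg):
    """Return [(type, ttl)] for each record in the additional section, in order."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4             # skip QTYPE and QCLASS
    out = []
    for _ in range(an + ns + ar):
        pos = skip_name(msg, pos)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10 + rdlen
        out.append((rtype, ttl))
    return out[an + ns:]

def do_bit_last_only(msg):
    """Behaviour described in the message: only the last record is checked for OPT."""
    recs = additional(msg)
    return bool(recs) and recs[-1][0] == OPT and bool(recs[-1][1] & 0x8000)

def do_bit_any_position(msg):
    """Position-independent check: find OPT anywhere in the additional section."""
    return any(t == OPT and ttl & 0x8000 for t, ttl in additional(msg))
```

With the TSIG RR appended, the last-record check reports no DO bit while the scan still finds it, which matches the missing RRSIG in the signed request.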
