On Feb 19, 2012, at 3:26, bert hubert wrote:

>> I imported DNSSEC keys originally generated with bind into our powerdns
>> database so we can use the much nicer operational toggles on that.
>
> Good to hear!

It's really nice how much effort you've put into making powerdns not just "correct" but also practical!

>> The zone data is still hosted in bind, but then transferred un-signed into
>> powerdns. The MySQL database is replicated to some DNS servers and a few
>> others will fetch the (signed) data with AXFR.
>
> I'm a bit confused by this - so we have:

Sorry I wasn't more clear!

> Bind -> (slave) -> PowerDNS (which has the keys) -> (slave) -> slaves
>                                |
>                              MySQL
>                                |
>                              + PowerDNS (with no keys)
>
> (this will look best in a fixed width font).

Yes, except the MySQL "slaves" have the keys too; the whole database is replicated.

>> The keys appear (to me) to be imported correctly, but the zone isn't
>> getting any RRSIG signatures.
>
> Do you check by looking into the database? You won't find any RRSIGs there
> indeed on the PowerDNS with the keys. Or do you check in the AXFR?

Ah, good tip checking the AXFR! I confused myself by not using +dnssec when checking with dig, and then by one of the (non-MySQL, non-PowerDNS) slaves not getting NOTIFY messages. I'll send another mail about that.

>> pdnssec show-zone output below. Not sure if there's anything else I can
>> show to help you show me what I did wrong. I'm using 3.0.1.
>
> Can you let us know your observations when you ask 'the powerdns with the
> dnskeys' a question like this 'dig +dnssec -t a ntppool.com @right-ip' ?

Yes, that looks better -- except http://dnssec-debugger.verisignlabs.com/ntppool.com says some of the keys/algorithms don't match. It's complaining about a spurious algorithm 7 DNSKEY that's not included in the RRSIG.

You should be able to see it with:

  $ dig +short +dnssec -t dnskey ntppool.com
  (DNSKEY with algorithm 7 included)

and

  $ dig +dnssec -t soa ntppool.com
  (no RRSIG for algo 7)

pdnssec shows the algo=7 key as active=0; should I just delete that one with remove-zone-key?

  $ pdnssec show-zone
  Syntax: pdnssec show-zone ZONE
  [[email protected] ~]# pdnssec show-zone ntppool.com
  Zone has hashed NSEC3 semantics, configuration: 1 1 1 ab
  Zone is not presigned
  keys:
  ID = 16 (KSK), tag = 25339, algo = 8, bits = 2048  Active: 1
  KSK DNSKEY = ntppool.com IN DNSKEY 257 3 8 AwEAAdGJ1ccaHQgK6+hlw0CLZ04NM7dIutpS7NGcf2RfCiY0MPXHjfFRfzYH+tzxGuoP0DL8tydW379lAuZiozgjtop3gd3RMffFRfrMFGnp4Xk4aBJ7HHx597/Z+SFru0bLtZjtLc3w9JmmdiYytZKOduwk/XiHD+aW8c67Jr83xAZJSqOXRCKwIDKVT6fAQ2pgrXtgFOXIyFVBIFjeApXj4TaOasJ6CM05wh4zSIz6kGPto8xgP6+FMasH+OGizu+mUT/l4mzXPZUhSqYsTp3rWQ585G2E67JWkncAKwgXA1NoSjqZcTU1xY+1ltIiUVi7rHK4B6WLSi74B+tYN6fgYsk=
  DS = ntppool.com IN DS 25339 8 1 8022ccda660009983b2dec059222458f37ec6d2c
  DS = ntppool.com IN DS 25339 8 2 7c518cf2f20e8f3b1497745b76aff3c6be803e15f3d22441f245ed554c7fff05
  DS = ntppool.com IN DS 25339 8 3 01d0420b6b8a1b78f5a6883c6347f082160fa093b336c39cce6f7251b113bbe2
  ID = 17 (ZSK), tag = 43868, algo = 7, bits = 1024  Active: 0
  ID = 18 (ZSK), tag = 55464, algo = 8, bits = 1024  Active: 1
  ID = 19 (ZSK), tag = 64518, algo = 8, bits = 1024  Active: 1

> If you are in a position to do this, could you try the latest snapshots from
> http://www.powerdnssec.org/ to see what they do in your case?

I might try that on a test server and, if it works ok, in production for my NOTIFY problem and just to help testing the new version -- I really appreciate how helpful you and the rest of the community are.

Ask

> What you appear to be trying to do, be a 'signing proxy', is a well
> supported and oft-used scenario. So it should work!

-- 
http://askask.com/
_______________________________________________
Pdns-users mailing list
[email protected]
http://mailman.powerdns.com/mailman/listinfo/pdns-users
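The mismatch the Verisign debugger reports in the thread above is the RFC 4035 section 2.2 rule: every algorithm that appears in the apex DNSKEY RRset must also sign every RRset in the zone, so an algorithm 7 DNSKEY published alongside signatures made only with algorithm 8 makes the zone bogus for a validating resolver. The script below is an added example, not code from this thread or from PowerDNS; it parses `dig +dnssec`-style presentation output and reports, per RRset, which DNSKEY algorithms have no covering RRSIG. The sample input is constructed to mirror the key set discussed (two algorithm 8 keys and one algorithm 7 key); the key material, signer timestamps and SOA fields are placeholders.

```python
"""Report DNSKEY algorithms that lack a covering RRSIG for each RRset
(RFC 4035 section 2.2). Input is dig +dnssec presentation-format text."""
from collections import defaultdict

# Constructed sample modelled on the thread: DNSKEYs with algorithms 8, 8 and 7,
# but RRSIGs made only with algorithm 8. Key data and signatures are placeholders.
SAMPLE = """\
ntppool.com.  3600  IN  DNSKEY  257 3 8 PLACEHOLDERKSK==
ntppool.com.  3600  IN  DNSKEY  256 3 8 PLACEHOLDERZSK8==
ntppool.com.  3600  IN  DNSKEY  256 3 7 PLACEHOLDERZSK7==
ntppool.com.  3600  IN  RRSIG   DNSKEY 8 2 3600 20120301000000 20120201000000 25339 ntppool.com. SIGPLACEHOLDER==
ntppool.com.  3600  IN  SOA     ns1.example. hostmaster.example. 2012021901 3600 900 604800 3600
ntppool.com.  3600  IN  RRSIG   SOA 8 2 3600 20120301000000 20120201000000 55464 ntppool.com. SIGPLACEHOLDER==
"""


def parse_records(text):
    """Yield (owner, rrtype, rdata_fields) for each record line.

    Expects the full form 'owner ttl class type rdata...' that dig prints
    without +short; comment lines (';') and blank lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5:
            continue
        owner, _ttl, _cls, rrtype = fields[:4]
        yield owner, rrtype, fields[4:]


def dnskey_algorithms(text):
    """Algorithm numbers present in the DNSKEY RRset (DNSKEY rdata: flags protocol algorithm key)."""
    return {int(rdata[2]) for _o, t, rdata in parse_records(text) if t == "DNSKEY"}


def rrsig_algorithms_by_type(text):
    """Map covered RR type -> set of algorithms used by RRSIGs over it
    (RRSIG rdata: type-covered algorithm labels ottl expiration inception keytag signer sig)."""
    covered = defaultdict(set)
    for _o, t, rdata in parse_records(text):
        if t == "RRSIG":
            covered[rdata[0]].add(int(rdata[1]))
    return covered


def missing_signatures(text):
    """Return {rrtype: [algorithms]} for every RRset that is not signed by
    at least one key of each algorithm in the DNSKEY RRset."""
    algos = dnskey_algorithms(text)
    signed = rrsig_algorithms_by_type(text)
    rrtypes = {t for _o, t, _r in parse_records(text) if t != "RRSIG"}
    gaps = {}
    for rrtype in sorted(rrtypes):
        lacking = sorted(algos - signed.get(rrtype, set()))
        if lacking:
            gaps[rrtype] = lacking
    return gaps


if __name__ == "__main__":
    for rrtype, lacking in missing_signatures(SAMPLE).items():
        print(f"{rrtype}: no RRSIG for DNSKEY algorithm(s) {lacking}")
```

Run against real data with `dig +dnssec -t dnskey ZONE` and `dig +dnssec -t soa ZONE` concatenated into one file; an empty result means every published algorithm covers every RRset, which is the state to reach before the stale key is removed or the zone is resigned.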
