On Sun, Feb 19, 2012 at 10:51:31AM -0800, Ask Bjørn Hansen wrote:

> > Good to hear!
>
> It's really nice how much effort you've put into making powerdns not just
> "correct" but also practical!

We held out a long time before doing DNSSEC. When we did decide to do it, we
wanted to do it *right* in practice.

> I confused myself by not using +dnssec when checking with dig and then by
> one of the (non-MySQL, non-PowerDNS) slaves not getting NOTIFY messages,
> I'll send another mail about that.

PowerDNS 3.1 will also serve up RRSIGs without +dnssec, btw. It turns out
that 3.0 is too strict in this respect.

> > Can you let us know your observations when you ask 'the powerdns with the
> > dnskeys' a question like this 'dig +dnssec -t a ntppool.com @right-ip' ?
>
> Yes, that looks better -- except
> http://dnssec-debugger.verisignlabs.com/ntppool.com says some of the
> keys/algorithms don't match.
>
> It's complaining about a spurious algorithm 7 DNSKEY that's not included in
> the RRSIG.

It actually says something more complicated. It says that if you have
DNSKEYs of multiple algorithms, you should have RRSIGs in all those
algorithms. I'm not sure why this is, but do you really need DNSKEYs of
different algorithms?

> > You should be able to see it with:
> >
> > $ dig +short +dnssec -t dnskey ntppool.com
> > (DNSKEY with algorithm 7 included)
> >
> > and
> >
> > $ dig +dnssec -t soa ntppool.com
> >
> > (no RRSIG for algo 7).
>
> pdnssec shows the algo=7 key as active=0; should I just delete that one with
> remove-zone-key?

If you do, the problem will go away. This is probably a bug in your
configuration - I think. Maybe we shouldn't allow it.

If you have multiple different algorithms for your DNSKEYs, you must have at
least one of each algorithm 'active'. This is probably to prevent downgrade
attacks.

> > If you are in a position to do this, could you try the latest snapshots from
> > http://www.powerdnssec.org/ to see what they do in your case?
>
> I might try that on a test server and if it works ok in production for my
> NOTIFY problem and just to help testing the new version -- I really
> appreciate how helpful you and the rest of the community are.

We try!
Bert

_______________________________________________
Pdns-users mailing list
[email protected]
http://mailman.powerdns.com/mailman/listinfo/pdns-users
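The multi-algorithm rule discussed in the reply above comes from RFC 4035 section 2.2: every RRset in a signed zone must carry an RRSIG made with at least one DNSKEY of each algorithm present in the apex DNSKEY RRset, so a stray algorithm 7 key alongside algorithm 8 signatures makes the zone bogus for a strict validator. The script below is an added example, not code from this thread, from the dnssec-debugger site or from PowerDNS. It parses the answer sections of the two dig queries quoted above (dig +dnssec -t dnskey and dig +dnssec -t soa, default single-line output, not +multiline), computes RFC 4034 Appendix B key tags so the offending key can be matched against what pdnssec lists, and reports every DNSKEY algorithm that has no covering RRSIG. The zone name example.org, the key material, the signature bytes and the timestamps in the sample answers are constructed for the example and are not real captures.

```python
import base64
import struct

# Constructed sample dig output (not a real capture): a zone with an
# algorithm 8 KSK and ZSK plus a leftover, inactive algorithm 7 ZSK.
# Only algorithm 8 signs anything, which is the situation in the thread.
DNSKEY_ANSWER = """\
; <<>> DiG <<>> +dnssec -t dnskey example.org
;; ANSWER SECTION:
example.org.   3600 IN DNSKEY 257 3 8 AQID
example.org.   3600 IN DNSKEY 256 3 8 BAUG
example.org.   3600 IN DNSKEY 256 3 7 BwgJ
example.org.   3600 IN RRSIG DNSKEY 8 2 3600 20120301000000 20120201000000 2059 example.org. c2lnbmF0dXJl
"""

SOA_ANSWER = """\
;; ANSWER SECTION:
example.org.   3600 IN SOA ns1.example.org. hostmaster.example.org. 2012021901 10800 3600 604800 3600
example.org.   3600 IN RRSIG SOA 8 2 3600 20120301000000 20120201000000 3333 example.org. c2lnbmF0dXJl
"""


def parse_records(text):
    """Yield (owner, rtype, rdata_fields) for every single-line record in dig
    presentation output, skipping ';' comment lines and blank lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if "IN" not in fields:
            continue
        i = fields.index("IN")
        yield fields[0], fields[i + 1], fields[i + 2:]


def key_tag(flags, proto, alg, key_b64):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all algorithms
    except the obsolete RSA/MD5 algorithm 1, which uses a different rule)."""
    rdata = struct.pack("!HBB", flags, proto, alg) + base64.b64decode(key_b64)
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskeys(dnskey_answer):
    """Return [(flags, algorithm, keytag)] for each DNSKEY in the answer.
    flags 257 is a KSK (SEP bit set), 256 a ZSK."""
    out = []
    for _, rtype, rdata in parse_records(dnskey_answer):
        if rtype == "DNSKEY":
            flags, proto, alg = int(rdata[0]), int(rdata[1]), int(rdata[2])
            key_b64 = "".join(rdata[3:])  # tolerate a key split across tokens
            out.append((flags, alg, key_tag(flags, proto, alg, key_b64)))
    return out


def signature_coverage(*answers):
    """Map each record type seen in the answers to the set of RRSIG algorithms
    covering it; an unsigned RRset maps to the empty set."""
    covered = {}
    for text in answers:
        for _, rtype, rdata in parse_records(text):
            if rtype == "RRSIG":
                covered.setdefault(rdata[0], set()).add(int(rdata[1]))
            else:
                covered.setdefault(rtype, set())
    return covered


def missing_algorithms(dnskey_answer, *other_answers):
    """Apply RFC 4035 section 2.2: every algorithm in the apex DNSKEY RRset must
    sign every RRset.  Return {rtype: {alg, ...}} for the RRsets that violate
    it (empty dict means the zone passes this check)."""
    algs = {alg for _, alg, _ in dnskeys(dnskey_answer)}
    coverage = signature_coverage(dnskey_answer, *other_answers)
    return {rtype: algs - sigs for rtype, sigs in coverage.items() if algs - sigs}


if __name__ == "__main__":
    for flags, alg, tag in dnskeys(DNSKEY_ANSWER):
        print("DNSKEY flags=%d alg=%d keytag=%d" % (flags, alg, tag))
    for rtype, algs in sorted(missing_algorithms(DNSKEY_ANSWER, SOA_ANSWER).items()):
        print("%s: no RRSIG for DNSKEY algorithm(s) %s" % (rtype, sorted(algs)))
```

To use it against a live server, replace the two constants with the answer sections of the real queries (dig +dnssec -t dnskey ZONE @server and dig +dnssec -t soa ZONE @server); the key tags it prints are the ones a validator, or the dnssec-debugger, will name when pointing at the key, so they can be matched against the key list pdnssec shows before removing the unused one. Removing the algorithm 7 DNSKEY line from the constructed input makes the check come back empty, which is the state the reply says the zone should end up in.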
