A week ago, Peter van Dijk wrote:
> Klaus Darilion wrote:
> > Further, I wonder why and how Powerdns synthesizes the NSEC3 records on
> > the fly? In our setup PDNS is a secondary, the signing happens on the
> > master. Thus, PDNS receives the zone with AXFR, including the NSEC3
> > records and the corresponding RRSIG records. Then, PDNS ignores all the
> > NSEC3 records and synthesizes them newly. [...]
>
> Apart from opt out vs. no opt out, we have had zero reports of our
> synthesis breaking original signatures.

I think the main point is: If pdns is configured _not_ to do DNSSEC signing, why does it touch/generate any DNSSEC-RRs at all, and what key material is used for it? Definitely not the original zones', b'cause private keys are not included in AXFR, no?

I'd say, either there's a misconfiguration in this specific setup of PDNS that makes it think it has to do DNSSEC signing, or there is a fat bug in PDNS.

Kind regards,
Sebastian
