I am trying to use PowerDNS for test purposes. I have the 3.3-2 versions of pdns-server-backend-pipe and pdns-server rpms installed on el6.
I created and signed three zone files with Bind 9.10 representing the root zone, net zone, and the domain kitchensink.net. I am using the pipe backend for EDNS client subnet testing against some com domains, and the bind backend for root, net, and kitchensink.net. All were signed, with DS records created in parent zones, etc. using dnssec-keygen, dnssec-sign-zone, and dnssec-dsfromkey tools provided with Bind 9.10. All of my keys use RSASHA256.

When I serve these zones using named, it works flawlessly and my unbound server has no trust anchor complaints. When I dig for "net ds +dnssec" the DS and RRSIG records are properly returned.

I tried to implement these zones in PowerDNS as pre-signed. I created my DNSSEC database using pdnssec create-bind-db and then issued pdnssec set-presigned commands for "", net, and kitchensink.net. I experience no errors when doing so, nor do I see any errors when I start the pdns-server. I also see that corresponding rows have been created in the domainmetadata table.

My unbound server complains that there are no signatures for the .net DS record when PowerDNS is the authoritative nameserver. And sure enough, when I execute dig against the pdns-server, it fails to return the RRSIG for the DS record, even though the record clearly exists in the signed root zone. I don't see this problem with kitchensink.net.

I'm at my wit's end as to how to resolve this problem. Any suggestions as to things I can look at? Like I said, it works flawlessly with named from Bind 9.10.

Thanks,
Craig
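The comparison described in the message (the same "net ds +dnssec" query answered with and without the RRSIG) can be checked mechanically. The following is an added example, not part of the original post: it scans dig answer-section text for RRsets that have no RRSIG covering their type. The function names are hypothetical, and both sample answers are constructed, with placeholder key tags, digests and signatures.

```python
# Added example: report RRsets in dig answer text that lack a covering RRSIG.
# Both samples are constructed; digests and signatures are placeholders.

# What a server returning the signed DS RRset would print (constructed).
SIGNED_ANSWER = """\
; constructed sample, answer section only
net.  86400 IN DS    12345 8 2 00AA11BB22CC33DD
net.  86400 IN RRSIG DS 8 1 86400 20140301000000 20140201000000 54321 . c2FtcGxl
"""

# The failure described in the post: DS returned, RRSIG missing (constructed).
UNSIGNED_ANSWER = """\
NET.  86400 IN DS    12345 8 2 00AA11BB22CC33DD
"""


def parse_rrs(text):
    """Parse 'owner ttl class type rdata...' lines into (owner, type, rdata)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and dig comment lines
        fields = line.split()
        if len(fields) < 5:
            continue  # not a full resource record line
        owner, rtype = fields[0].lower(), fields[3].upper()
        records.append((owner, rtype, fields[4:]))
    return records


def unsigned_rrsets(text):
    """Return sorted (owner, type) pairs with no RRSIG covering that type."""
    records = parse_rrs(text)
    # The first RDATA field of an RRSIG is the type it covers.
    covered = {(o, rd[0].upper()) for o, t, rd in records if t == "RRSIG"}
    rrsets = {(o, t) for o, t, _ in records if t != "RRSIG"}
    return sorted(rrsets - covered)


if __name__ == "__main__":
    for label, text in (("signed", SIGNED_ANSWER), ("unsigned", UNSIGNED_ANSWER)):
        print(label, unsigned_rrsets(text))
```

This only checks that a signature record is present for each RRset; it does not validate the signature itself.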