On Wed, May 20, 2015 at 01:34:59PM +0200, Peter Thomassen wrote:
> Hi Leen,
>
> On 05/20/2015 12:32 PM, Leen Besselink wrote:
> >> # these failed:
> >> dig @ns1.desec.io +dnssec +norec desec.io DNSKEY
> >> dig @ns1.desec.io +dnssec +norec desec.io A
> >>
> >> Here is a working example with an RRSIG for the DNSKEY query:
> [...]
> > As we can see, no RRSIG-record on your domain, my guess would be the
> > transferred domain isn't properly signed before it's transferred:
> >
> > $ dig +dnssec +norec @ns1.desec.io desec.io DNSKEY
> [...]
> > I would try the same query on the hidden master first.
>
> I did try that, and when I query the hidden master, in fact I do get the
> RRSIG records for free. Why is that not the case for the slaves?
>
> I made the hidden master available at desec.io temporarily -- so, compare
>
> dig +dnssec +norec @desec.io desec.io A
> dig +dnssec +norec @ns1.desec.io desec.io A
>
> This really confuses me.
>

Does your slave have DNSSEC enabled in the config?

Looks like BIND zone file backend needs: bind-dnssec-db:

https://doc.powerdns.com/md/authoritative/backend-bind/

And maybe you need to do an extra step?:

"PowerDNS needs to know if a zone should receive DNSSEC processing. To configure, run pdnssec set-presigned zone."

https://doc.powerdns.com/md/authoritative/dnssec/#from-existing-dnssec-non-powerdns-setups-pre-signed

> Best,
> Peter
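
One way to compare the `dig +dnssec +norec` answers from the hidden master and the slave discussed in this thread, as an added example that is not part of the original messages or of PowerDNS: it parses saved dig output and lists the RRsets in the answer section that have no covering RRSIG. The function name, the sample answers, the address and the signature data are all constructed for illustration.

```python
# Added example: find answer-section RRsets that lack a covering RRSIG
# in saved `dig +dnssec +norec` output.

# Constructed sample answers (not real output from the servers in this thread).
SIGNED_ANSWER = """\
;; ANSWER SECTION:
desec.io.  3600 IN A 192.0.2.10
desec.io.  3600 IN RRSIG A 8 2 3600 20150603000000 20150513000000 12345 desec.io. c2FtcGxl

;; Query time: 12 msec
"""
UNSIGNED_ANSWER = """\
;; ANSWER SECTION:
desec.io.  3600 IN A 192.0.2.10

;; Query time: 12 msec
"""


def unsigned_rrsets(dig_output):
    """Return sorted (owner, type) pairs from the ANSWER section with no RRSIG."""
    present, covered = set(), set()
    in_answer = False
    for raw in dig_output.splitlines():
        line = raw.strip()
        if line.startswith(";;"):
            # Section headers and trailer lines start with ';;'.
            in_answer = line.startswith(";; ANSWER SECTION")
            continue
        if not in_answer or not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5:
            continue  # not a complete "owner ttl class type rdata" record
        owner, rtype = fields[0].lower(), fields[3].upper()
        if rtype == "RRSIG":
            # The first RDATA field of an RRSIG is the type it covers.
            covered.add((owner, fields[4].upper()))
        else:
            present.add((owner, rtype))
    return sorted(present - covered)


if __name__ == "__main__":
    for label, text in (("master", SIGNED_ANSWER), ("slave", UNSIGNED_ANSWER)):
        print(label, "unsigned RRsets:", unsigned_rrsets(text))
```
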
