Hi Peter,
On 05/20/2015 01:31 PM, Peter Thomassen wrote:
Yes, I saw that. However, I am using PowerDNS 3.3 on the slaves, so that
can't be it ...
Is the zone on the slave set to pre-signed? If not, PowerDNS ignores
in-zone RRSIGs and other DNSSEC related data. You can set this by
running `pdnssec set-presigned desec.io` on the slaves[1]. If you use
NSEC3, you should also run `pdnssec set-nsec3 desec.io` on the slaves[2].
You might need to AXFR the zones to the slaves once more after this.
I must admit, the documentation really lacks in this regard (sorry). We
will try to fix this somewhere down the line.
Best regards,
Pieter
1 - https://doc.powerdns.com/md/authoritative/dnssec/#pdnssec
2 -
https://doc.powerdns.com/md/authoritative/dnssec/#from-existing-dnssec-non-powerdns-setups-pre-signed
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
