Hi Pieter,

On 05/20/2015 01:42 PM, Pieter Lexis wrote:
> On 05/20/2015 01:31 PM, Peter Thomassen wrote:
>> Yes, I saw that. However, I am using PowerDNS 3.3 on the slaves, so that
>> can't be it ...
>
> Is the zone on the slave set to pre-signed? If not, PowerDNS ignores
> in-zone RRSIGs and other DNSSEC related data. You can set this by
> running `pdnssec set-presigned desec.io` on the slaves[1]. If you use
> NSEC3, you should also run `pdnssec set-nsec3 desec.io` on the slaves[2].

I had set the zone to pre-signed, but this was (silently) unsuccessful,
because I had not created the bind-dnssec database yet. I had assumed
that the slaves would not need the database file since there is no key
material present on the slaves. Now that I created the database, added
it to the configuration file, and ran the above commands, everything is
working.

I am using the supermaster/superslave mechanism. Let's say I'm creating
a new zone on the supermaster and turn on DNSSEC for it. Will I have to
run set-presigned and set-nsec3 on each of the slaves manually?

> I must admit, the documentation really lacks in this regard (sorry). We
> will try to fix this somewhere down the line.

No worries, the documentation still has proven very helpful in all other
regards. And I really appreciate the community support here. :-)

Best regards,
Peter

_______________________________________________
Pdns-users mailing list
[email protected]
http://mailman.powerdns.com/mailman/listinfo/pdns-users
