Out of curiosity, what DOES PowerDNS do if it finds both an A and an RRSIG record for a.b.c.com in the database?
Nick

On Wed, Jan 6, 2016 at 12:33 PM, Aki Tuomi <[email protected]> wrote:

> The code does not support this but you might be able to use postresolve
> Lua hook to break the reply signature.
>
> ---
> Aki Tuomi
>
> -------- Original message --------
> From: Nick Williams <[email protected]>
> Date: 6.1.2016 19.54 (GMT+02:00)
> To: pdns-users Users <[email protected]>
> Subject: [Pdns-users] Setting up intentionally invalid DNSSEC record in
> auto-secure environment
>
> Hi all,
>
> We're running a PowerDNS 3.4.6 installation with the MySQL backend, and
> we’re using pdnsutil secure-zone/set-nsec3/rectify-zone to automatically
> secure all of our domains (the least-effort method, instead of manually
> signing everything). It works great. Thanks for the excellent software!
>
> To support an internal testing tool, I would like to set up a few DNS
> records on a subdomain of one of our signed domains, and have those DNS
> records //intentionally invalidly signed// so that verifying resolvers will
> flag them and not return them. What is the best way to do this? Can I
> simply manually enter an invalid RRSIG record for each record, and that
> manual record will take precedence over any automatic signing that PowerDNS
> performs? Or do I need to take some other step (perhaps it requires a
> separate domain)? Or is what I want to do impossible with PowerDNS
> automatic signing enabled?
>
> Thanks!
>
> Nick Williams
> _______________________________________________
> Pdns-users mailing list
> [email protected]
> http://mailman.powerdns.com/mailman/listinfo/pdns-users
