> On Jan 9, 2016, at 3:28 PM, Pieter Lexis <[email protected]> wrote:
>
> Hi Nick,
>
> On Sat, 9 Jan 2016 14:48:12 -0600
> Nicholas Williams <[email protected]> wrote:
>
>> But the documentation says the opposite. It says NOT to create
>> NSEC(3) records (in fact, zone2sql intentionally ignores them, even
>> for presigned zones), because (again, it says) PowerDNS generates
>> them automatically, even for presigned zones. It also says that
>> manually inserting NSEC3 records could cause errors. So the
>> documentation makes clear that, on presigned zones, it is still the
>> authority. Indeed, PowerDNS IS generating the NSEC3 records (as I
>> showed), just not signing them.
>
> This is indeed the way this works. As the NXDOMAIN generation code
> works as it should, the design choice was made to 'just' generate NSECs
> on the fly. The signatures still have to be provided in the presigned
> zone.
>
>> How could I possibly presign records that PowerDNS generates? I
>> can't. So why does PowerDNS prohibit me from creating NSEC3 records,
>> generate them for me, but not sign them?
>
> This is because pre-signed zones (from e.g. opendnssec, ldns-signzone
> or slaved from a master) contain the RRSIGs to the negative answers.
>
>> That is, at best, poor design. But I'm confident it's a bug or I've
>> configured something incorrectly.
>
> I agree this is an 'interesting' design choice made back in the day.
> In normal operation (using other tools to generate DNSSEC records or
> slaving the zone) this will never come up.
>
> I agree that the docs are not very verbose on how presigned zones work;
> we'll fix this in the coming weeks.
So I need to create signatures for the NSEC3 records, and insert those signatures, but not the NSEC3 records? Fascinating. Let me try this out…

I started from scratch to ensure I didn't mess something else up… I copied ALL of the RRSIGs this time, including the ones for the NSEC3 records, but I did not copy the NSEC3 records… And it works! Everything passes the verification checks and I can resolve both A records through my verifying recursors.

$ host good.e7d8ca.test.my-zone.com
good.e7d8ca.test.dnscrawler.com has address x.x.x.x
$ host bad.e7d8ca.test.my-zone.com
bad.e7d8ca.test.dnscrawler.com has address x.x.x.x

Now, to munge the signature for bad.e7d8ca.test.my-zone.com… And it works!

From my verifying recursors:

$ host good.e7d8ca.test.my-zone.com
good.e7d8ca.test.dnscrawler.com has address x.x.x.x
$ host bad.e7d8ca.test.my-zone.com
Host bad.e7d8ca.test.dnscrawler.com not found: 3(NXDOMAIN)

From non-verifying recursors:

$ host good.e7d8ca.test.my-zone.com 4.2.2.2
Using domain server:
Name: 4.2.2.2
Address: 4.2.2.2#53
Aliases:

good.e7d8ca.test.my-zone.com has address x.x.x.x
$ host bad.e7d8ca.test.my-zone.com 4.2.2.2
Using domain server:
Name: 4.2.2.2
Address: 4.2.2.2#53
Aliases:

bad.e7d8ca.test.my-zone.com has address x.x.x.x

Thanks for all your help. I still maintain that requiring presigners to provide RRSIG NSEC3 records but NOT provide the NSEC3 records is a bad idea. At the very least, as you said, the documentation needs significant enhancement. But I did get it to work, finally.

Thanks again,

Nick
_______________________________________________
Pdns-users mailing list
[email protected]
http://mailman.powerdns.com/mailman/listinfo/pdns-users
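The procedure Nick arrived at above (load every RRSIG from the externally signed zone, including the RRSIGs covering NSEC3, but leave out the NSEC3 records themselves, then break one signature to confirm that validating resolvers actually reject it) can be scripted. The following is an added example for this thread, not PowerDNS code and not the poster's; it assumes the signer (ldns-signzone, OpenDNSSEC or similar) writes standard presentation-format records, one per line or wrapped in parentheses, and that the output is then handed to whatever loader you use (zone2sql is the one mentioned in the thread). `SAMPLE_SIGNED_ZONE` is constructed: its hashed owner names and base64 signatures are placeholders, not real DNSSEC output.

```python
"""Prepare an externally signed zone for loading into PowerDNS as a
presigned zone: keep every RRSIG (including those covering NSEC3), but
drop the NSEC/NSEC3 records themselves, which PowerDNS generates on the
fly.  Added example for this thread, not PowerDNS or the poster's code.
Assumes standard presentation-format records (one per line, or wrapped
in parentheses).  SAMPLE_SIGNED_ZONE is constructed; its hashes and
signatures are placeholders, not real DNSSEC output.
"""
from typing import Iterator, List, Optional, Tuple

CLASSES = {"IN", "CH", "HS"}
# Regenerated by PowerDNS for presigned zones; the RRSIGs over them are kept.
DROP_TYPES = {"NSEC", "NSEC3"}

SAMPLE_SIGNED_ZONE = """\
$ORIGIN test.my-zone.com.
$TTL 3600
@       IN SOA  ns1.test.my-zone.com. hostmaster.test.my-zone.com. 2016010901 7200 3600 1209600 3600
@       IN RRSIG SOA 8 3 3600 20160208000000 20160109000000 12345 test.my-zone.com. c29hLXNpZ25hdHVyZQ==
@       IN NSEC3PARAM 1 0 10 ABCDEF
@       IN RRSIG NSEC3PARAM 8 3 3600 20160208000000 20160109000000 12345 test.my-zone.com. cGFyYW0tc2ln
good    IN A     192.0.2.1
good    IN RRSIG A 8 4 3600 20160208000000 20160109000000 12345 test.my-zone.com. Z29vZC1zaWduYXR1cmU=
bad     IN A     192.0.2.2
bad     IN RRSIG A 8 4 3600 20160208000000 20160109000000 12345 test.my-zone.com. YmFkLXNpZ25hdHVyZQ==
; placeholder hashed owner names (real NSEC3 hashes are 32 base32 chars)
r53q6k9 IN NSEC3 1 0 10 ABCDEF ( s4tr7l0 A RRSIG )
r53q6k9 IN RRSIG NSEC3 8 4 3600 20160208000000 20160109000000 12345 test.my-zone.com. (
        bnNlYzMtc2lnbmF0dXJl )
"""


def logical_records(zone_text: str) -> Iterator[str]:
    """Yield one record per item: ';' comments removed, parenthesised
    continuations joined, whitespace normalised.  A record whose owner
    was omitted keeps a single leading space so callers can tell."""
    buf: List[str] = []
    depth = 0

    def flush() -> str:
        text = " ".join(buf).replace("(", " ").replace(")", " ")
        lead = " " if buf[0][:1].isspace() else ""
        return lead + " ".join(text.split())

    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # assumes no ';' inside quoted strings
        if not line.strip() and not buf:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth <= 0:
            yield flush()
            buf.clear()
            depth = 0
    if buf:  # unbalanced parentheses at end of file: emit what we have
        yield flush()


def split_fields(record: str) -> Tuple[Optional[str], List[str]]:
    """Return (owner or None, [TYPE, rdata...]), skipping the optional TTL
    and class.  Directives such as $ORIGIN/$TTL return (None, [])."""
    if record.startswith("$"):
        return None, []
    fields = record.split()
    owner = None
    if not record[:1].isspace():
        owner, fields = fields[0], fields[1:]
    if fields and fields[0].isdigit():
        fields = fields[1:]  # TTL
    if fields and fields[0].upper() in CLASSES:
        fields = fields[1:]  # class
    return owner, fields


def rr_type(record: str) -> Optional[str]:
    _, fields = split_fields(record)
    return fields[0].upper() if fields else None


def rrsig_covered(record: str) -> Optional[str]:
    """Type covered by an RRSIG (first rdata field), or None if not an RRSIG."""
    _, fields = split_fields(record)
    if len(fields) >= 2 and fields[0].upper() == "RRSIG":
        return fields[1].upper()
    return None


def filter_for_powerdns(signed_zone: str) -> str:
    """Drop NSEC/NSEC3 RRs; keep all RRSIGs, NSEC3PARAM, DNSKEY and data."""
    kept = [r for r in logical_records(signed_zone) if rr_type(r) not in DROP_TYPES]
    return "\n".join(kept) + "\n"


def corrupt_rrsig(signed_zone: str, owner: str, covered: str) -> str:
    """Negative-test helper: flip the first base64 character of the
    signature in the RRSIG <covered> at <owner>.  A validating resolver
    must then reject that RRset while a non-validating one still answers."""
    out = []
    for rec in logical_records(signed_zone):
        rec_owner, fields = split_fields(rec)
        # RRSIG rdata: covered alg labels origttl expire incept keytag signer sig...
        if (rec_owner and rec_owner.lower() == owner.lower() and len(fields) >= 10
                and fields[0].upper() == "RRSIG" and fields[1].upper() == covered.upper()):
            n_sig = len(fields) - 9               # signature may span several tokens
            tokens = rec.split()
            sig = "".join(tokens[len(tokens) - n_sig:])
            sig = ("B" if sig[0] != "B" else "C") + sig[1:]
            rec = " ".join(tokens[:len(tokens) - n_sig] + [sig])
        out.append(rec)
    return "\n".join(out) + "\n"
```

Run `filter_for_powerdns` over the signer's output before loading, then, as in the thread, load `corrupt_rrsig(..., "bad", "A")` into a test zone and query both a validating and a non-validating recursor: only the validating one should refuse the `bad` A record. If both still answer, the RRSIGs are not being served and validation is not actually happening.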
