Hi, On Thu, 8 Sep 2016 22:32:05 -0300 Peter Thomassen <[email protected]> wrote:
> I set up a the recursor (4.0.3) with a separate zone file that I > declared authoritative using the auth-zones directive. The zone file > contains DNSSEC signatures. > > However, when querying the recursor using dig +dnssec, only the > requested record types (e.g. A) are returned, but not the RRSIG records > (although they can be requested manually). > > Is this intended? > > I am aware that there would be complications in narrow NSEC3 mode when > non-existent records are queried, but with regular NSEC3, everything > needed can be extracted from the zone file itself (it has an NSEC3PARAM > record). DNSSEC signed zones in the recursor are not supported. We are not even sure that this will be supported in the future. As there is no way (apart from reloading the zones) to e.g. update the signatures. We also don't want to turn the recursor into a 'full-fledged' authoritative server. Can you share (in a GitHub issue) what the masterplan behind this kind of configuration is? Best regards, Pieter -- Pieter Lexis PowerDNS.COM BV -- https://www.powerdns.com _______________________________________________ Pdns-users mailing list [email protected] https://mailman.powerdns.com/mailman/listinfo/pdns-users
