Hi,

I noticed a strange dnssec behavior with pdns 3.0 (and postgresql-backend):

I have loaded a zone into the db, the zone is unsigned but the domainmetadata "presigned" is set to 1.

Everything works fine, except if I ask for a non-available record (with dnssec-ok flag set in the query), then I receive 2 additional NSEC-records:

Without DNSSEC-OK Query flag:

;; QUESTION SECTION:
;xxxx.unsigned.at.              IN      A

;; AUTHORITY SECTION:
unsigned.at. 3600 IN SOA ns2.at43.at. office.enum.at. 2 1200 3600 604800 600

With DNSSEC-OK Query flag:

;; QUESTION SECTION:
;xxxx.unsigned.at.              IN      A

;; AUTHORITY SECTION:
unsigned.at. 3600 IN SOA ns2.at43.at. office.enum.at. 2 1200 3600 604800 600
www.unsigned.at. 3600 IN NSEC www.unsigned.at. A AAAA RRSIG NSEC
unsigned.at. 3600 IN NSEC www.unsigned.at. A NS SOA MX AAAA RRSIG NSEC DNSKEY

I know this setup (PRESIGNED=1 and an unsigned domain) is an undocumented setup, but I think it will be a good feature if PRESIGNED=1 disables all automatic record generation and pdns serves only the records it has configured in its backend. So it will be possible, if I have a lot of slave zones, which are mixed between DNSSEC signed and non-signed, to configure all zones the same way (like in Bind).

Do you have any comments on this?

Best,
Michael

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
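
A check for the response shape shown in this message (NSEC records in the authority section with no RRSIG beside them), written as an added example that is not part of the original post or of PowerDNS. It assumes dig-style "owner ttl class type rdata" lines; the function names are hypothetical.

```python
"""Flag NSEC/NSEC3 records that arrive without a covering RRSIG (added example)."""

# Constructed sample: the authority section from the DNSSEC-OK answer in the
# message above, one record per line in dig's presentation format.
SAMPLE_AUTHORITY = """\
unsigned.at. 3600 IN SOA ns2.at43.at. office.enum.at. 2 1200 3600 604800 600
www.unsigned.at. 3600 IN NSEC www.unsigned.at. A AAAA RRSIG NSEC
unsigned.at. 3600 IN NSEC www.unsigned.at. A NS SOA MX AAAA RRSIG NSEC DNSKEY
"""


def parse_records(text):
    """Yield (owner, rrtype, rdata_fields) for each record line, skipping comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank line or dig section header / question line
        fields = line.split()
        if len(fields) < 5:
            continue  # not a full "owner ttl class type rdata" record
        owner, _ttl, _cls, rrtype = fields[:4]
        yield owner.lower(), rrtype.upper(), fields[4:]


def unsigned_denial_records(text):
    """Return sorted (owner, type) pairs for NSEC/NSEC3 RRsets with no RRSIG covering them."""
    denial = set()
    covered = set()
    for owner, rrtype, rdata in parse_records(text):
        if rrtype in ("NSEC", "NSEC3"):
            denial.add((owner, rrtype))
        elif rrtype == "RRSIG" and rdata:
            # The first RRSIG rdata field is the type the signature covers.
            covered.add((owner, rdata[0].upper()))
    return sorted(denial - covered)


if __name__ == "__main__":
    for owner, rrtype in unsigned_denial_records(SAMPLE_AUTHORITY):
        print(f"{owner}: {rrtype} present without RRSIG")
```
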
