Re: [Pdns-users] Impact of DNSSEC with Sub Domain Zones

2019-03-07 Thread Asanka Gunasekara
Hi All,

Just want to give you all an update on how this went as I ran into issues with 
this implementation.

What I did first:
* Enabled DNSSEC on primary domain (domain.com)
* Added DS Records to domain registrar.
What worked: All DNS records under the primary zone worked and resolved without 
any issues.
What broke: All subdomain DNS zones failed to resolve.
Resolution: Disabled DNSSEC and removed DS records from registrar. Everything 
worked after a short while.

What I'm currently doing:
* Disabled DNSSEC on primary domain zone.
* Enabled DNSSEC on subdomain zone (sub1.domain.com).
* Added DS and NS records under primary zone (domain.com)
* sub1 NS 3600 ns1.domain.com
* sub1 DS 3600 xxx
What works: all subdomain zones resolve without any issues.

I've not yet enabled DNSSEC on the primary DNS zone. Hoping to get it done over 
the weekend.



Kind Regards,
Asanka Gunasekara

P: 1300 825 587
E: supp...@talkup.com.au [http://talkup.com.au/] | W: www.talkup.com.au 
[http://www.talkup.com.au/]
Postal Address: PO Box 24, Varsity Lakes QLD 4227

Please consider the environment before printing this e-mail This email message 
and any attachments are confidential. If you are not the intended recipient, 
you are notified that any unauthorised disclosure, copying, distribution or use 
of this information is strictly prohibited. If you have received this email in 
error, please notify us immediately by return email, or telephone 1300 825 587, 
and destroy the original message. We have taken precautions to minimise the 
risk of transmitting software viruses, but we advise you to carry out your own 
virus checks on any attachment to this message. We cannot accept liability for 
any loss or damage caused by software viruses.
On 5/03/2019 11:24:27 AM, Asanka Gunasekara  wrote:
Hi Peter,

Thanks for information. I have done just that :)

Kind Regards,
Asanka

On 26/02/2019 10:31:10 PM, Peter van Dijk  wrote:
Hello
On 26 Feb 2019, at 5:43, Asanka Gunasekara wrote:

> I'm sure this is a pretty dumb question but my knowledge on DNSSEC is
> very limited so hope you guys/gals can help me out.
>
> We use PowerDNS as our Authorative DNS and everything is configured
> here. We use PowerDNS-Admin
> [https://github.com/ngoduykhanh/PowerDNS-Admin] as our GUI.
>
> I have our primary domain: domain.com and it is split up into several
> sub-domain zones for ease of management.
> Eg:
> Zone1 - domain.com
> Zone2 - sub1.domain.com
> Zone3 - sub2.domain.com
>
> Q1) If I enable DNSSEC between Zone1 above and domain registrar, would
> zones 2 and 3 stop functioning?

They will keep working, but in insecure mode, as long as there is a
correct delegation (NS records for Zone2 and Zone3) in Zone1.

> Q2) How do I enable DNSSEC on sub zones?

For Zone1, you presumably enabled DNSSEC in your Admin and then sent the
DNSKEY or DS to the parent operator (.com), who then puts a DS in that
parent zone. For Zone2 and Zone3, you are the parent operator, so enable
DNSSEC, and then put the DS records in Zone1.

Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus
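The delegation Peter describes (the parent zone carrying an NS record and a DS record for each signed child, as in Asanka's `sub1 NS` / `sub1 DS` lines) depends on the DS actually matching the child's KSK. The following is an added worked example, not code from the thread or from PowerDNS: it computes the DS RDATA from a DNSKEY in presentation form per RFC 4034 (key tag from Appendix B, digest over the canonical owner name plus the DNSKEY RDATA), emits the NS and DS lines the parent needs, and checks an existing DS against a DNSKEY. The key material is constructed placeholder bytes, and the names `sub1.domain.com` / `ns1.domain.com` are the ones from the thread.

```python
"""Build and verify the DS records a parent zone publishes for a signed child zone
(RFC 4034 section 5 and Appendix B). Added example; not from the thread or PowerDNS."""
import base64
import hashlib

# DS digest type -> hash constructor (IANA DS RR digest-type registry).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, length-prefixed, root-terminated."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def parse_dnskey(text: str) -> bytes:
    """DNSKEY RDATA from presentation form '<flags> <protocol> <algorithm> <base64 key>'."""
    flags, protocol, algorithm, *key = text.split()
    rdata = int(flags).to_bytes(2, "big") + bytes([int(protocol), int(algorithm)])
    return rdata + base64.b64decode("".join(key))


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag for any algorithm other than 1 (RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, dnskey_text: str, digest_type: int = 2) -> str:
    """DS RDATA '<key tag> <algorithm> <digest type> <hex digest>' for the child's DNSKEY.
    The digest covers the canonical owner name followed by the DNSKEY RDATA."""
    rdata = parse_dnskey(dnskey_text)
    digest = DIGEST_ALGS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {rdata[3]} {digest_type} {digest}"


def ds_matches(owner: str, ds_text: str, dnskey_text: str) -> bool:
    """Does the DS published in the parent correspond to this DNSKEY in the child?
    A DS that matches no child DNSKEY makes the child bogus for validating resolvers."""
    tag, alg, dtype, digest = ds_text.split()
    if int(dtype) not in DIGEST_ALGS:
        return False
    exp_tag, exp_alg, exp_dtype, exp_digest = make_ds(owner, dnskey_text, int(dtype)).split()
    return (int(tag), int(alg), int(dtype), digest.upper()) == (
        int(exp_tag), int(exp_alg), int(exp_dtype), exp_digest)


def delegation_records(child: str, nameservers, dnskey_text: str, ttl: int = 3600):
    """Zone-file lines the parent needs for a signed child: the NS delegation plus the DS."""
    child = child.rstrip(".")
    lines = [f"{child}. {ttl} IN NS {ns.rstrip('.')}." for ns in nameservers]
    lines.append(f"{child}. {ttl} IN DS {make_ds(child, dnskey_text)}")
    return lines


# Constructed sample KSK for sub1.domain.com: flags 257 (KSK/SEP), protocol 3,
# algorithm 13 (ECDSAP256SHA256) with 64 placeholder key bytes 0x00..0x3f. Not a real key.
SAMPLE_DNSKEY = "257 3 13 " + base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    for line in delegation_records("sub1.domain.com", ["ns1.domain.com"], SAMPLE_DNSKEY):
        print(line)
    ds = make_ds("sub1.domain.com", SAMPLE_DNSKEY)
    print("DS matches DNSKEY:", ds_matches("sub1.domain.com", ds, SAMPLE_DNSKEY))
```

Note that `make_ds` lowercases the owner name before hashing, so the DS is the same whichever case the child name was entered in; `ds_matches` is the check to run after publishing a DS in the parent (or at the registrar) and again after any KSK rollover in the child, since a stale DS is what turns a signed child bogus.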


[Pdns-users] Question about PDNS SOA presentation.

2019-03-07 Thread Michael Van Der Beek
Hi Peter,

That's interesting. My pdns.conf did not have a default-soa-edit line.
I also didn't know about that option. I don't have any domain-specific SOA 
meta configs in the MySQL database.

Looking into the database I found.

MariaDB [powerdns]> select * from domainmetadata
    -> ;
+----+-----------+------------+-----------------+
| id | domain_id | kind       | CONTENT         |
+----+-----------+------------+-----------------+
|  1 |         1 | NSEC3PARAM | 1 0 1 ab        |
|  2 |         1 | SOA-EDIT   | INCREMENT-WEEKS |
+----+-----------+------------+-----------------+
2 rows in set (0.00 sec)

I didn't set up these fields. Either it was when I signed the domain. No matter..
Setting the SOA-EDIT to "" I get back the correct values.

Thanks Peter!
Been scratching my head about this for a while.

Regards,

Michael






Re: [Pdns-users] Question about PDNS SOA presentation.

2019-03-07 Thread Peter van Dijk



On 6 Mar 2019, at 8:06, Michael Van Der Beek wrote:


;; ANSWER SECTION:
cyber-mage.com. 86400   IN  SOA ns1.linode.com. hostmaster.cyber-mage.com. 2019033066 28800 7200 1209600 86400

|  1 | 1 | cyber-mage.com | SOA  | ns1.linode.com hostmaster.cyber-mage.com 2019030501 28800 7200 1209600 86400 | 86400 | 0 | NULL | 0 | rvms80ecrvpfkr7n6a3ksp4tc5f2g9bk | 1 |


2019033066 - 2019030501 = 2566, which happens to be the number of weeks 
since January 1, 1970. In other words, it looks like you have 
SOA-EDIT=INCREMENT-WEEKS configured, described at 
https://doc.powerdns.com/authoritative/dnssec/operational.html#increment-weeks


Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
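Peter's diagnosis works by comparing the serial in the records table with the one dig returns and asking which SOA-EDIT mode explains the difference. The following is an added worked example, not code from the thread or from PowerDNS: it models the served serial for the `""`, `INCREMENT-WEEKS` and `EPOCH` modes as described in the PowerDNS operational DNSSEC documentation linked above, and runs the inference the other way round, from the stored serial `2019030501` and the dig results `2019033066` (6 March) and `2019033067` (7 March) quoted in this thread. The times of day used are constructed; at week granularity only the date matters.

```python
"""Model what PowerDNS' SOA-EDIT does to the served SOA serial, and infer the active
mode from a dig result versus the stored row. Added example; not from the thread or PowerDNS."""
from datetime import datetime, timezone
from typing import Optional

WEEK = 7 * 24 * 3600
SERIAL_MASK = 0xFFFFFFFF  # SOA serials are 32-bit unsigned (RFC 1982 arithmetic)


def weeks_since_epoch(now: int) -> int:
    """Whole weeks since 1970-01-01T00:00Z; this is the amount INCREMENT-WEEKS adds."""
    return now // WEEK


def served_serial(stored: int, mode: str, now: int) -> int:
    """Serial the authoritative server hands out for a stored serial under SOA-EDIT `mode`.

    Modes modelled, following the PowerDNS operational DNSSEC documentation:
      ""               serial served exactly as stored
      INCREMENT-WEEKS  stored serial plus the number of weeks since the UNIX epoch
      EPOCH            the current UNIX time, ignoring the stored value
    """
    mode = mode.strip().upper()
    if mode == "":
        return stored
    if mode == "INCREMENT-WEEKS":
        return (stored + weeks_since_epoch(now)) & SERIAL_MASK
    if mode == "EPOCH":
        return now & SERIAL_MASK
    raise ValueError(f"SOA-EDIT mode not modelled here: {mode!r}")


def infer_soa_edit(stored: int, observed: int, now: int) -> Optional[str]:
    """Which modelled SOA-EDIT mode turns the stored serial into the one dig returned at `now`?"""
    for mode in ("", "INCREMENT-WEEKS", "EPOCH"):
        if served_serial(stored, mode, now) == observed:
            return mode
    return None


def utc(year, month, day, hour=0, minute=0, second=0) -> int:
    """UNIX time for a UTC wall-clock value."""
    return int(datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc).timestamp())


# From the thread: the records table holds serial 2019030501, while dig returned
# 2019033066 on 6 March 2019 and 2019033067 on 7 March 2019.
STORED = 2019030501

if __name__ == "__main__":
    # Times of day are constructed; at week granularity only the date matters here.
    for day, observed in ((6, 2019033066), (7, 2019033067)):
        now = utc(2019, 3, day, 12)
        print(f"2019-03-0{day}: weeks={weeks_since_epoch(now)} "
              f"served={served_serial(STORED, 'INCREMENT-WEEKS', now)} "
              f"dig={observed} mode={infer_soa_edit(STORED, observed, now)!r}")
```

The week counter crossed from 2565 to 2566 at 2019-03-07 00:00 UTC, which is why the two dig runs a day apart differ by one while the stored row never changed. Setting SOA-EDIT to `""` (as Michael did) is the `mode == ""` branch: the stored value is served unchanged. The mode can come from the zone's own `SOA-EDIT` entry in domainmetadata or from a `default-soa-edit` line in pdns.conf, so both places are worth checking when a served serial does not match the database.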


Re: [Pdns-users] PDNS-Recursor cache and forwarding-all-queries

2019-03-07 Thread Remi Gacogne
> On 07.03.19 10:48, Pedro David Marco via Pdns-users wrote:
>> is it possible with PDNS-Recursor to forward "all queries" to another
>> server???   in this scenario, does it query its own cache before
>> forwarding the query?

First of all, why would you want to do that? If you want to forward
everything to another server with some caching, please have a look at
dnsdist instead.

Best regards,
-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/





Re: [Pdns-users] PDNS-Recursor cache and forwarding-all-queries

2019-03-07 Thread Thomas Mieslinger

pdns_recursor.conf:

forward-zones=/etc/pdns_recursor/forward.zones

put this in your forward.zones

+.=



On 07.03.19 10:48, Pedro David Marco via Pdns-users wrote:



Hi,

Please excuse me if my questions seem too basic...

is it possible with PDNS-Recursor to forward "all queries" to another 
server???   in this scenario, does it query its own cache before 
forwarding the query?



Thanks!

--
Pedro







[Pdns-users] PDNS-Recursor cache and forwarding-all-queries

2019-03-07 Thread Pedro David Marco via Pdns-users


Hi, 
Please excuse me if my questions seem too basic...
is it possible with PDNS-Recursor to forward "all queries" to another server??? in this scenario, does it query its own cache before forwarding the query?

Thanks!
--Pedro


[Pdns-users] Question about PDNS SOA presentation.

2019-03-07 Thread Michael Van Der Beek
Hi Frank,

After removing the recursor option in pdns.conf

dig @72.14.187.43 cyber-mage.com SOA

; <<>> DiG 9.2.4 <<>> @72.14.187.43 cyber-mage.com SOA
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22124
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cyber-mage.com.IN  SOA

;; ANSWER SECTION:
cyber-mage.com. 86400   IN  SOA ns1.linode.com. hostmaster.cyber-mage.com. 2019033067 28800 7200 1209600 86400

;; Query time: 200 msec
;; SERVER: 72.14.187.43#53(72.14.187.43)
;; WHEN: Thu Mar  7 16:16:19 2019
;; MSG SIZE  rcvd: 90


It's still wrong.
I read in this mailing list that somebody complained that the pdnsutils increase 
soa record time also results in random last 4 digits instead of increasing it 
sequentially. But nobody replied to him. His version was 4.1.x. I presume that 
in his case the first setup was correct. Maybe it was partially fixed from 
4.0.6 to 4.1.x.


Regards,

Michael