[Pdns-users] Additional NSEC3-Record in Response - DNSSEC Validation fails
Hi,

I did some more DNSSEC testing and found another bug. My setup looks like this: Bind acting as master server, serving a presigned zone; PDNS 3.0 acting as slave server, with PRESIGNED=1 and NSEC3PARAM set in the domainmetadata table. When querying for an undefined record, PDNS adds an additional NSEC3 record to the response and the validation of the response fails.

Response from Bind:

;; QUESTION SECTION:
;notfound.nsec3test.at. IN A

;; AUTHORITY SECTION:
nsec3test.at. 600 IN SOA ns2.at43.at. mib.nic.at. 3 1200 3600 604800 600
nsec3test.at. 600 IN RRSIG SOA 7 2 600 20110921115504 20110822115504 54530 nsec3test.at. CAljGUcw6e2pHiajLF+T0uCNfBrrtF2ZleDKrPe8gWiBOSmrhGPDGRVQ NUF5CX07AkBvG1pfoe5IKB4sIri0Un9C7MGznKNgc/1xBnmWBFCYzILS 8SkFzyyNalYYpvNnhO7q+MpE6kciv3soZbZJ+fl8Y2xibvvvYswO+vPy 0l4=
O8IVN054N94M5JUQ5H7G0I882UAHH62U.nsec3test.at. 600 IN NSEC3 1 1 10 - NCH5FA1SAKRN1LLO8EKOK28S80L05EQE NS SOA RRSIG DNSKEY NSEC3PARAM
O8IVN054N94M5JUQ5H7G0I882UAHH62U.nsec3test.at. 600 IN RRSIG NSEC3 7 3 600 20110921115504 20110822115504 54530 nsec3test.at. Z5lAmFDBRLYO2J/l2o1CwYfcuuvSixR26B5GIPTDaNvxRdHkVIJEHctQ Hc+4xie3POEed4eZBuYF2mqCCaF0GC5d0D5Y8sJui7Vu3oGxmwWO49vm e0WnNL4WiXWUzd0hOEobK/XJn6ObHLscbR5SmupdIdpA5DaJZ1w1VPQp faw=

The same query against the PDNS:

;; QUESTION SECTION:
;notfound.nsec3test.at. IN A

;; AUTHORITY SECTION:
nsec3test.at. 600 IN SOA ns2.at43.at. mib.nic.at. 3 86400 3600 604800 600
nsec3test.at. 600 IN RRSIG SOA 7 2 600 20110921115504 20110822115504 54530 nsec3test.at. CAljGUcw6e2pHiajLF+T0uCNfBrrtF2ZleDKrPe8gWiBOSmrhGPDGRVQ NUF5CX07AkBvG1pfoe5IKB4sIri0Un9C7MGznKNgc/1xBnmWBFCYzILS 8SkFzyyNalYYpvNnhO7q+MpE6kciv3soZbZJ+fl8Y2xibvvvYswO+vPy 0l4=
o8ivn054n94m5juq5h7g0i882uahh62u.nsec3test.at. 0 IN NSEC3 1 1 10 - 66R3IIGV513QGD458A2S11T0MH3E6IET NS SOA RRSIG DNSKEY NSEC3PARAM
o8ivn054n94m5juq5h7g0i882uahh62u.nsec3test.at. 600 IN RRSIG NSEC3 7 3 600 20110921115504 20110822115504 54530 nsec3test.at. Z5lAmFDBRLYO2J/l2o1CwYfcuuvSixR26B5GIPTDaNvxRdHkVIJEHctQ Hc+4xie3POEed4eZBuYF2mqCCaF0GC5d0D5Y8sJui7Vu3oGxmwWO49vm e0WnNL4WiXWUzd0hOEobK/XJn6ObHLscbR5SmupdIdpA5DaJZ1w1VPQp faw=
76nqadco30ibl06a9vmdvu7r31l6r3oi.nsec3test.at. 600 IN NSEC3 1 1 10 - NCH5FA1SAKRN1LLO8EKOK28S80L05EQE RRSIG

The last line is the additional NSEC3 record. Can you please have a look?

Thanks in advance and best,
Michael

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
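To see which NSEC3 records a validator actually needs for a denial like the one above, here is an added example (not code from the post, PowerDNS or Bind) that computes RFC 5155 owner hashes with the post's parameters (SHA-1, 10 iterations, empty salt "-") and runs the closest-encloser check from RFC 5155 section 8.4 over a chain of (owner hash, next hash) pairs. The zone names, the chain builder and all function names are constructed assumptions for the demonstration.

```python
import base64
import hashlib

def _wire_name(name):
    """Canonical wire form (RFC 4034 section 6.2): lowercase, length-prefixed labels."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, salt_hex="-", iterations=0):
    """RFC 5155 section 5: SHA-1(name || salt), re-hashed `iterations` times, base32hex."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(_wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    b32 = base64.b32encode(digest).decode("ascii")
    return b32.translate(str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                       "0123456789ABCDEFGHIJKLMNOPQRSTUV"))

def covers(owner, nxt, h):
    """True when h lies strictly between owner and next hash; the last record wraps."""
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt

def nxdomain_proof(qname, zone, nsec3s, salt_hex="-", iterations=10):
    """Closest-encloser proof (RFC 5155 section 8.4) over [(owner_hash, next_hash)].
    Returns (closest_encloser, next_closer_hash, wildcard_hash) or None if unproven."""
    chain = {o.upper(): n.upper() for o, n in nsec3s}  # PDNS lowercases owner names
    labels = qname.rstrip(".").lower().split(".")
    apex_depth = len(zone.rstrip(".").split("."))
    # Walk from qname's parent up to the apex; the first existing ancestor is the closest encloser.
    for i in range(1, len(labels) - apex_depth + 1):
        encloser = ".".join(labels[i:])
        if nsec3_hash(encloser, salt_hex, iterations) not in chain:
            continue
        next_closer = nsec3_hash(".".join(labels[i - 1:]), salt_hex, iterations)
        wildcard = nsec3_hash("*." + encloser, salt_hex, iterations)
        if all(any(covers(o, n, h) for o, n in chain.items()) for h in (next_closer, wildcard)):
            return encloser, next_closer, wildcard
        return None
    return None

def build_chain(names, salt_hex="-", iterations=10):
    """Constructed helper: the NSEC3 chain a signer would emit for these existing names."""
    hashes = sorted(nsec3_hash(n, salt_hex, iterations) for n in names)
    return [(hashes[i], hashes[(i + 1) % len(hashes)]) for i in range(len(hashes))]
```

Feeding it the owner and next hashes of an actual response shows which records the proof consumes; any record left unused is surplus, which is what makes the extra record in the PDNS answer stand out.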
[Pdns-users] pdns generates records when presigned=1 is set
Hi,

I noticed a strange DNSSEC behavior with pdns 3.0 (and the PostgreSQL backend): I have loaded a zone into the db; the zone is unsigned but the domainmetadata PRESIGNED is set to 1. Everything works fine, except if I ask for a non-available record (with the DNSSEC-OK flag set in the query); then I receive 2 additional NSEC records.

Without DNSSEC-OK query flag:

;; QUESTION SECTION:
;.unsigned.at. IN A

;; AUTHORITY SECTION:
unsigned.at. 3600 IN SOA ns2.at43.at. office.enum.at. 2 1200 3600 604800 600

With DNSSEC-OK query flag:

;; QUESTION SECTION:
;.unsigned.at. IN A

;; AUTHORITY SECTION:
unsigned.at. 3600 IN SOA ns2.at43.at. office.enum.at. 2 1200 3600 604800 600
www.unsigned.at. 3600 IN NSEC www.unsigned.at. A RRSIG NSEC
unsigned.at. 3600 IN NSEC www.unsigned.at. A NS SOA MX RRSIG NSEC DNSKEY

I know this setup (PRESIGNED=1 and an unsigned domain) is an undocumented setup, but I think it would be a good feature if PRESIGNED=1 disabled all automatic record generation and pdns served only the records it has configured in its backend. That way it would be possible, if I have a lot of slave zones which are a mix of DNSSEC-signed and unsigned, to configure all zones the same way (like in Bind).

Do you have any comments on this?

Best,
Michael
[Pdns-users] PowerDNSSEC
Hi,

I'm currently evaluating the PowerDNSSEC implementation and found 2 issues:

-) Is it possible to disable the signing-on-demand feature? I want PowerDNS to act as slave to a hidden master which does the signing of the domain, and PowerDNS should just serve the signed zone (without any resigning and without access to the keys).

-) I tried the PostgreSQL backend, but I always received the following error message:

TCP server is unable to launch backends - will try again when questions come in: Undefined but needed argument: 'gpgsql-dnssec'.

What is the format of the missing 'gpgsql-dnssec' parameter I have to add?

Best,
Michael