On Tue, 17 Jul 2012 14:42:09 +0300, Aki Tuomi wrote:
> On Tue, Jul 17, 2012 at 01:24:19PM +0200, Christof Meerwald wrote:
>> Whatever you call it - RRSIG records shouldn't be duplicated during an
>> AXFR. For a pre-signed zone, the RRSIG records are part of the zone
>> data, but the signer tries to add another set of RRSIG records - so
>> one set of RRSIG records needs to be suppressed.
> So... Correct me if I am wrong but you are transferring a pre-signed zone
> with AXFR from master, and master tries to sign it again? Or did I understand
> you completely wrong? Can you give more details on the problem you are
> experiencing? Btw, it cannot sign your records without signing key.
Well, when you have a pre-signed zone in PowerDNS, it tries to add the
appropriate (existing) RRSIG records to any responses. This logic also
applies to AXFRs, where PowerDNS tries to add the appropriate RRSIG records
to the zone data during the transfer. But as you already have a pre-signed
zone, the RRSIG records are already in the zone data and adding them again
just results in duplicates.

So either you ignore the RRSIG records and let PowerDNS add them again
during the zone transfer processing (which has the benefit of keeping most
of the logic common), or you can special-case the AXFR logic for pre-signed
zones where it just dumps the zone data without doing any post-processing
for RRSIG records.

So the main problem with 3.1 is that you get duplicate RRSIG records from an
AXFR, but the NSEC3PARAM record is also broken and you get some unwanted
additional NSEC3 records.

Christof

-- 
http://cmeerw.org                              sip:cmeerw at cmeerw.org
mailto:cmeerw at cmeerw.org                   xmpp:cmeerw at cmeerw.org
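The symptom described in this thread (an AXFR of a pre-signed zone that carries every RRSIG twice) is easy to confirm from the transfer output itself. The following checker is an added example, not code from the thread or from PowerDNS: it parses the presentation-format lines that `dig -t AXFR` prints, reports exact duplicate records, lists RRsets that have no covering RRSIG, and produces a deduplicated record list. The `SAMPLE_AXFR` text is constructed to mimic the reported behaviour (the zone name, key tag and signature data are placeholders, not real DNSSEC material); the NSEC3 chain problems mentioned above are out of scope for this check.

```python
"""Sanity-check an AXFR dump of a pre-signed zone for duplicated RRSIGs."""
from collections import Counter

# Constructed sample in dig-style presentation format (not a real transfer).
# Every RRSIG at the apex appears twice, as the thread reports for PowerDNS 3.1;
# the NSEC3PARAM record is left unsigned so the "unsigned RRset" check fires too.
SAMPLE_AXFR = """\
; <<>> constructed AXFR output <<>>
example.org.  3600 IN SOA ns1.example.org. hostmaster.example.org. 2012071701 3600 900 604800 3600
example.org.  3600 IN RRSIG SOA 8 2 3600 20120801000000 20120701000000 12345 example.org. AAAAsigdata==
example.org.  3600 IN RRSIG SOA 8 2 3600 20120801000000 20120701000000 12345 example.org. AAAAsigdata==
example.org.  3600 IN NS ns1.example.org.
example.org.  3600 IN RRSIG NS 8 2 3600 20120801000000 20120701000000 12345 example.org. BBBBsigdata==
example.org.  3600 IN RRSIG NS 8 2 3600 20120801000000 20120701000000 12345 example.org. BBBBsigdata==
example.org.  3600 IN NSEC3PARAM 1 0 10 ABCD
www.example.org. 300 IN A 192.0.2.10
www.example.org. 300 IN RRSIG A 8 3 300 20120801000000 20120701000000 12345 example.org. CCCCsigdata==
"""


def parse_axfr(text):
    """Parse one-record-per-line presentation format into
    (owner, ttl, class, type, rdata) tuples.

    Comment lines (';') and blank lines are skipped.  Assumes an explicit TTL
    and class on every line, which is what 'dig -t AXFR' emits."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split(None, 4)
        if len(fields) < 5:
            raise ValueError("unparseable record line: %r" % line)
        owner, ttl, cls, rtype, rdata = fields
        # Normalise case and inner whitespace so textual variants compare equal.
        records.append((owner.lower(), int(ttl), cls.upper(), rtype.upper(),
                        " ".join(rdata.split())))
    return records


def duplicate_records(records):
    """Return {record: occurrences} for every record that appears more than once."""
    counts = Counter(records)
    return {rec: n for rec, n in counts.items() if n > 1}


def dedupe(records):
    """Drop repeated records while preserving the original order."""
    seen, out = set(), []
    for rec in records:
        if rec not in seen:
            seen.add(rec)
            out.append(rec)
    return out


def unsigned_rrsets(records):
    """List (owner, type) RRsets that have no RRSIG covering that type.

    In a fully signed zone every authoritative RRset should be covered; glue
    and delegation NS records are legitimately unsigned, so treat hits as
    items to review rather than as hard errors."""
    covered = set()
    for owner, _, _, rtype, rdata in records:
        if rtype == "RRSIG":
            covered.add((owner, rdata.split()[0].upper()))  # first rdata field = type covered
    rrsets = []
    for owner, _, _, rtype, _ in records:
        if rtype != "RRSIG" and (owner, rtype) not in rrsets:
            rrsets.append((owner, rtype))
    return [rs for rs in rrsets if rs not in covered]


def check_axfr(text):
    """Run all checks over an AXFR dump and return a summary dict."""
    records = parse_axfr(text)
    return {
        "total": len(records),
        "unique": len(dedupe(records)),
        "duplicates": duplicate_records(records),
        "unsigned": unsigned_rrsets(records),
    }


if __name__ == "__main__":
    report = check_axfr(SAMPLE_AXFR)
    print("records: %d (unique %d)" % (report["total"], report["unique"]))
    for (owner, _, _, rtype, rdata), n in report["duplicates"].items():
        print("DUPLICATE x%d: %s %s %s" % (n, owner, rtype, rdata.split()[0]))
    for owner, rtype in report["unsigned"]:
        print("UNSIGNED RRset: %s %s" % (owner, rtype))
```

Run it against a real dump with `dig @master -t AXFR zone > dump.txt` and feed the file contents to `check_axfr`; a healthy pre-signed zone should report no duplicates, and the deduplicated list is what the transfer should have contained in the first place.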
