Hi Folks, I can confirm this problem got fixed in build 2181.
This build also fixes "[Pdns-users] DNSsec DS trouble in single server TLD setup".

On Tue, Apr 26, 2011 at 06:00:02PM +0200, Niek wrote:
> Hi Folks,
>
> In addition to the findings I communicated to this list in "DNSsec DS trouble
> in single server TLD setup" on Thu Apr 21, I tried to delegate a subdomain
> with DNSsec on PowerDNS Server (pdns-3.0-rc2.20110419.2176).
>
> If both parent domain and child domain are hosted within the same instance of
> PowerDNS (with mysql backend), I fail because PowerDNS refuses to serve me the
> DS of the subzone.
>
> I do not know if this is the normal way to go for this sort of thing, the
> alternative is to put the child RR's into the parent zone. This works fine,
> but putting it all into the parent zone becomes very messy very fast.
> As an ISP we have subzones with 40,000+ RR's, I'm not especially looking
> forward to bundling those into 200,000+ RR zones.
>
> Also, if you put all records in the parent zone, you will have a harder time
> delegating responsibilities for sub zones to e.g. another office. You can in
> this scenario make two extra servers of course, but then you have to take care
> of 4 servers.
>
>
> Here's what I did:
>
> domain_id 5 = parent (pre-exists)
> domain_id 6 = child
>
> Create subdomain
> =========================================================================
> INSERT INTO `powerdns`.`domains` (
> `id` ,
> `name` ,
> `master` ,
> `last_check` ,
> `type` ,
> `notified_serial` ,
> `account`
> )
> VALUES (
> NULL , 'sales.securename.nl', NULL , NULL , 'NATIVE', NULL , NULL
> );
>
>
> NS of subdomain in child zone
> =========================================================================
> INSERT INTO `powerdns`.`records` (
> `id` ,
> `domain_id` ,
> `name` ,
> `type` ,
> `content` ,
> `ttl` ,
> `prio` ,
> `change_date` ,
> `ordername` ,
> `auth`
> )
> VALUES (
> NULL , '6', 'sales.securename.nl', 'NS',
> 'dnssec-auth-bis.mer-nm.internl.net', '600', '0', NULL , NULL , '1'
> );
>
>
> SOA of subdomain in child zone
> =========================================================================
> INSERT INTO `powerdns`.`records` (
> `id` ,
> `domain_id` ,
> `name` ,
> `type` ,
> `content` ,
> `ttl` ,
> `prio` ,
> `change_date` ,
> `ordername` ,
> `auth`
> )
> VALUES (
> NULL , '6', 'sales.securename.nl', 'SOA',
> 'dnssec-auth-bis.mer-nm.internl.net blah.internl.net 2011042600 7200 3600 604800 3600',
> '600', '0', NULL , NULL , '1'
> );
>
>
> MX of subdomain in child zone
> =========================================================================
> INSERT INTO `powerdns`.`records` (
> `id` ,
> `domain_id` ,
> `name` ,
> `type` ,
> `content` ,
> `ttl` ,
> `prio` ,
> `change_date` ,
> `ordername` ,
> `auth`
> )
> VALUES (
> NULL , '6', 'sales.securename.nl', 'MX', 'mail.sales.securename.nl', '600',
> '10', NULL , NULL , '1'
> );
>
>
> A of MX of subdomain in child zone
> =========================================================================
> INSERT INTO `powerdns`.`records` (
> `id` ,
> `domain_id` ,
> `name` ,
> `type` ,
> `content` ,
> `ttl` ,
> `prio` ,
> `change_date` ,
> `ordername` ,
> `auth`
> )
> VALUES (
> NULL , '6', 'mail.sales.securename.nl', 'A', '1.2.3.4', '600', '0', NULL ,
> NULL , '1'
> );
>
>
> Check
> ===========================================================================
> dig +multiline ns sales.securename.nl @dnssec-auth-bis.mer-nm.internl.net
> -> works
> dig +multiline soa sales.securename.nl @dnssec-auth-bis.mer-nm.internl.net
> -> works
>
>
> DNSsec-ify
> ===========================================================================
> pdnssec secure-zone sales.securename.nl
> pdnssec set-nsec3 sales.securename.nl
> pdnssec rectify-zone sales.securename.nl
> pdnssec check-zone sales.securename.nl
>
> pdnssec show-zone sales.securename.nl
> DS = sales.securename.nl IN DS 42385 8 2 ec12ab2e160eab1681ea3031b2d72b04d61a58cc914ecb68a3a39a17d5eb0eb6
>
> INSERT INTO `powerdns`.`records` (
> `id` ,
> `domain_id` ,
> `name` ,
> `type` ,
> `content` ,
> `ttl` ,
> `prio` ,
> `change_date` ,
> `ordername` ,
> `auth`
> )
> VALUES (
> NULL , '5', 'sales.securename.nl', 'DS',
> '42385 8 2 ec12ab2e160eab1681ea3031b2d72b04d61a58cc914ecb68a3a39a17d5eb0eb6',
> '600', '0', NULL , NULL , '1'
> );
>
> pdnssec rectify-zone sales.securename.nl
> pdnssec rectify-zone securename.nl
>
> /etc/init.d/pdns restart
>
> dig +multiline +dnssec dnskey sales.securename.nl @dnssec-auth-bis.mer-nm.internl.net
> -> works
> dig +multiline +dnssec soa sales.securename.nl @dnssec-auth-bis.mer-nm.internl.net
> -> works
> dig +multiline +dnssec ns sales.securename.nl @dnssec-auth-bis.mer-nm.internl.net
> -> works
> dig +multiline +dnssec ds sales.securename.nl @dnssec-auth-bis.mer-nm.internl.net
> -> Fails, only NSEC3 output
>
> Which means that validation fails.
>
>
> Any remarks or suggestions?
>
> BTW, this setup no longer exists, but I can re-create it if needed.
>
>
>
> Kind regards,
> -- Niek
> ----------------------------------------------------------------
> _______________________________________________
> Pdns-users mailing list
> Pdns-users@mailman.powerdns.com
> http://mailman.powerdns.com/mailman/listinfo/pdns-users
>

Grtz,
-- Niek
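
Added example, not part of the original thread and not PowerDNS code: before inserting a DS row into the parent zone as in the quoted steps, the DS content can be recomputed from the child's DNSKEY and compared with what is stored. The function names, the flags value 257 and the 4-byte sample key are assumptions made for illustration; the DS string is the one quoted in the post.

```python
import base64
import hashlib
import struct

# DS content as quoted in the post (from `pdnssec show-zone`).
PAGE_DS = "42385 8 2 ec12ab2e160eab1681ea3031b2d72b04d61a58cc914ecb68a3a39a17d5eb0eb6"
# Constructed sample key material (4 bytes), NOT the real key of the zone.
SAMPLE_KEY_B64 = "AQIDBA=="


def name_to_wire(name):
    """Canonical lowercase wire form of an owner name (RFC 4034, section 6.2)."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: 16-bit flags, protocol, algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034, appendix B)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner, flags, protocol, algorithm, key_b64):
    """DS content with digest type 2: SHA-256(owner wire name | DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return f"{key_tag(rdata)} {algorithm} 2 {digest}"


def ds_matches(ds_content, owner, flags, protocol, algorithm, key_b64):
    """Compare a stored DS with the computed one, tolerating wrapped or upper-case hex."""
    parts = ds_content.split()
    if len(parts) < 4:
        return False
    stored = " ".join(parts[:3] + ["".join(parts[3:]).lower()])
    return stored == make_ds(owner, flags, protocol, algorithm, key_b64)


if __name__ == "__main__":
    own = make_ds("sales.securename.nl", 257, 3, 8, SAMPLE_KEY_B64)
    print(own, ds_matches(own, "sales.securename.nl", 257, 3, 8, SAMPLE_KEY_B64))
    # The sample key is not the zone's key, so the DS from the post must not match.
    print(ds_matches(PAGE_DS, "sales.securename.nl", 257, 3, 8, SAMPLE_KEY_B64))
```

With the real key, pass the flags, protocol, algorithm and base64 fields from the child's DNSKEY answer; a mismatch means the DS row in the parent would not validate even once the server returns it.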