Dear all,

I deployed DNSSEC yesterday for my domains. First, my situation: I have a Windows Server 2008 primary name server and a PowerDNS 3.1 slave server. This slave runs on Ubuntu 12.04 and I have compiled it from source myself. I use the gmysql backend btw.

Now there seems to be something strange going on: I have a domain, tandemse.nl, for which DNSSEC is being used. I have an A-record for *.tandemse.nl. If I ask the Windows server for an A-record for randomsubdomain.tandemse.nl I get this response (sorry for a lot of copy-paste, I truncated useless stuff):

--------------
$ dig randomsubdomain.tandemse.nl in A @ns1.tandemse.nl +dnssec
[…]
;; ANSWER SECTION:
randomsubdomain.tandemse.nl. 3600 IN A 80.113.202.87
randomsubdomain.tandemse.nl. 3600 IN RRSIG A 5 2 3600 20120904082043 20120805082043 18273 tandemse.nl. BIev96aAl3DfATr+sepXXdf54ohBzV2EBViGl/iwXDY/upPBBsSVgwh5 gOwgRl7U/lyb176N4koav0Ay5JJhhFFllk7kmkfnlLGfQ3g0JwpRXkKG BMaaUZRJdzrQs5TYoLgrLvnJnkGcXnGD926q+jb2pOAKcJMvcaJczUcP BFfhDKhyOrvUar/PARsCBlL4H3nWz3pmdXEW/m49/aJ0TMTq1bxgbSvR sSfpyTyERQI1mYRpiwU7soDsodVGFDMLKcwIqi07fV1I9TwYrYKgKUkp TuHThZd/46HygCwrZIHNyRQRIldn/5gqBKtxlSc6rkUNlVJnNc+qrpFy Otgskg==

;; AUTHORITY SECTION:
rails-server.tandemse.nl. 3600 IN NSEC tandemse.nl. A AAAA RRSIG NSEC
rails-server.tandemse.nl. 3600 IN RRSIG NSEC 5 3 3600 20120904082043 20120805082043 18273 tandemse.nl. lgKh6d6DEUsuq2IEBSxqwwYRXV3uCkRdnNavCyr2mLkI19skLNEBIkRH n3GGGRjD8jUFF4LT/dKl8deZhMsNoXgC3Xzr5XGumuy9GHn8ZgS/Gx9T a4444GrBtSZJq+RZ2l2AQ4aCd5I0FBHt4i9du50XNRygWOYGsVdIdE+G qSBhltKU2NOm4IfnkGIYSgbMcQJMr2oNZXG/O0wo937D9XEbMoxOMnUj PYdW6/0m/PdbHGPVzg5+GlncDpK+IwGSm39WG4M4ModKJWr0y+3i8cAB CIIzdX7zSsbzZOddySeHMfGH2EKNFrpDURWH/ls1rmjnqhrVa4udFKhh +Bx6CA==
[…]
--------------

However, when I ask my slave PowerDNS server, I get the following response:

--------------
$ dig randomsubdomain.tandemse.nl in A @ns2.tandemse.nl +dnssec
[…]
;; ANSWER SECTION:
randomsubdomain.tandemse.nl. 3600 IN A 80.113.202.87

;; AUTHORITY SECTION:
rails-server.tandemse.nl. 3600 IN NSEC _autodiscover._tcp.tandemse.nl. A AAAA RRSIG NSEC
rails-server.tandemse.nl. 3600 IN RRSIG NSEC 5 3 3600 20120904082043 20120805082043 18273 tandemse.nl. lgKh6d6DEUsuq2IEBSxqwwYRXV3uCkRdnNavCyr2mLkI19skLNEBIkRH n3GGGRjD8jUFF4LT/dKl8deZhMsNoXgC3Xzr5XGumuy9GHn8ZgS/Gx9T a4444GrBtSZJq+RZ2l2AQ4aCd5I0FBHt4i9du50XNRygWOYGsVdIdE+G qSBhltKU2NOm4IfnkGIYSgbMcQJMr2oNZXG/O0wo937D9XEbMoxOMnUj PYdW6/0m/PdbHGPVzg5+GlncDpK+IwGSm39WG4M4ModKJWr0y+3i8cAB CIIzdX7zSsbzZOddySeHMfGH2EKNFrpDURWH/ls1rmjnqhrVa4udFKhh +Bx6CA==
[…]
--------------

As can be seen, the RRSIG for the A-record is missing (and the NSEC is different, which should also not be the case, right?). Now my question is: is the Windows Server doing this wrong or is it the PowerDNS slave? Because the A-record is for "*" and not for "randomsubdomain".

Regards,
Nicky Gerritsen

P.S. Yes, I know I should better use NSEC3; however, apparently Windows Server does not support this :(
_______________________________________________ Pdns-users mailing list [email protected] http://mailman.powerdns.com/mailman/listinfo/pdns-users
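
Added example, not part of the original post: the structural checks a validating resolver applies to a wildcard-expanded answer (RRSIG labels field, NSEC coverage in canonical order), run against the two responses quoted above. The record fields are transcribed from the post's dig output with signature data omitted; the dictionary layout and function names are assumptions made for this sketch, and no signature is verified cryptographically.

```python
# Fields transcribed from the two dig outputs in the post (signatures omitted).
QNAME = "randomsubdomain.tandemse.nl."
APEX = "tandemse.nl."
NS1 = {"answer_rrsig_labels": 2,     # "RRSIG A 5 2 ..." was returned
       "nsec": ("rails-server.tandemse.nl.", "tandemse.nl.")}
NS2 = {"answer_rrsig_labels": None,  # no RRSIG returned with the A record
       "nsec": ("rails-server.tandemse.nl.", "_autodiscover._tcp.tandemse.nl.")}


def canon(name):
    """Canonical sort key (RFC 4034 6.1): lowercased labels, rightmost first."""
    return [l.lower().encode() for l in reversed(name.rstrip(".").split("."))]


def wildcard_source(qname, rrsig_labels):
    """Wildcard name the answer was expanded from, or None for an exact match.

    The RRSIG labels field (RFC 4034 3.1.3) counts the labels of the original
    owner name without the leading "*"; fewer labels than qname means expansion.
    """
    parts = qname.rstrip(".").split(".")
    if rrsig_labels >= len(parts):
        return None
    return "*." + ".".join(parts[len(parts) - rrsig_labels:]) + "."


def nsec_covers(owner, nxt, qname, apex):
    """True if the NSEC proves that no exact match for qname exists."""
    o, n, q = canon(owner), canon(nxt), canon(qname)
    if o < n:                        # ordinary link in the NSEC chain
        return o < q < n
    # Last NSEC in the zone: its next name must be the apex (RFC 4034 4.1.1).
    return n == canon(apex) and q > o


def check(resp, qname=QNAME, apex=APEX):
    """List what a validator would object to in a wildcard answer."""
    problems = []
    if resp["answer_rrsig_labels"] is None:
        problems.append("A RRset has no covering RRSIG")
    if not nsec_covers(*resp["nsec"], qname, apex):
        problems.append("NSEC does not prove the absence of an exact match")
    return problems


if __name__ == "__main__":
    for server, resp in (("ns1", NS1), ("ns2", NS2)):
        print(server, check(resp) or "structurally consistent")
```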
