Hi Nick,

On Sat, 9 Jan 2016 14:48:12 -0600 Nicholas Williams <nicho...@nicholaswilliams.net> wrote:

> But the documentation says the opposite. It says NOT to create
> NSEC(3) records (in fact, zone2sql intentionally ignores them, even
> for presigned zones), because (again, it says) PowerDNS generates
> them automatically, even for presigned zones. It also says that
> manually inserting NSEC3 records could cause errors. So the
> documentation makes clear that, on presigned zones, it is still the
> authority. Indeed, PowerDNS IS generating the NSEC3 records (as I
> showed), just not signing them.

This is indeed the way this works. As the NXDOMAIN generation code works as it should, the design choice was made to 'just' generate NSECs on the fly. The signatures still have to be provided in the presigned zone.

> How could I possibly presign records that PowerDNS generates? I
> can't. So why does PowerDNS prohibit me creating NSEC3 records,
> generate them for me, but not sign them?

This is because pre-signed zones (from e.g. opendnssec, ldns-signzone or slaved from a master) contain the RRSIGs to the negative answers.

> That is, at best, poor design. But I'm confident it's a bug or I've
> configured something incorrectly.

I agree this is an 'interesting' design choice made back in the day. In normal operation (using other tools to generate DNSSEC records or slaving the zone) this will never come up. I agree that the docs are not very verbose on how presigned zones work; we'll fix this in the coming weeks.

-- 
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
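The symptom discussed in this thread, an NXDOMAIN answer whose NSEC3 records in the AUTHORITY section have no RRSIG over them, is easy to miss by eye because the NSEC3 records themselves look fine. The following is an added example, not code from the thread or from PowerDNS: a small checker that parses `dig +dnssec` presentation-format output and lists every SOA/NSEC/NSEC3 RRset in the AUTHORITY section that no RRSIG in that section covers. It assumes standard `dig` layout (";; <NAME> SECTION:" headers and owner/TTL/class/type/rdata columns); the two embedded transcripts are constructed samples whose hashed owner names and signature blobs are placeholders of the right shape, not captured data.

```python
"""Flag unsigned denial-of-existence records in a `dig +dnssec` answer.

Usage: dig +dnssec nosuchname.example.com @ns1.example.com | python3 check_neg.py
With no piped input the constructed SAMPLE_UNSIGNED transcript is checked.
Assumption (not from the thread or PowerDNS): standard dig output layout."""
import re
import sys

NEGATIVE_TYPES = {"SOA", "NSEC", "NSEC3"}

# Constructed sample records, not captured from a real server.  The NSEC3
# owner names are base32hex-looking placeholders; signature blobs are dummies.
SOA_RR = ("example.com.\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. "
          "2016010901 10800 3600 604800 3600")
SOA_RRSIG = ("example.com.\t3600\tIN\tRRSIG\tSOA 8 2 3600 20160201000000 "
             "20160101000000 12345 example.com. c29hLXNpZw==")
HASH1 = "u7f0n9nbelh0m9u8gq3j4r9o1k5tl3vp.example.com."
HASH2 = "8ccndlgr4o2l1b0p3k5f4r7tq0uc2e1q.example.com."
AUTHORITY_UNSIGNED = [  # NSEC3 synthesized on the fly, no RRSIG: the thread's symptom
    SOA_RR, SOA_RRSIG,
    f"{HASH1}\t3600\tIN\tNSEC3\t1 0 1 ab12 v8g1o0obfmi1n0v9hr4k5s0p2l6um4uq A RRSIG",
    f"{HASH2}\t3600\tIN\tNSEC3\t1 0 1 ab12 9dd0emhs5p3m2c1q4l6g5s8ur1vd3f2r "
    "NS SOA RRSIG DNSKEY NSEC3PARAM",
]
AUTHORITY_SIGNED = AUTHORITY_UNSIGNED + [  # what a fully presigned zone returns
    f"{HASH1}\t3600\tIN\tRRSIG\tNSEC3 8 3 3600 20160201000000 20160101000000 "
    "12345 example.com. bnNlYzMtc2lnLTE=",
    f"{HASH2}\t3600\tIN\tRRSIG\tNSEC3 8 3 3600 20160201000000 20160101000000 "
    "12345 example.com. bnNlYzMtc2lnLTI=",
]


def dig_like(status, authority):
    """Assemble a minimal dig-style transcript around an AUTHORITY section."""
    return "\n".join([
        f";; ->>HEADER<<- opcode: QUERY, status: {status}, id: 4242",
        f";; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: {len(authority)}, ADDITIONAL: 1",
        "",
        ";; QUESTION SECTION:",
        ";nosuchname.example.com.\t\tIN\tA",
        "",
        ";; AUTHORITY SECTION:",
        *authority,
        "",
        ";; Query time: 1 msec",
    ])


SAMPLE_UNSIGNED = dig_like("NXDOMAIN", AUTHORITY_UNSIGNED)
SAMPLE_SIGNED = dig_like("NXDOMAIN", AUTHORITY_SIGNED)


def response_status(dig_text):
    """RCODE as dig prints it in the header line, e.g. 'NXDOMAIN'."""
    m = re.search(r"status: (\w+)", dig_text)
    return m.group(1) if m else None


def parse_section(dig_text, section="AUTHORITY"):
    """Records of one section as (owner, type, rdata_tokens).
    TTL and class (columns 2 and 3) are skipped; dig always prints both."""
    records, in_section = [], False
    for line in dig_text.splitlines():
        if line.startswith(";; ") and line.endswith("SECTION:"):
            in_section = line == f";; {section} SECTION:"
            continue
        if not in_section or not line.strip() or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5:
            continue
        records.append((fields[0].lower(), fields[3].upper(), fields[4:]))
    return records


def unsigned_negative_rrsets(dig_text):
    """(owner, type) of every SOA/NSEC/NSEC3 RRset in AUTHORITY that no RRSIG
    in that section covers.  Empty means the denial is at least fully signed;
    it says nothing about whether the signatures actually verify."""
    records = parse_section(dig_text)
    covered = {(owner, rdata[0].upper()) for owner, rtype, rdata in records if rtype == "RRSIG"}
    present = {(owner, rtype) for owner, rtype, _ in records if rtype in NEGATIVE_TYPES}
    return sorted(present - covered)


if __name__ == "__main__":
    text = SAMPLE_UNSIGNED if sys.stdin.isatty() else sys.stdin.read()
    missing = unsigned_negative_rrsets(text)
    print(f"status={response_status(text)} unsigned_rrsets={missing}")
    sys.exit(1 if missing else 0)
```

A non-empty result is exactly the case the thread describes: the server hands out NSEC3 records but the presigned zone it was loaded from never contained RRSIGs for them, so a validating resolver cannot authenticate the denial of existence and will return SERVFAIL for the name. Running the checker against the authoritative server directly (rather than through a resolver) is what shows the gap, because a validating resolver hides it behind the SERVFAIL.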