Hi Pieter,

On 09/09/2016 07:00 AM, Pieter Lexis wrote:
>> I set up the recursor (4.0.3) with a separate zone file that I
>> declared authoritative using the auth-zones directive. The zone file
>> contains DNSSEC signatures.
>>
>> However, when querying the recursor using dig +dnssec, only the
>> requested record types (e.g. A) are returned, but not the RRSIG records
>> (although they can be requested manually).
>>
>> Is this intended?
>>
>> I am aware that there would be complications in narrow NSEC3 mode when
>> non-existent records are queried, but with regular NSEC3, everything
>> needed can be extracted from the zone file itself (it has an NSEC3PARAM
>> record).
>
> DNSSEC signed zones in the recursor are not supported. We are not even sure
> that this will be supported in the future, as there is no way (apart from
> reloading the zones) to e.g. update the signatures. We also don't want to
> turn the recursor into a 'full-fledged' authoritative server. Can you share
> (in a GitHub issue) what the masterplan behind this kind of configuration is?
I just noticed this when playing around with the auth-zones feature of the recursor. This doesn't have a solidly justified use case, so I don't think it's worth a GitHub issue.

However, the current state of the documentation suggests that this is supported (dnssec=process-no-validate: "will provide DNSSEC related RRsets (NSEC, RRSIG) to clients that ask for them", together with auth-zones: "Zones read from these files (in BIND format) are served authoritatively"). I will submit a pull request to improve the documentation.

Best,
Peter
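A quick way to check what a resolver actually hands out in the situation Peter describes, as an added example that is not from this thread: a POSIX shell function that scans the ANSWER section of `dig +dnssec` output for an RRSIG covering the queried type. The two dig outputs below are constructed samples (one matching what the documentation promises, one matching what the recursor returned), and the resolver address and zone name in the live helper are placeholders.

```shell
#!/bin/sh
# rrsig_covers OUTPUT NAME TYPE
# Exit 0 if the ANSWER section of OUTPUT (text from `dig +dnssec NAME TYPE`)
# contains an RRSIG record for NAME whose "type covered" field equals TYPE.
# dig prints answer lines as: <name> <ttl> IN RRSIG <covered> <alg> ...
rrsig_covers() {
    case "$2" in *.) name="$2" ;; *) name="$2." ;; esac   # dig prints FQDNs with a trailing dot
    printf '%s\n' "$1" | awk -v name="$name" -v type="$3" '
        /^;; ANSWER SECTION:/ { in_ans = 1; next }
        /^;;/                 { in_ans = 0 }
        in_ans && $1 == name && $4 == "RRSIG" && $5 == type { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_resolver RESOLVER NAME TYPE: run the live query and apply the check.
# Not exercised here; RESOLVER and NAME are placeholders for your own setup.
check_resolver() {
    rrsig_covers "$(dig +dnssec @"$1" "$2" "$3")" "$2" "$3"
}

# Constructed sample: answer with the signature alongside the A record
# (the behaviour the dnssec=process-no-validate documentation describes).
SAMPLE_WITH_SIG=';; ANSWER SECTION:
www.example.org.	3600	IN	A	192.0.2.10
www.example.org.	3600	IN	RRSIG	A 8 3 3600 20161009000000 20160909000000 12345 example.org. c29tZXNpZw==

;; Query time: 1 msec'

# Constructed sample: answer with only the requested RRset
# (what the thread reports the recursor returning for an auth-zone).
SAMPLE_NO_SIG=';; ANSWER SECTION:
www.example.org.	3600	IN	A	192.0.2.10

;; Query time: 1 msec'

if rrsig_covers "$SAMPLE_WITH_SIG" www.example.org A; then
    echo "sample 1: RRSIG for A present"
else
    echo "sample 1: RRSIG for A missing"
fi
if rrsig_covers "$SAMPLE_NO_SIG" www.example.org A; then
    echo "sample 2: RRSIG for A present"
else
    echo "sample 2: RRSIG for A missing"
fi
```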
_______________________________________________
Pdns-users mailing list
[email protected]
https://mailman.powerdns.com/mailman/listinfo/pdns-users
