Okay, thanks. Then I will remove DNSSEC from those domains 😊

Kind regards,
Steffan Noord

-----Original message-----
From: Pdns-users <pdns-users-boun...@mailman.powerdns.com> On behalf of Pieter Lexis via Pdns-users
Sent: Tuesday, 9 March 2021 15:32
To: pdns-users@mailman.powerdns.com
Subject: Re: [Pdns-users] DNSSEC UDP problems

Hi,

On 3/9/21 3:01 PM, Steffan via Pdns-users wrote:
>> Are you actually using AXFR to transfer the zone to the nameservers? Or are
>> you using database replication? Because ALIAS live-signing is not
>> implemented, only signing on AXFR-out is implemented. This is in the
>> documentation I sent you earlier and there's an open ticket[1] (point 6)
>> as well.
>
> I'm using mysql backend on both dns servers. Both are set up as masters,
> and mysql is replicated from the master DB server.

So the answer to my question was "No, the public nameservers serve the
expanded ALIASes directly". Which is exactly the situation in which the
expanded ALIAS records are not signed, leading to the issues you have.

The only way to get a signed, expanded ALIAS response is to AXFR from a
hidden primary to public secondaries. PowerDNS will then sign the expanded
ALIAS data when it serves out the AXFR.

I hope this clears up the confusion somewhat.

>> 1 - https://github.com/PowerDNS/pdns/issues/3838
>
> - I'm sorry for the beginner's question. As far as I know it has always
> worked.

Live-signing expanded ALIAS records never worked, in any version of
PowerDNS. This is on our wish-list, but no work has been done there, as all
known ALIAS installations use the AXFR method.

Cheers,

Pieter

--
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
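
The layout Pieter describes (a hidden primary that expands and signs ALIAS on AXFR-out, with public secondaries serving the transferred zone) sketched as an added configuration example; it is not from the thread or from the PowerDNS project. All addresses and the zone name are documentation placeholders, and the setting names are assumed from PowerDNS Authoritative 4.x as current at the time of this thread (later releases rename master/slave to primary/secondary).

```ini
# --- hidden primary: pdns.conf (not listed in the zone's NS set) ---
launch=gmysql
# Act as primary: send NOTIFY and serve AXFR.
master=yes
# Resolver used to look up the ALIAS target (placeholder address).
resolver=192.0.2.53:53
# Replace ALIAS with the resolved A/AAAA records in outgoing AXFR.
# Zones secured on this server (pdnsutil secure-zone) are signed as the
# AXFR is served, so the expanded records leave with RRSIGs.
outgoing-axfr-expand-alias=yes
# Only the public secondaries may transfer the zone (placeholder addresses).
allow-axfr-ips=198.51.100.10,198.51.100.11
# Notify the public secondaries on zone changes.
also-notify=198.51.100.10,198.51.100.11

# --- public secondary: pdns.conf (one per public nameserver) ---
launch=gmysql
# Act as secondary: accept NOTIFY and pull zones via AXFR.
slave=yes
# Each secondary uses its own local database, NOT a MySQL replica of the
# primary's database. With a replica the secondary would hold the raw
# ALIAS record and the DNSSEC keys and would expand ALIAS live,
# unsigned, which is the failure discussed in this thread.
#
# Create the zone on each secondary as a slave zone pointing at the
# hidden primary (placeholder zone and address):
#   pdnsutil create-slave-zone example.com 192.0.2.1
#
# The zone arrives already signed; the secondary holds no private keys
# and serves the transferred RRSIGs as-is.
```

After the first transfer, querying a public secondary for the ALIAS name with `dig +dnssec` should return the A/AAAA records together with their RRSIGs.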