Re: [Pdns-users] DNSsec DS trouble in single server TLD setup
Niek,

> I can confirm that build 2181 fixes this problem completely.

For the record it is fully fixed in r2183 ;-) Bert just completed that.

-JP
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] DNSsec DS trouble in single server TLD setup
Hi JP,

Over here it looks okay:

; <<>> DiG 9.6.1-P2 <<>> +nodnssec powerdnssec.org ds
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16718
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;powerdnssec.org.		IN	DS

;; ANSWER SECTION:
powerdnssec.org.	86332	IN	DS	2224 5 1 CD79B0D2639AAA5AE5ABDC80003836E5E5E0C506

On Wed, Apr 27, 2011 at 04:58:43PM +0200, Jan-Piet Mens wrote:
> Bert,
>
> > Build 2181 is up which fixes your initial DS bug. Can you check if things
> > are ok now?
>
> r2181 fixes this for me, but I note that DS records are served only when
> querying with +dnssec. Omitting the switch gives NOERROR and NODATA.
> (This behaviour differs from that of BIND and NSD.)
>
> For example:
>
> dig +nodnssec powerdnssec.org ds
>
> Regards,
>
> -JP

Grtz,
--
Niek
Re: [Pdns-users] DNSsec DS trouble in single server TLD setup
Great job Bert!

I can confirm that build 2181 fixes this problem completely. And it also fixes
"[Pdns-users] Delegating a subdomain with DNSsec fails if child and parent zone
are on same server"

On Wed, Apr 27, 2011 at 10:59:00AM +0200, bert hubert wrote:
> On Thu, Apr 21, 2011 at 11:13:00AM +0200, Niek wrote:
> > Couldn't get it to work with the TLD and the child zone on the same server.
> > I was wondering whether this could be a bug in PowerDNS Server or whether
> > I'm
> > maybe trying to do something the wrong way. (And I was wondering if it also
> > affects subdomains on the same server as the parent domain, I didn't
> > investigate)
>
> Thank you for your investigation!
>
> Build 2181 is up which fixes your initial DS bug. Can you check if things
> are ok now?
>
> Bert

Grtz,
--
Niek
Re: [Pdns-users] DNSsec DS trouble in single server TLD setup
Bert,

> Build 2181 is up which fixes your initial DS bug. Can you check if things
> are ok now?

r2181 fixes this for me, but I note that DS records are served only when
querying with +dnssec. Omitting the switch gives NOERROR and NODATA.
(This behaviour differs from that of BIND and NSD.)

For example:

dig +nodnssec powerdnssec.org ds

Regards,

-JP
Re: [Pdns-users] DNSsec DS trouble in single server TLD setup
On Thu, Apr 21, 2011 at 11:13:00AM +0200, Niek wrote:
> Couldn't get it to work with the TLD and the child zone on the same server.
> I was wondering whether this could be a bug in PowerDNS Server or whether I'm
> maybe trying to do something the wrong way. (And I was wondering if it also
> affects subdomains on the same server as the parent domain, I didn't
> investigate)

Thank you for your investigation!

Build 2181 is up which fixes your initial DS bug. Can you check if things
are ok now?

Bert
[Pdns-users] DNSsec DS trouble in single server TLD setup
Hi folks,

Has anybody tried to create their own DNSsec enabled TLD with PowerDNS Server?

I did, but I only succeeded when using a different server for the TLD and for
the child zones under the TLD. Couldn't get it to work with the TLD and the
child zone on the same server. I was wondering whether this could be a bug in
PowerDNS Server or whether I'm maybe trying to do something the wrong way. (And
I was wondering if it also affects subdomains on the same server as the parent
domain, I didn't investigate)

(all versions: pdns-3.0-rc2.20110419.2176, all tests performed after
rectify-zone, check-zone and pdns restart)

The dual-server setup works fine (with one glitch I'll mention later):

Server_A (The TLD server):
===
mysql> select * from domains;
+-----+--------------+--------+-----+--------+-----------------+---------+
| id  | name         | master | ... | type   | notified_serial | account |
+-----+--------------+--------+-----+--------+-----------------+---------+
| 666 | rulez        | NULL   | ... | NATIVE | NULL            | NULL    |
| 668 | dnssec.rulez | NULL   | ... | NATIVE | NULL            | NULL    |
+-----+--------------+--------+-----+--------+-----------------+---------+

mysql> select * from records where type='DS'\G
*************************** 1. row ***************************
         id: 62
  domain_id: 666
       name: dnssec.rulez
       type: DS
    content: 28024 8 2 e56da3afaf08e286..086b35e338de29e96
        ttl: 600
       prio: 0
change_date: NULL
  ordername: hqiffkq5vs8fu9v6tb5sjlb2pqg8vt70
       auth: 1
===

Server_B (The child zone server):
===
mysql> select * from domains;
+----+--------------+--------+-----+--------+-----------------+---------+
| id | name         | master | ... | type   | notified_serial | account |
+----+--------------+--------+-----+--------+-----------------+---------+
|  2 | dnssec.rulez | NULL   | ... | NATIVE | NULL            | NULL    |
+----+--------------+--------+-----+--------+-----------------+---------+

mysql> select * from records where type='SOA'\G
*************************** 1. row ***************************
         id: 5
  domain_id: 2
       name: dnssec.rulez
       type: SOA
    content: ns.dnssec.rulez. blah.internl.net. 2011041100 7200 3600 604800 3600
        ttl: 600
       prio: 0
change_date: NULL
  ordername: hqiffkq5vs8fu9v6tb5sjlb2pqg8vt70
       auth: 1
===

dig +multiline +dnssec +cd -t DS dnssec.rulez @Server_A

;; ANSWER SECTION:
dnssec.rulez.		600 IN RRSIG DS 8 2 600 2011042800 (
				2011041400 32475 rulez.
				TAzuzUcllHszSsuHNacWUb8vPt4BgKOSJr70rmrZksQl
				qt+6Fcth+F3b+DICFj+duqUxApJDeSj0cwHkm6bbfkbx
				ToJayi6aDl82eSujkWreX7cK9dXxk7ncEtcAGAtQgCwa
				Tn9gU5J060jym5FQO5zczON6qfAi5btoOp+1eEc= )
dnssec.rulez.		600 IN DS 28024 8 2 (
				E56DA3AFAF08E2863D50E07FC7CFDB609B7DFDC8FB81
				086B33555E338DE29E96 )

You see, the server answers correctly and the record is signed by the right key
(and I verified it DNSsec-validates fine, very happy with that).

The glitch: 'rectify-zone rulez', in this dual server setup, sets DS records to
auth=0, which is incorrect according to the documentation: "Do note that the DS
record for a secure delegation should be authoritative!". Mind you: 'check-zone
rulez' detects this problem, and it only happens if the child zone is not
present on the same server, if it is present, auth stays 1.

Then the single server setup, that doesn't work for me:

Server_A (TLD server & zone server):
==
mysql> select * from domains;
+----+-----------+--------+-----+--------+-----------------+---------+
| id | name      | master | ... | type   | notified_serial | account |
+----+-----------+--------+-----+--------+-----------------+---------+
|  7 | sucks     | NULL   | ... | NATIVE | NULL            | NULL    |
|  8 | rsi.sucks | NULL   | ... | NATIVE | NULL            | NULL    |
+----+-----------+--------+-----+--------+-----------------+---------+

mysql> select * from records where type='DS'\G
*************************** 1. row ***************************
         id: 32
  domain_id: 7
       name: rsi.sucks
       type: DS
    content: 52019 8 2 5a078b6143552..e1082eb1ee9e3daa7bb
        ttl: 600
       prio: 0
change_date: NULL
  ordername: 6pmeqp0egqdhf7ikq7iasamtjd270m1c
       auth: 1

mysql> select * from records where type='SOA'\G
***
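An added example, not code from this thread or from PowerDNS itself: a small offline Python check in the spirit of the check-zone behaviour Niek describes, walking rows shaped like PowerDNS's records table and flagging DS records at a delegation that are not auth=1, plus DS records whose owner has no NS records (so no delegation exists). The rows, names, key tags and digests below are constructed placeholders, not values from the thread.

```python
from collections import defaultdict

# Constructed sample rows shaped like PowerDNS's `records` table:
# (domain_id, name, type, content, auth). Domain 7 is the parent zone
# "sucks", domain 8 the child "rsi.sucks", both on the same server.
SAMPLE_RECORDS = [
    (7, "sucks", "SOA", "ns.sucks. hostmaster.sucks. 2011042100 7200 3600 604800 3600", 1),
    (7, "sucks", "NS", "ns.sucks.", 1),
    (7, "rsi.sucks", "NS", "ns.rsi.sucks.", 0),  # delegation NS: auth=0 is correct
    (7, "rsi.sucks", "DS", "52019 8 2 PLACEHOLDERDIGEST", 0),  # wrong: must be auth=1
    (7, "orphan.sucks", "DS", "11111 8 2 PLACEHOLDERDIGEST", 1),  # wrong: no NS, no delegation
    (8, "rsi.sucks", "SOA", "ns.rsi.sucks. hostmaster.rsi.sucks. 2011042100 7200 3600 604800 3600", 1),
]


def check_ds_delegations(records):
    """Return (domain_id, name, problem) tuples for DS rows that would break
    a secure delegation, mirroring what 'check-zone' reports in the thread."""
    ns_owners = defaultdict(set)  # domain_id -> owner names that have NS rows
    apex = {}                     # domain_id -> owner name of the zone's SOA
    for domain_id, name, rtype, _content, _auth in records:
        if rtype == "NS":
            ns_owners[domain_id].add(name.lower())
        elif rtype == "SOA":
            apex[domain_id] = name.lower()

    problems = []
    for domain_id, name, rtype, _content, auth in records:
        if rtype != "DS":
            continue
        owner = name.lower()
        if owner == apex.get(domain_id):
            # A DS for this zone lives in the parent, never at its own apex.
            problems.append((domain_id, name, "DS at zone apex belongs in the parent zone"))
            continue
        if owner not in ns_owners[domain_id]:
            problems.append((domain_id, name, "DS without NS records: not a delegation"))
        if auth != 1:
            # PowerDNS docs (quoted in the thread): the DS of a secure
            # delegation must be authoritative in the parent zone.
            problems.append((domain_id, name, "DS at delegation has auth=%d, expected 1" % auth))
    return problems


if __name__ == "__main__":
    for domain_id, name, problem in check_ds_delegations(SAMPLE_RECORDS):
        print("domain %d: %s: %s" % (domain_id, name, problem))
```

Feeding it real rows from `select domain_id,name,type,content,auth from records` would reproduce the auth=0 glitch the first post describes, before pdns is restarted with the rectified zone.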