Hi Pieter,
On 05/20/2015 01:42 PM, Pieter Lexis wrote:
> On 05/20/2015 01:31 PM, Peter Thomassen wrote:
>> Yes, I saw that. However, I am using PowerDNS 3.3 on the slaves, so that
>> can't be it ...
>
> Is the zone on the slave set to pre-signed? If not, PowerDNS ignores
> in-zone RRSIGs and othe
Hi Peter,
On 05/20/2015 01:31 PM, Peter Thomassen wrote:
Yes, I saw that. However, I am using PowerDNS 3.3 on the slaves, so that
can't be it ...
Is the zone on the slave set to pre-signed? If not, PowerDNS ignores
in-zone RRSIGs and other DNSSEC related data. You can set this by
running `pd
On Wed, May 20, 2015 at 01:34:59PM +0200, Peter Thomassen wrote:
> Hi Leen,
>
> On 05/20/2015 12:32 PM, Leen Besselink wrote:
> >> # these failed:
> >> dig @ns1.desec.io +dnssec +norec desec.io DNSKEY
> >> dig @ns1.desec.io +dnssec +norec desec.io A
> >>
> >> Here is a working example with an RRSI
Hi Leen,
On 05/20/2015 12:32 PM, Leen Besselink wrote:
>> # these failed:
>> dig @ns1.desec.io +dnssec +norec desec.io DNSKEY
>> dig @ns1.desec.io +dnssec +norec desec.io A
>>
>> Here is a working example with an RRSIG for the DNSKEY query:
[...]
> As we can see, no RRSIG-record on your domain, my
Hi Leen,
Thank you for your quick reply!
On 05/20/2015 12:39 PM, Leen Besselink wrote:
> Just had a quick look at the docs. What version are you running ? Did you see
> this ?:
>
> "When using slaves that AXFR your signed zones, be sure that your slaves
> actually support serving DNSSEC. Some
Hi Peter,
Just had a quick look at the docs. What version are you running ? Did you see
this ?:
"When using slaves that AXFR your signed zones, be sure that your slaves
actually support serving DNSSEC. Some servers will gladly AXFR a signed zone,
but not perform DNSSEC processing on it. This g
On Wed, May 20, 2015 at 12:26:50PM +0200, Leen Besselink wrote:
> On Wed, May 20, 2015 at 12:16:02PM +0200, Peter Thomassen wrote:
> > Dear experts,
> >
> > I'm sorry to bug you again, but I am still stuck with deploying DNSSEC
> > for desec.io, and I'd like to ask for your help once more.
> >
>
On Wed, May 20, 2015 at 12:16:02PM +0200, Peter Thomassen wrote:
> Dear experts,
>
> I'm sorry to bug you again, but I am still stuck with deploying DNSSEC
> for desec.io, and I'd like to ask for your help once more.
>
> I have a hidden primary which does the signing in live mode (MySQL
> backend
Dear experts,
I'm sorry to bug you again, but I am still stuck with deploying DNSSEC
for desec.io, and I'd like to ask for your help once more.
I have a hidden primary which does the signing in live mode (MySQL
backend), and two public nameservers ns1.desec.io and ns2.desec.io which
receive the z