Re: [Pdns-users] Setting up intentionally invalid DNSSEC record in auto-secure environment

2016-01-09 Thread Pieter Lexis
Hi Nick, On Sat, 9 Jan 2016 14:48:12 -0600 Nicholas Williams wrote: > But the documentation says the opposite. It says NOT to create > NSEC(3) records (in fact, zone2sql intentionally ignores them, even > for presigned zones), because (again, it says) PowerDNS

Re: [Pdns-users] Setting up intentionally invalid DNSSEC record in auto-secure environment

2016-01-09 Thread Nick Williams
So, I think I’ve almost got this, but I’m having a problem with the pre-signed zone’s NSEC3 RRSIGs. Here’s what I did: I already have a live-signed zone (my-zone.com) that works perfectly. A-records come with automatic RRSIGs, SOA record comes with an RRSIG, NS records come with an RRSIG, etc.

[Pdns-users] Setting up intentionally invalid DNSSEC record in auto-secure environment

2016-01-06 Thread Nick Williams
Hi all, We're running a PowerDNS 3.4.6 installation with the MySQL backend, and we’re using pdnsutil secure-zone/set-nsec3/rectify-zone to automatically secure all of our domains (the least-effort method, instead of manually signing everything). It works great. Thanks for the excellent

Re: [Pdns-users] Setting up intentionally invalid DNSSEC record in auto-secure environment

2016-01-06 Thread Nicholas Williams
ak the reply signature. > > --- > Aki Tuomi > Original message > From: Nick Williams <nicho...@nicholaswilliams.net> > Date: 6.1.2016 19.54 (GMT+02:00) > To: pdns-users Users <pdns-users@mailman.powerdns.com> > Subject: [Pdns-users

Re: [Pdns-users] Setting up intentionally invalid DNSSEC record in auto-secure environment

2016-01-06 Thread bert hubert
nicho...@nicholaswilliams.net> > > Date: 6.1.2016 19.54 (GMT+02:00) > > To: pdns-users Users <pdns-users@mailman.powerdns.com> > > Subject: [Pdns-users] Setting up intentionally invalid DNSSEC record in > > auto-secure environment > > > > Hi all, > >

Re: [Pdns-users] Setting up intentionally invalid DNSSEC record in auto-secure environment

2016-01-06 Thread Michael Loftis
(inline) On Wed, Jan 6, 2016 at 11:42 AM, Nicholas Williams wrote: > I'll look into that other script. Thanks, Bert. > >> How about creating a separate sub-zone with a broken presigned DNSSEC > >> You can set presigned for just that single zone using the

Re: [Pdns-users] Setting up intentionally invalid DNSSEC record in auto-secure environment

2016-01-06 Thread leen
On 2016-01-06 20:42, Nicholas Williams wrote: I'll look into that other script. Thanks, Bert.  How about creating a separate sub-zone with a broken presigned DNSSEC  You can set presigned for just that single zone using the PRESIGNED domain metadata[1] in your database. I really like