PowerDNS / pdns

PowerDNS Authoritative, PowerDNS Recursor, dnsdist
https://www.powerdns.com/
GNU General Public License v2.0

check-zone warnings on DNSSEC enabled zone AXFR to pdns with bind-backend #7624

Open rmuehl opened 5 years ago

rmuehl commented 5 years ago

Short description

When I do a zone transfer for a DNSSEC-enabled domain and use it on a pdns with bind-backend, I get warnings from pdnsutil check-zone:

[Warning] Parsed and original record content are not equal: example.com IN RRSIG 'SOA 13 2 3600 20190404000000 20190314000000 36346 example.com. 5SUfimgslRY4TxDqFnFt8FgWHE+s9WYgKZxQlmXfkMSv2JT+FhBK1fI2pyCdm3H7qhNL1qWOvkZkbOHbP3kRrA==' (Content parsed as 'SOA 13 2 3600 20190404000000 20190314000000 36346 example.com 5SUfimgslRY4TxDqFnFt8FgWHE+s9WYgKZxQlmXfkMSv2JT+FhBK1fI2pyCdm3H7qhNL1qWOvkZkbOHbP3kRrA==')

because of the trailing dot notation.

Environment

Steps to reproduce

Expected behaviour

Actual behaviour

Other information

We're running a hidden master PowerDNS server with Postgres backend. To transfer the zones to the front nameservers running PowerDNS with bind-backend, we're doing a zone transfer on the hidden master:

dig +nosplit +onesoa @127.0.0.1 example.com AXFR > file

(NSEC entries are cut off afterwards.) The file gets rsynced to the nameservers (including a named.conf) and is loaded with pdns_control rediscover. The zone is working as expected:

dig @127.0.0.1 test.example.com +dnssec

A 13 3 3600 20190404000000 20190314000000 36346 example.com. GLWhegqOrB8WdG+VmwZTelkVvxMg9tAFXvt91mi0D6FRcx/CYDE6/CWU 258BzrNyrFBguMJb/GWDw9Bvn0F66w== 10.0.0.1

But when checking the zone, it generates warnings for each entry:

pdnsutil check-zone example.com

[Warning] Parsed and original record content are not equal: example.com IN RRSIG 'SOA 13 2 3600 20190404000000 20190314000000 36346 example.com. 5SUfimgslRY4TxDqFnFt8FgWHE+s9WYgKZxQlmXfkMSv2JT+FhBK1fI2pyCdm3H7qhNL1qWOvkZkbOHbP3kRrA==' (Content parsed as 'SOA 13 2 3600 20190404000000 20190314000000 36346 example.com 5SUfimgslRY4TxDqFnFt8FgWHE+s9WYgKZxQlmXfkMSv2JT+FhBK1fI2pyCdm3H7qhNL1qWOvkZkbOHbP3kRrA==')
[Warning] Parsed and original record content are not equal: example.com IN RRSIG 'DNSKEY 13 2 3600 20190404000000 20190314000000 36346 example.com. /oRZl1zQex4aKMnLeBRdqBEIvD++3mP7sPRglOEhNFP4o4y5/PtUoQW/3irxvTrRP0ZljD7GGRaBtO+qv6eAPw==' (Content parsed as 'DNSKEY 13 2 3600 20190404000000 20190314000000 36346 example.com /oRZl1zQex4aKMnLeBRdqBEIvD++3mP7sPRglOEhNFP4o4y5/PtUoQW/3irxvTrRP0ZljD7GGRaBtO+qv6eAPw==')
[Warning] Parsed and original record content are not equal: example.com IN RRSIG 'NS 13 2 3600 20190404000000 20190314000000 36346 example.com. 6gBQkUtg8q00ZHKrkO5GEWTtMNpgtaV9Jyoxf+vgiCbQ1p6U5nkYdp3oKycMvM854Qy8uATk6J5engvwDAza9g==' (Content parsed as 'NS 13 2 3600 20190404000000 20190314000000 36346 example.com 6gBQkUtg8q00ZHKrkO5GEWTtMNpgtaV9Jyoxf+vgiCbQ1p6U5nkYdp3oKycMvM854Qy8uATk6J5engvwDAza9g==')
[Warning] Parsed and original record content are not equal: example.com IN RRSIG 'NSEC 13 2 3600 20190404000000 20190314000000 36346 example.com. qRVNjNsqwkNZPmGqnRvsZUS8VNbOu0E2FJB8/SunGUdJ2hmHYgY4QlwgTTDB014DP5A6A3ZIe+xVRU/UrI0oSA==' (Content parsed as 'NSEC 13 2 3600 20190404000000 20190314000000 36346 example.com qRVNjNsqwkNZPmGqnRvsZUS8VNbOu0E2FJB8/SunGUdJ2hmHYgY4QlwgTTDB014DP5A6A3ZIe+xVRU/UrI0oSA==')
[Warning] Parsed and original record content are not equal: test.example.com IN RRSIG 'NSEC 13 3 3600 20190404000000 20190314000000 36346 example.com. hsgd35sa/oweLBf1C2Qip6A16mdUAyxhlst0nEcYngublse+mmwe6/TPdF574YvZ8An5mUaMyQT5SPW9uXosiA==' (Content parsed as 'NSEC 13 3 3600 20190404000000 20190314000000 36346 example.com hsgd35sa/oweLBf1C2Qip6A16mdUAyxhlst0nEcYngublse+mmwe6/TPdF574YvZ8An5mUaMyQT5SPW9uXosiA==')
[Warning] Parsed and original record content are not equal: test.example.com IN RRSIG 'A 13 3 3600 20190404000000 20190314000000 36346 example.com. GLWhegqOrB8WdG+VmwZTelkVvxMg9tAFXvt91mi0D6FRcx/CYDE6/CWU258BzrNyrFBguMJb/GWDw9Bvn0F66w==' (Content parsed as 'A 13 3 3600 20190404000000 20190314000000 36346 example.com GLWhegqOrB8WdG+VmwZTelkVvxMg9tAFXvt91mi0D6FRcx/CYDE6/CWU258BzrNyrFBguMJb/GWDw9Bvn0F66w==')
Checked 11 records of 'example.com', 0 errors, 6 warnings.

Though the zone is working well, the warnings are bad, especially when having hundreds of DNSSEC-enabled domains. And it is odd to separate the good from the bad warnings on the monitoring systems.

I don't know if it would be possible to change this behaviour without breaking the DNS signatures.

There might be another/better way to transfer the domains from the hidden master to the front servers I'm not aware of. But master/slave is not an option, because every front nameserver needs to be an authoritative master, and the hidden master needs to be invisible and unreachable.

Or maybe I'm doing something wrong.... every hint would be great.

No problems with NOT DNSSEC-enabled domains.
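The monitoring concern in the report above (telling the cosmetic trailing-dot warnings apart from warnings that matter) can be handled on the consuming side without touching the zone file or its signatures. The script below is an added example written for this page; it is not part of PowerDNS and not the reporter's tooling. It assumes the check-zone warning text keeps the exact shape quoted above (pdnsutil has no machine-readable output for these warnings), and it uses a constructed sample in which the first two lines are copied from the issue and the CNAME line is made up to show a mismatch that must not be filtered.

```python
import re
import sys

# Line shape of the pdnsutil check-zone warning quoted in this issue.
# Assumption: the text format stays exactly as shown in the report above.
WARN_RE = re.compile(
    r"^\[Warning\] Parsed and original record content are not equal: "
    r"(?P<name>\S+) IN (?P<type>\S+) '(?P<orig>[^']*)' "
    r"\(Content parsed as '(?P<parsed>[^']*)'\)$"
)


def normalize_rdata(rdata: str) -> str:
    """Return rdata with presentation-only differences removed.

    Every whitespace-separated token ending in a dot loses that dot, so
    'example.com.' and 'example.com' compare equal; whitespace runs are
    collapsed, so dig's wrapped base64 ('CWU 258Bz...') matches the unwrapped
    form. Base64 never ends in a dot, so signature material is untouched.
    Only the string being compared is changed, never the zone data, so the
    RRSIGs themselves are not affected.
    """
    tokens = []
    for tok in rdata.split():
        if len(tok) > 1 and tok.endswith("."):
            tok = tok[:-1]
        tokens.append(tok)
    return " ".join(tokens)


def classify(line: str):
    """Classify one line of check-zone output.

    Returns ("benign", name, rtype) when original and parsed content differ
    only in trailing-dot notation, ("real", name, rtype) for any other content
    mismatch, and None when the line is not this kind of warning.
    """
    m = WARN_RE.match(line.strip())
    if m is None:
        return None
    same = normalize_rdata(m.group("orig")) == normalize_rdata(m.group("parsed"))
    return ("benign" if same else "real", m.group("name"), m.group("type"))


def triage(output: str):
    """Split check-zone output into (benign, real, other).

    benign and real hold (name, rtype) tuples; other holds every remaining
    non-empty line (errors, unrelated warnings, the summary line).
    """
    benign, real, other = [], [], []
    for line in output.splitlines():
        if not line.strip():
            continue
        verdict = classify(line)
        if verdict is None:
            other.append(line.strip())
        elif verdict[0] == "benign":
            benign.append(verdict[1:])
        else:
            real.append(verdict[1:])
    return benign, real, other


def exit_status(output: str) -> int:
    """0 when only trailing-dot warnings remain, 1 otherwise.

    Any '[Error]' or '[Warning]' line that is not a trailing-dot content
    mismatch counts as a problem, so unknown warning kinds are not hidden.
    """
    _, real, other = triage(output)
    problems = [ln for ln in other if ln.startswith("[")]
    return 0 if not real and not problems else 1


# Constructed sample: lines 1-2 are the SOA and A warnings quoted in the issue,
# line 3 is a made-up mismatch (target changed to another zone) that must be
# reported, line 4 is the summary line from the issue.
SAMPLE_OUTPUT = """\
[Warning] Parsed and original record content are not equal: example.com IN RRSIG 'SOA 13 2 3600 20190404000000 20190314000000 36346 example.com. 5SUfimgslRY4TxDqFnFt8FgWHE+s9WYgKZxQlmXfkMSv2JT+FhBK1fI2pyCdm3H7qhNL1qWOvkZkbOHbP3kRrA==' (Content parsed as 'SOA 13 2 3600 20190404000000 20190314000000 36346 example.com 5SUfimgslRY4TxDqFnFt8FgWHE+s9WYgKZxQlmXfkMSv2JT+FhBK1fI2pyCdm3H7qhNL1qWOvkZkbOHbP3kRrA==')
[Warning] Parsed and original record content are not equal: test.example.com IN RRSIG 'A 13 3 3600 20190404000000 20190314000000 36346 example.com. GLWhegqOrB8WdG+VmwZTelkVvxMg9tAFXvt91mi0D6FRcx/CYDE6/CWU258BzrNyrFBguMJb/GWDw9Bvn0F66w==' (Content parsed as 'A 13 3 3600 20190404000000 20190314000000 36346 example.com GLWhegqOrB8WdG+VmwZTelkVvxMg9tAFXvt91mi0D6FRcx/CYDE6/CWU258BzrNyrFBguMJb/GWDw9Bvn0F66w==')
[Warning] Parsed and original record content are not equal: www.example.com IN CNAME 'example.com.' (Content parsed as 'example.org')
Checked 11 records of 'example.com', 0 errors, 6 warnings.
"""


if __name__ == "__main__":
    # Read check-zone output from a pipe; fall back to the sample when run bare.
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    benign, real, other = triage(text)
    print(f"benign trailing-dot warnings: {len(benign)}")
    for name, rtype in real:
        print(f"REAL content mismatch: {name} {rtype}")
    for line in other:
        print(line)
    sys.exit(exit_status(text))
```

Feed it the combined output of the check (`pdnsutil check-zone example.com 2>&1 | python3 triage_checkzone.py`, script name assumed) and alert on the exit status rather than on the raw warning count; the summary line is passed through untouched so the record count is still visible in the monitoring log.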

gertvdijk commented 5 years ago

@rmuehl Any reason to do a custom dig command to do an AXFR? I'd suggest running a 'hidden slave' next to the hidden master with the bind-backend, which can receive the zones presigned if you want it to; then, if you really need an rsync way to sync, you can rsync from the files on that slave (yes, the files are updated atomically).

Habbie commented 4 years ago

I have moved this to the 'helpneeded' ("we think fixing this makes sense but will not make it a priority") milestone because it is a niche use case.