Habbie
commented
4 years ago Can you please show us what is happening?
Open mimuret opened 4 years ago
Habbie
commented
4 years ago Can you please show us what is happening?
mimuret
commented
4 years ago I use pdns for hidden master server. I set pre-signed zone.
I signed zone using dnssec-signzone. it not create glue name NSEC3 and RRSIG.
I look like that pdns creates NSEC3 glue recode.
This zone fail verify denial of existence.
AXFR LOG https://gist.github.com/mimuret/83105fa5b49349b9580063b5715a68a0
I think presign zone must run rectify function (tcpreceiver.cc).
Habbie
commented
4 years ago Indeed, your log shows an NSEC3 chain including ns.sub and sub, and shows that there is no RRSIG for the ns.sub one.
How are you loading the zone into PowerDNS? What backend?
mind04
commented
4 years ago Setting presigned AND running dnssec-signzone may lead to unexpected results. You cannot use them together.
mimuret
commented
4 years ago Indeed, your log shows an NSEC3 chain including
ns.subandsub, and shows that there is no RRSIG for thens.subone.Yes, because glue record MUST NOT add NSEC/NSEC3 recorde.
How are you loading the zone into PowerDNS? What backend? I use gmysql backend loading by custom app using SQL.
It is reproducible using zone2sql. https://github.com/mimuret/pdns-nsec3
Habbie
commented
4 years ago Thank you for the reproduction, it will be helpful.
I spent some time discussing this, and the honest answer is: zone2sql and pdnsutil load-zone are not currently suitable for presigned zones. The docs about this are wrong.
If you want to get this working now, we suggest slaving the zone from BIND or NSD on localhost. We will think about how we can improve this situation on the PowerDNS side.
Habbie
commented
4 years ago I've updated the ticket title to reflect this.
Short description
Authoritative creates NSEC3 Record for glue Record using pre-sign zone.
https://tools.ietf.org/html/rfc4034#section-4.1.1
Environment
Steps to reproduce