Open mimuret opened 4 years ago
Can you please show us what is happening?
I use pdns as a hidden master server. I set a pre-signed zone.
I signed the zone using dnssec-signzone. It does not create NSEC3 and RRSIG records for glue names.
It looks like pdns creates NSEC3 glue records.
This zone fails verification of denial of existence.
AXFR LOG https://gist.github.com/mimuret/83105fa5b49349b9580063b5715a68a0
I think a presigned zone must run the rectify function (tcpreceiver.cc).
Indeed, your log shows an NSEC3 chain including ns.sub and sub, and shows that there is no RRSIG for the ns.sub one.
How are you loading the zone into PowerDNS? What backend?
Setting presigned AND running dnssec-signzone may lead to unexpected results. You cannot use them together.
> Indeed, your log shows an NSEC3 chain including ns.sub and sub, and shows that there is no RRSIG for the ns.sub one.

Yes, because a glue record MUST NOT have NSEC/NSEC3 records.

> How are you loading the zone into PowerDNS? What backend?

I use the gmysql backend, loading by a custom app using SQL.
It is reproducible using zone2sql. https://github.com/mimuret/pdns-nsec3
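As an added example (not code from this issue or from PowerDNS), the following script checks a presigned zone for the two symptoms discussed above: NSEC3 records whose owner is the hash of a glue name (which RFC 5155 section 7.1 excludes from the chain) and NSEC3 owners with no covering RRSIG. The record tuples, the `example.` zone contents and the NSEC3PARAM values are constructed for illustration; RRSIG rdata is a placeholder, and only its "type covered" field is examined.

```python
# Added example (not from the PowerDNS issue or project): check whether a
# presigned zone's NSEC3 chain covers glue names. Zone contents, record layout
# and NSEC3PARAM values below are constructed for illustration.
import base64
import hashlib

# base32 (RFC 4648) -> base32hex, the alphabet NSEC3 owner names use
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name):
    """Canonical (lowercase) wire form of a fully qualified name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name, salt_hex="", iterations=0):
    """NSEC3 hash per RFC 5155 section 5: SHA-1, iterations+1 rounds, base32hex."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def split_glue(records, origin):
    """Return (names that may carry NSEC3, glue names that must not).

    Glue is every owner name strictly below a delegation point (an NS RRset
    owned by a name other than the apex). The delegation point itself stays
    in the chain with the NS bit set.
    """
    origin = origin.lower()
    delegations = {o.lower() for o, t, _ in records if t == "NS" and o.lower() != origin}
    names = {o.lower() for o, t, _ in records if t not in ("NSEC3", "RRSIG")}
    glue = {n for n in names if any(n != d and n.endswith("." + d) for d in delegations)}
    return names - glue, glue


def nsec3_owners_for_glue(records, origin, salt_hex, iterations):
    """Glue names whose NSEC3 hash appears as an NSEC3 owner in the zone."""
    _, glue = split_glue(records, origin)
    nsec3_owners = {o.lower() for o, t, _ in records if t == "NSEC3"}
    return sorted(g for g in glue
                  if f"{nsec3_hash(g, salt_hex, iterations)}.{origin.lower()}" in nsec3_owners)


def unsigned_nsec3_owners(records):
    """NSEC3 owners lacking an RRSIG covering NSEC3 (what a validator trips on)."""
    signed = {o.lower() for o, t, rdata in records
              if t == "RRSIG" and rdata.split()[0] == "NSEC3"}
    return sorted({o.lower() for o, t, _ in records if t == "NSEC3"} - signed)


ORIGIN = "example."
SALT, ITER = "aabbccdd", 12   # constructed NSEC3PARAM values (same as RFC 5155 App. A)


def hashed_owner(name):
    return f"{nsec3_hash(name, SALT, ITER)}.{ORIGIN}"


# Constructed presigned zone as (owner, type, rdata) tuples. RRSIG rdata and the
# "<next>" hash in each NSEC3 are placeholders; only the type-covered field matters.
ZONE = [
    ("example.", "SOA", "ns1.example. hostmaster.example. 1 3600 900 1209600 300"),
    ("example.", "NS", "ns1.example."),
    ("ns1.example.", "A", "192.0.2.1"),
    ("www.example.", "A", "192.0.2.2"),
    ("sub.example.", "NS", "ns.sub.example."),       # delegation point
    ("ns.sub.example.", "A", "192.0.2.3"),           # glue: not authoritative
    ("example.", "NSEC3PARAM", f"1 0 {ITER} {SALT}"),
    # chain as dnssec-signzone would write it: apex, ns1, www, sub, all signed
    (hashed_owner("example."), "NSEC3", f"1 0 {ITER} {SALT} <next> SOA NS NSEC3PARAM RRSIG"),
    (hashed_owner("example."), "RRSIG", "NSEC3 8 1 3600 <placeholder>"),
    (hashed_owner("ns1.example."), "NSEC3", f"1 0 {ITER} {SALT} <next> A RRSIG"),
    (hashed_owner("ns1.example."), "RRSIG", "NSEC3 8 2 3600 <placeholder>"),
    (hashed_owner("www.example."), "NSEC3", f"1 0 {ITER} {SALT} <next> A RRSIG"),
    (hashed_owner("www.example."), "RRSIG", "NSEC3 8 2 3600 <placeholder>"),
    (hashed_owner("sub.example."), "NSEC3", f"1 0 {ITER} {SALT} <next> NS"),
    (hashed_owner("sub.example."), "RRSIG", "NSEC3 8 2 3600 <placeholder>"),
    # extra, unsigned NSEC3 at the glue name: the behaviour the issue reports
    (hashed_owner("ns.sub.example."), "NSEC3", f"1 0 {ITER} {SALT} <next> A"),
]

if __name__ == "__main__":
    print("NSEC3 at glue names:", nsec3_owners_for_glue(ZONE, ORIGIN, SALT, ITER))
    print("unsigned NSEC3 owners:", unsigned_nsec3_owners(ZONE))
```

Run it against the tuples produced from an AXFR of the real zone (with the salt and iteration count taken from its NSEC3PARAM record) to confirm whether the served chain differs from the one dnssec-signzone wrote; a non-empty result from either function is what makes denial-of-existence validation fail.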
Thank you for the reproduction, it will be helpful.
I spent some time discussing this, and the honest answer is: zone2sql and pdnsutil load-zone are not currently suitable for presigned zones. The docs about this are wrong.
If you want to get this working now, we suggest slaving the zone from BIND or NSD on localhost. We will think about how we can improve this situation on the PowerDNS side.
I've updated the ticket title to reflect this.
Short description
Authoritative server creates NSEC3 records for glue records in a pre-signed zone.
https://tools.ietf.org/html/rfc4034#section-4.1.1
Environment
Steps to reproduce