On Sat, 29 Jan 2011 00:38:12 +0100, Christof Meerwald wrote:
> That's really excellent news - I have just migrated my 2 nameservers
> to SVN revision 1928 and signed one of the zones (btw, the setup is:
> master using bind backend for the zone data and gsqlite3 for the key
> data - slave is using gsqlite3 and AXFR from master). Let's see what
> happens...

Hmm, I still don't understand DNSSEC well enough to really make some
sense of it all, but there are certainly some strange things here:

The zone I am testing with is cmeerw.priv.at, master DNS is
ns.cmeerw.net and slave is ns2.cmeerw.net (and trying to use NSEC3).

Requesting the SOA record appears to work fine on both servers:

  dig +dnssec -t SOA cmeerw.priv.at @ns.cmeerw.net
  dig +dnssec -t SOA cmeerw.priv.at @ns2.cmeerw.net

But if I try to query for NS, I get some RRSIG records in the additional
section, but only from ns.cmeerw.net:

;; ADDITIONAL SECTION:
ns2.cmeerw.net.  28800  IN  A  80.190.133.60
ns2.cmeerw.net.  28800  IN  RRSIG  A 8 3 28800 20110210000000 20110127000000 35080 cmeerw.priv.at. mKFWS0sPy8sFs4kWGgs0dvniiDAGzpgxPw/LgsCZ88r/k9Lc/+6pHK8k
        nkh9QzshTFkHKfIsM5NBr8ABRMPSligLc+t6Qb2B3P+Sfz3kVoW1baoS
        VTJAjkbMzTa5uD/HD6C0qX3KdMy4wxOq8YZAHislWkuNydCcM+/vGmBt
        fvo=
ns.cmeerw.net.   28800  IN  A  84.200.12.152
ns.cmeerw.net.   28800  IN  RRSIG  A 8 3 28800 20110210000000 20110127000000 35080 cmeerw.priv.at. kfoB3v8GYzdKJ6afJR81msJ2AKGNQ/7HIsS50ISphbWqUK5UrLDe5kno
        s1L8JoshcXxUyxcMl2s4SaJX3h+ImFsact8Xunl8fl+AwSJJrbHd4Dsb
        M1OhxfpTaEHzvBgX/nR0Xam52xBm5ruqOL26mRZjjhbUqlSI21IbP9O6
        UEY=

but not from ns2.cmeerw.net:

;; ADDITIONAL SECTION:
ns.cmeerw.net.   28800  IN  A  84.200.12.152
ns2.cmeerw.net.  28800  IN  A  80.190.133.60

Note that both servers are authoritative for cmeerw.net, but that zone
is not signed.

And finally, if I try to query a non-existing record, the response seems
reasonable from ns.cmeerw.net:

;; AUTHORITY SECTION:
cmeerw.priv.at.  28800  IN  SOA  ns.cmeerw.net. domain.cmeerw.net. 2010080601 3600 900 1814400 3600
cmeerw.priv.at.  28800  IN  NSEC3  1 0 1 AB SO====== RRSIG
cmeerw.priv.at.  28800  IN  RRSIG  SOA 8 3 28800 20110210000000 20110127000000 35080 cmeerw.priv.at. NQToBHA8ywWqjAtYM3ApLJw9fIbKe/mdUysBQ010d9FGCS0n8TQ2eEtO
        RjfAl4ZjNpv7oB+AukM3a2jwCIVQh8Tsb5PNOoNKL3UxaLtB/j/S7Dbg
        wAW6fAAhcharh665lHw07vECWbDvNDU5t4TmmHPrJ/dlph3xBOCrWw5n
        bpI=
cmeerw.priv.at.  28800  IN  RRSIG  NSEC3 8 3 28800 20110210000000 20110127000000 35080 cmeerw.priv.at. kKbZ50zzk0drm29L7xbtjOo3hG4Xhj3NbwM290Lzckq2ipmb9/iDFnyO
        fKxWgJrsHYyigESCRAMUnYAqJvyfWw49Ke1dOu1uVMe6gtS9YDTws12z
        oIXj2H+Mo5UxvF02WYHwuSQsDeP8So4IctT466Xkv60LhS5G6y8lwvOf
        FK4=

but very strange from ns2.cmeerw.net:

;; AUTHORITY SECTION:
cmeerw.priv.at.  28800  IN  SOA  ns.cmeerw.net. domain.cmeerw.net. 2010080601 3600 900 1814400 3600
8b40po8goooqdt13tad1l7j5oht0puo3.cmeerw.priv.at.  7200  IN  NSEC3  1 0 1 AB RRSIG=== NSEC3
cmeerw.priv.at.  28800  IN  RRSIG  SOA 8 3 28800 20110210000000 20110127000000 35080 cmeerw.priv.at. NQToBHA8ywWqjAtYM3ApLJw9fIbKe/mdUysBQ010d9FGCS0n8TQ2eEtO
        RjfAl4ZjNpv7oB+AukM3a2jwCIVQh8Tsb5PNOoNKL3UxaLtB/j/S7Dbg
        wAW6fAAhcharh665lHw07vECWbDvNDU5t4TmmHPrJ/dlph3xBOCrWw5n
        bpI=
ca95b8nmpkjglrraoo4cu4m9sp7m2ma9.cmeerw.priv.at.  28800  IN  NSEC3  1 0 1 AB 8B40PO8GOOOQDT13TAD1L7J5OHT0PUO3 RRSIG NSEC3
8b40po8goooqdt13tad1l7j5oht0puo3.cmeerw.priv.at.  7200  IN  RRSIG  NSEC3 8 4 7200 20110210000000 20110127000000 35080 cmeerw.priv.at. pFoJS2R2QOKLvCu8Lj3i3RWVSLf86pygLHB8WgsFVCMkcu3IaVbc1ZsL
        5+cPm2yYgGAwMUw1ZdNutm8lZwempxhyXn3q4uJ8CBaKx6EYCpCiIuxZ
        ATIYSYR3apEfLDkNIHLZzlLFSEsHvNsxTOM4ZGgFu2ZLCh0p7HSYNE+n
        l4Y=
ca95b8nmpkjglrraoo4cu4m9sp7m2ma9.cmeerw.priv.at.  28800  IN  RRSIG  NSEC3 8 4 28800 20110210000000 20110127000000 35080 cmeerw.priv.at. H76INArO3yFe9iIKs8NCdVy6+L7pj4vcn+ESjuEAuTH1pShXt7ZxuLQL
        t/TiF89/NbtbbAG6RB3KARA2c/FtGag5tR6/sxVGpyF4Kx0K25BwCtmO
        LHErS7g3860YvXBzUwhwCvOeG9oQJ4Fyi5NsrzR5O2Jc68Axqzo9Gfsq
        /O4=

Any ideas on these observations? (feel free to query these nameservers
yourself)


Christof

-- 
http://cmeerw.org
sip:cmeerw at cmeerw.org
mailto:cmeerw at cmeerw.org
xmpp:cmeerw at cmeerw.org

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
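Added example (not from the mail above or from PowerDNS): a small parser for dig presentation output that compares, between a master and a slave, which RRsets in the same section carry an RRSIG, and additionally flags RRSIGs whose signer name is not the zone the owner name belongs to (RFC 4035 requires the signer to be the zone containing the RRset, so a validator will reject such a signature). The sample sections are constructed to mirror the two ADDITIONAL sections quoted in the mail, with the signature base64 replaced by a placeholder.

```python
from collections import defaultdict

def parse_section(text):
    """dig presentation lines -> {(owner, type): [rdata]}; wrapped rdata folded."""
    rrsets, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # skip blanks and ';;' headers
            continue
        f = line.split()
        if len(f) >= 5 and f[2] == "IN":          # owner TTL IN TYPE rdata...
            current = (f[0].lower(), f[3])
            rrsets[current].append(" ".join(f[4:]))
        elif current is not None:                 # indented continuation line
            rrsets[current][-1] += line
    return rrsets

def rrsig_coverage(rrsets):
    """(covered: signed (owner, type) -> signer, unsigned RRsets,
    RRsets whose owner lies outside the signer's zone)."""
    covered = {}
    for (owner, rtype), rdatas in rrsets.items():
        if rtype == "RRSIG":
            for rdata in rdatas:
                g = rdata.split()  # covered alg labels ttl exp inc keytag signer sig
                covered[(owner, g[0])] = g[7].lower()
    unsigned = sorted(k for k in rrsets if k[1] != "RRSIG" and k not in covered)
    out_of_zone = sorted(k for k, s in covered.items() if k[0] != s and not k[0].endswith("." + s))
    return covered, unsigned, out_of_zone

def compare_servers(master_text, slave_text):
    m_cov, m_uns, m_ooz = rrsig_coverage(parse_section(master_text))
    s_cov, s_uns, s_ooz = rrsig_coverage(parse_section(slave_text))
    return {"signed_only_on_master": sorted(set(m_cov) - set(s_cov)),
            "signed_only_on_slave": sorted(set(s_cov) - set(m_cov)),
            "unsigned_on_master": m_uns, "unsigned_on_slave": s_uns,
            "out_of_zone_signer_master": m_ooz, "out_of_zone_signer_slave": s_ooz}

# Constructed sample shaped like the mail's two ADDITIONAL sections (signature base64 is a placeholder).
MASTER_ADDITIONAL = """\
;; ADDITIONAL SECTION:
ns2.cmeerw.net. 28800 IN A 80.190.133.60
ns2.cmeerw.net. 28800 IN RRSIG A 8 3 28800 20110210000000 20110127000000 35080 cmeerw.priv.at. mKFWS0sPy8sF
        s4kWGgs0dvniPLACEHOLDER=
ns.cmeerw.net. 28800 IN A 84.200.12.152
ns.cmeerw.net. 28800 IN RRSIG A 8 3 28800 20110210000000 20110127000000 35080 cmeerw.priv.at. kfoBPLACEHOLDER=
"""
SLAVE_ADDITIONAL = """\
ns.cmeerw.net. 28800 IN A 84.200.12.152
ns2.cmeerw.net. 28800 IN A 80.190.133.60
"""
```

Run `compare_servers(MASTER_ADDITIONAL, SLAVE_ADDITIONAL)` on the two sections; the same functions can be fed the AUTHORITY sections to see which NSEC3 RRsets each server signs.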