If someone has the same issue, the answer is here:
https://doc.powerdns.com/authoritative/backends/generic-sql.html#generic-sql-handling-dnssec-signed-zones
"In addition, PowerDNS fully supports empty non-terminals. If you have a
zone example.com, and a host a.b.c.example.com in it, rectify-zone (and
the AXFR client code) will insert b.c.example.com and c.example.com in
the records table with type NULL (SQL NULL, not ‘NULL’). Having these
entries provides several benefits. We no longer reply NXDOMAIN for these
shorter names (this was an RFC violation but not one that caused
trouble). But more importantly, to do NSEC3 correctly, we need to be
able to prove existence of these shorter names. The type=NULL records
entry gives us a place to store the NSEC3 hash of these names."
Thanks everyone.
On 20.11.2017 09:00, Mislav | SysAdmin wrote:
Does anyone have other ideas on how to troubleshoot this, or can confirm
that this is normal behavior in the new 4.1.0?
On 16.11.2017 15:36, Mislav | SysAdmin wrote:
Is this something new by default in 4.1.0? We don't have DNSSEC
enabled in the old environment, if this is DNSSEC related.
On 16.11.2017 15:25, David wrote:
On 2017-11-16 2:07 AM, Mislav | SysAdmin wrote:
Hi. I've the following setup:
1) pdns server version 3.1 - with mysql backend
2) pdns server version 4.1.0 - with mysql backend
What I'm trying to do is:
- replace version 3.1 with 4.1.0 and I've installed a clean version of
4.1.0 to a new server and I'm trying to do this now:
https://doc.powerdns.com/authoritative/migration.html#using-axfr-to-a-slave-capable-backend
Although this is working fine, my zones are transferred, AXFR is
working,
I've a small problem/question related to that.
Every time I add some domain, I always get 2-3 empty records, here is
the zone example:
1) https://pastebin.com/LpnzKjwW - this is original master zone
from 3.1.
2) https://pastebin.com/5uV2Lk5N - slave zone added on 4.1.0 and
transferred using AXFR
These appear to be empty non-terminals, to provide non-NXDOMAIN for
b.example.com if a.b.example.com exists.
If you added a record like a.b.c.d.e.f.g.h.i.j.k.example.com you
would see a large amount of these.
I believe they are also required for doing DNSSEC properly too (NSEC
specifically?)
You will see that the first zone has 23 records and when transferred,
it has
25 records. Any idea why there is always something in
the name, but type and content are always empty? It doesn't matter if
the master is pdns server 3.1, I've also tested it with one
bind/named master server and in that scenario the result was the same.
Always 2-3 empty records in the zone. How to debug
this in order to find out why those are getting created in the first
place? Or how to fix this?
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
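
The empty non-terminal rule quoted from the PowerDNS documentation in this thread, as an added example that is not part of the original messages and is not PowerDNS code: it derives the names that should appear with type NULL for a zone and flags NULL-type rows that the rule does not explain. The function names, the simplified `(name, type)` row layout and the sample rows are assumptions made for illustration.

```python
def _norm(name):
    return name.rstrip(".").lower()

def empty_non_terminals(zone, owner_names):
    """Names between the apex and an owner name that hold no records themselves."""
    zone = _norm(zone)
    owners = {_norm(n) for n in owner_names}
    suffix = "." + zone
    ents = set()
    for name in owners:
        if not name.endswith(suffix):
            continue  # the apex itself, or a name outside the zone
        labels = name[: -len(suffix)].split(".")
        # Walk up one label at a time: a.b.c -> b.c -> c
        for i in range(1, len(labels)):
            parent = ".".join(labels[i:]) + suffix
            if parent not in owners:
                ents.add(parent)
    return sorted(ents)

def audit_null_rows(zone, rows):
    """Compare type-NULL rows with the empty non-terminals the zone implies."""
    owners = [name for name, rtype in rows if rtype is not None]
    nulls = {_norm(name) for name, rtype in rows if rtype is None}
    expected = set(empty_non_terminals(zone, owners))
    return {
        "expected": sorted(nulls & expected),     # NULL rows that are real ENTs
        "missing": sorted(expected - nulls),      # ENTs with no NULL row yet
        "unexplained": sorted(nulls - expected),  # NULL rows the rule does not cover
    }

# Constructed sample rows (name, type); None stands for SQL NULL.
ROWS = [
    ("example.com", "SOA"),
    ("example.com", "NS"),
    ("www.example.com", "A"),
    ("a.b.c.example.com", "A"),
    ("_sip._tcp.example.com", "SRV"),
    ("b.c.example.com", None),
    ("c.example.com", None),
    ("_tcp.example.com", None),
    ("stale.example.com", None),
]

if __name__ == "__main__":
    for key, names in audit_null_rows("example.com", ROWS).items():
        print(key, names)
```

Rows reported under `unexplained` are the ones worth a closer look after a migration; rows under `expected` are the empty non-terminals the documentation describes.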