On Thu, Apr 18, 2019 at 10:39 AM Jackson Yap <jack...@apc.sg> wrote:
> Yes, I’m trying to do AXFR of DNSSEC zones from source powerdns (cpanel)
> to another powerdns server.
>
> 1. Do you mean I just need it secured at source server, that’s all?
> 2. I’m using notify to send the DNSSEC zones to the destination
> powerdns server. Is there still a need to set presigned on the destination
> powerdns server?

It should all be automatic, really, as per [1]. Does your backend support storing metadata? For example, if you use the BIND backend on the destination server, this requires you to set a SQLite DNSSEC database as per [2]. (I suggested running `pdnsutil set-presigned` because it has shown me helpful errors when I forgot to correctly configure the backend, and also I am not sure if it autodetects DNSSEC on zones that were not secured before.)

> 1. Cpanel mentioned there seems to be narrow mode on powerdns at their
> end which prevents the zone transfer of DNSSEC. I am trying to confirm that
> with them.

NSEC3 narrow mode is stopping you from AXFR'ing the domain, indeed. It cannot transfer a zone presigned in that mode by design, because it requires active interaction with the secret key to provide hashed denial of existence, as per [3]. Ask your operator of the primary site to use inclusive NSEC3 mode instead.

[1]: https://doc.powerdns.com/authoritative/domainmetadata.html#presigned
[2]: https://doc.powerdns.com/authoritative/backends/bind.html#bind-dnssec-db
[3]: https://doc.powerdns.com/authoritative/dnssec/modes-of-operation.html#hashed-denial-of-existence

HTH
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
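The following is an added illustration, not code from the thread or from PowerDNS, of why the narrow-mode zone in the reply above has nothing static to transfer: it computes RFC 5155 NSEC3 hashes and contrasts the fixed, pre-signable chain of inclusive mode with the per-query neighbours narrow mode must sign online. The zone names and the NSEC3PARAM values are constructed sample values.

```python
"""Added illustration (not from the thread): inclusive NSEC3 yields a static
chain that an AXFR can carry; narrow mode synthesises records per query and
needs the private key online. Sample zone and parameters are constructed."""
import base64
import hashlib

ZONE_NAMES = ["example.test", "www.example.test", "mail.example.test"]  # constructed
ITERATIONS, SALT = 1, bytes.fromhex("ab")  # same shape as a "1 0 1 ab" NSEC3PARAM

# NSEC3 owner labels use base32hex; derive it from the stdlib base32 codec so
# this runs on any Python 3 (base64.b32hexencode only exists from 3.10).
_STD, _HEX = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV"
TO_HEX, FROM_HEX = str.maketrans(_STD, _HEX), str.maketrans(_HEX, _STD)


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, iterations: int = ITERATIONS, salt: bytes = SALT) -> str:
    """RFC 5155 section 5: H(x) = SHA-1(x || salt), then `iterations` more rounds."""
    h = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base64.b32encode(h).decode().translate(TO_HEX).lower()


def inclusive_chain(names=ZONE_NAMES) -> list:
    """Inclusive mode: one NSEC3 per existing name, each pointing at the next hash
    in sorted order. These are ordinary records that can be signed in advance,
    so they travel in an AXFR and a presigned secondary serves them unchanged."""
    hashes = sorted(nsec3_hash(n) for n in names)
    return [(hashes[i], hashes[(i + 1) % len(hashes)]) for i in range(len(hashes))]


def narrow_denial(qname: str) -> tuple:
    """Narrow mode: the zone stores no chain. For a non-existent qname the server
    makes up an NSEC3 covering exactly (hash-1, hash+1) and must produce its RRSIG
    at query time, so the signing key has to be online on the answering server
    and there is no fixed record set for a transfer to carry."""
    h = nsec3_hash(qname)
    as_int = int.from_bytes(base64.b32decode(h.upper().translate(FROM_HEX)), "big")
    lo, hi = (as_int - 1) % (1 << 160), (as_int + 1) % (1 << 160)
    enc = lambda v: base64.b32encode(v.to_bytes(20, "big")).decode().translate(TO_HEX).lower()
    return enc(lo), enc(hi)
```

`inclusive_chain()` is what ends up as NSEC3 records in the transferred zone; `narrow_denial()` is what the primary computes on demand and the secondary cannot reproduce without the key.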