Hi! Thank you, that seems to work: importing the key and setting the zone to 'not presigned' leads to RRSIG records being produced on the slaves.
However, when I edit the zone on the master and trigger a transfer to the slaves, the 'PRESIGNED' flag returns on the zone, which is documented behaviour: "PowerDNS sets this flag automatically upon incoming zone transfers (AXFR) if it detects DNSSEC records in the zone."

So, I guess I have to either tell the slave to discard the incoming DNSSEC records, or at least not set the PRESIGNED flag, or tell the master not to send them in the AXFR. Is there any way to do either?

Best regards,
Martijn.

On 27-5-2020 at 12:18, Edward Dore wrote:
> Hi Martijn,
>
> Native zones with replication might be the easiest from a management
> point of view (remember to encrypt the replication data so that you
> don't expose your keys), but online signing should work fine with
> slave zones.
>
> Use "pdnsutil export-zone-key" to export the private key on the
> master, securely copy it to the slave servers somehow and then import
> it with "pdnsutil import-zone-key".
>
> You're probably going to need to use "pdnsutil unset-presigned" as
> well as the zones are pre-signed at the moment.
>
> Make sure you set any NSEC/NSEC3 parameters etc. the same on the slave
> servers - basically make the output of "pdnsutil show-zone" match
> between the master and slave.
>
> Edward Dore
> Freethought Internet
>
>> On 27 May 2020, at 10:39, Martijn Grendelman via Pdns-users
>> <pdns-users@mailman.powerdns.com> wrote:
>>
>> Hi,
>>
>> We have a simple setup with a PowerDNS master and two PowerDNS slaves
>> (AXFR). Our zones are generally signed with DNSSEC and everything
>> has been working fine. Recently, I started experimenting with LUA
>> records, and for those, we're seeing problems (SERVFAIL) when we
>> query them through 3rd party resolvers.
>>
>> At first, I seem to have missed this tiny paragraph in the
>> documentation for LUA records:
>>
>> "LUA records can be DNSSEC signed, but because they are dynamic, it
>> is not possible to combine pre-signed DNSSEC zone and LUA records. In
>> other words, the signing key must be available on the server creating
>> answers based on LUA records."
>>
>> It makes sense, and indeed, when I query the slaves for the LUA
>> records, I don't get any RRSIGs, so I suspect that this must be the
>> problem.
>>
>> My question is: /how/ do I make the signing key available on the
>> slaves? Does this imply that I have to switch to a form of native
>> replication, or is there a way to make this work with AXFR? I spent a
>> few hours Googling for this, but I haven't found any clues.
>>
>> Kind regards,
>>
>> Martijn Grendelman
>>
>> _______________________________________________
>> Pdns-users mailing list
>> Pdns-users@mailman.powerdns.com
>> https://mailman.powerdns.com/mailman/listinfo/pdns-users

--
Kind regards,
Martijn

Martijn Grendelman
Infrastructure Architect
ISAAC
www.isaac.nl
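Edward's advice comes down to making "pdnsutil show-zone" match on master and slaves, and the follow-up shows the PRESIGNED flag creeping back after an AXFR. The script below is an added example, not code from the thread or from PowerDNS: it parses show-zone output captured from both servers and reports the mismatches to check for (presigned flag, NSEC/NSEC3 mode, key set). The embedded outputs are constructed samples in the shape pdnsutil prints, not real captures, and the exact wording of those lines is an assumption.

```python
"""Compare `pdnsutil show-zone` output from a master and a slave."""
import re

# Constructed sample output (shape follows pdnsutil show-zone; the exact
# line wording is an assumption, not a capture from a real server).
MASTER_OUT = """\
This is a Master zone
Zone has hashed NSEC3 semantics, configuration: 1 0 10 ab
keys:
ID = 1 (CSK), flags = 257, tag = 12345, algo = 13, bits = 256\tActive\tPublished  ( ECDSAP256SHA256 )
"""
SLAVE_OUT = """\
This is a Slave zone
Zone is presigned
Zone has NSEC semantics
keys:
ID = 1 (CSK), flags = 257, tag = 12345, algo = 13, bits = 256\tActive\tPublished  ( ECDSAP256SHA256 )
"""

KEY_RE = re.compile(
    r"ID = \d+ \((\w+)\), flags = (\d+), tag = (\d+), algo = (\d+), bits = (\d+)\s+(\w+)"
)


def parse_show_zone(text):
    """Extract the settings that must agree between master and slave."""
    info = {"presigned": False, "nsec": None, "keys": set()}
    for line in text.splitlines():
        if line.startswith("Zone is presigned"):
            info["presigned"] = True
        elif line.startswith("Zone has hashed NSEC3 semantics"):
            info["nsec"] = "NSEC3 " + line.split("configuration:", 1)[1].strip()
        elif line.startswith("Zone has NSEC semantics"):
            info["nsec"] = "NSEC"
        m = KEY_RE.match(line)
        if m:  # key type, flags, tag, algo, bits, active/inactive state
            ktype, flags, tag, algo, bits, state = m.groups()
            info["keys"].add((ktype, int(flags), int(tag), int(algo), int(bits), state))
    return info


def compare_zones(master_text, slave_text):
    """Return human-readable mismatches; an empty list means in sync."""
    m, s = parse_show_zone(master_text), parse_show_zone(slave_text)
    problems = []
    if s["presigned"]:
        problems.append("slave has PRESIGNED set; it will not sign LUA answers itself")
    if m["nsec"] != s["nsec"]:
        problems.append(f"NSEC mode differs: master={m['nsec']} slave={s['nsec']}")
    if m["keys"] != s["keys"]:
        problems.append(f"key set differs: master={sorted(m['keys'])} slave={sorted(s['keys'])}")
    return problems


if __name__ == "__main__":
    for p in compare_zones(MASTER_OUT, SLAVE_OUT):
        print("MISMATCH:", p)
```

Run it after each AXFR against freshly captured show-zone output to catch the flag being re-set before resolvers start returning SERVFAIL.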