Created a domain called "aliastest.ca".

Set the options recursive= and expand-alias= as prescribed.

All works...

Used "pdnsutil secure-zone aliastest.ca"...and it signed the zone...all easier than I expected, so yay!

However...when I query for records under the zone...

# dig @localhost A www.aliastest.ca. +dnssec +short
4.4.4.4
A 13 3 3600 20220609000000 20220519000000 30598 aliastest.ca. sIhw7mNWncSfshFAf5hXtblduAFy1bFyhR32mYedzj4br7WWG8angHMj SnOqnU7jJzW1u6INtskuwMuNbR+4WQ==

I see NSEC records...great!

# dig @localhost A aliastest.ca. +dnssec +short
151.101.125.67

I don't see NSEC records...why?

I somewhat assumed that PowerDNS would be signing the recursive output from the ALIAS target...is this some other option I don't know about?

select * from domains where name="aliastest.ca";
+---------+--------------+--------+------------+--------+-----------------+---------+
| id | name | master | last_check | type | notified_serial | account |
+---------+--------------+--------+------------+--------+-----------------+---------+
| 4000003 | aliastest.ca | NULL | NULL | NATIVE | NULL | NULL |
+---------+--------------+--------+------------+--------+-----------------+---------+

select * from records where domain_id="4000003";
+----------+-----------+--------------------+-------+-------------------------------------------------------------------------+------+------+-------------+----------+-----------+------+
| id | domain_id | name | type | content | ttl | prio | change_date | disabled | ordername | auth |
+----------+-----------+--------------------+-------+-------------------------------------------------------------------------+------+------+-------------+----------+-----------+------+
| 48000014 | 4000003 | aliastest.ca | SOA | ns01.aliastest.ca admin-dns.aliastest.ca 2022030101 1800 900 604800 300 | 3600 | 0 | NULL | 0 | | 1 |
| 48000015 | 4000003 | aliastest.ca | NS | ns01.aliastest.ca | 3600 | 0 | NULL | 0 | | 1 |
| 48000016 | 4000003 | aliastest.ca | NS | ns02.aliastest.ca | 3600 | 0 | NULL | 0 | | 1 |
| 48000017 | 4000003 | aliastest.ca | MX | mail1.aliastest.ca | 3600 | 10 | NULL | 0 | | 1 |
| 48000018 | 4000003 | aliastest.ca | MX | mail2.aliastest.ca | 3600 | 20 | NULL | 0 | | 1 |
| 48000019 | 4000003 | aliastest.ca | MX | mail3.aliastest.ca | 3600 | 30 | NULL | 0 | | 1 |
| 48000020 | 4000003 | ns01.aliastest.ca | A | 10.6.20.71 | 3600 | 0 | NULL | 0 | ns01 | 1 |
| 48000021 | 4000003 | ns02.aliastest.ca | A | 10.6.20.72 | 3600 | 0 | NULL | 0 | ns02 | 1 |
| 48000022 | 4000003 | mail1.aliastest.ca | A | 1.1.1.1 | 3600 | 0 | NULL | 0 | mail1 | 1 |
| 48000023 | 4000003 | mail2.aliastest.ca | A | 2.2.2.2 | 3600 | 0 | NULL | 0 | mail2 | 1 |
| 48000024 | 4000003 | mail3.aliastest.ca | A | 3.3.3.3 | 3600 | 0 | NULL | 0 | mail3 | 1 |
| 48000025 | 4000003 | www.aliastest.ca | A | 4.4.4.4 | 3600 | 0 | NULL | 0 | www | 1 |
| 48000026 | 4000003 | aliastest.ca | ALIAS | www.cnn.com | 3600 | 0 | NULL | 0 | | 1 |
+----------+-----------+--------------------+-------+-------------------------------------------------------------------------+------+------+-------------+----------+-----------+------+

Thanks all,
-jake
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users