Nevermind with this. Found my answer in the documentation.
"Starting with the PowerDNS Authoritative Server 4.0.0, DNSSEC ‘washing’
of ALIAS records is supported on AXFR (not on live-signing). Set
outgoing-axfr-expand-alias to ‘yes’ and enable DNSSEC for the zone on the
master. PowerDNS will sign the A/AAAA records during the AXFR."
...which I read as not supporting signing of ALIAS responses on live
queries, but only on outgoing XFRs.
Putting this note on list to help others though I'd imagine it's been
discussed before.
-jake
On Mon, 30 May 2022, Jake via Pdns-users wrote:
Created a domain called "aliastest.ca".
Set the options recursive= and expand-alias= as prescribed.
All works...
Used "pdnsutil secure-zone aliastest.ca"...and it signed the zone...all
easier than I expected, so yay!
However...when I query for records under the zone...
# dig @localhost A www.aliastest.ca. +dnssec +short
4.4.4.4
A 13 3 3600 20220609000000 20220519000000 30598 aliastest.ca.
sIhw7mNWncSfshFAf5hXtblduAFy1bFyhR32mYedzj4br7WWG8angHMj
SnOqnU7jJzW1u6INtskuwMuNbR+4WQ==
I see NSEC records...great!
# dig @localhost A aliastest.ca. +dnssec +short
151.101.125.67
I don't see NSEC records...why?
I somewhat assumed that PowerDNS would be signing the recursive output from
the ALIAS target...is this some other option I don't know about?
select * from domains where name="aliastest.ca";
+---------+--------------+--------+------------+--------+-----------------+---------+
| id      | name         | master | last_check | type   | notified_serial | account |
+---------+--------------+--------+------------+--------+-----------------+---------+
| 4000003 | aliastest.ca | NULL   | NULL       | NATIVE | NULL            | NULL    |
+---------+--------------+--------+------------+--------+-----------------+---------+
select * from records where domain_id="4000003";
+----------+-----------+--------------------+-------+-------------------------------------------------------------------------+------+------+-------------+----------+-----------+------+
| id       | domain_id | name               | type  | content                                                                 | ttl  | prio | change_date | disabled | ordername | auth |
+----------+-----------+--------------------+-------+-------------------------------------------------------------------------+------+------+-------------+----------+-----------+------+
| 48000014 | 4000003   | aliastest.ca       | SOA   | ns01.aliastest.ca admin-dns.aliastest.ca 2022030101 1800 900 604800 300 | 3600 | 0    | NULL        | 0        |           | 1    |
| 48000015 | 4000003   | aliastest.ca       | NS    | ns01.aliastest.ca                                                       | 3600 | 0    | NULL        | 0        |           | 1    |
| 48000016 | 4000003   | aliastest.ca       | NS    | ns02.aliastest.ca                                                       | 3600 | 0    | NULL        | 0        |           | 1    |
| 48000017 | 4000003   | aliastest.ca       | MX    | mail1.aliastest.ca                                                      | 3600 | 10   | NULL        | 0        |           | 1    |
| 48000018 | 4000003   | aliastest.ca       | MX    | mail2.aliastest.ca                                                      | 3600 | 20   | NULL        | 0        |           | 1    |
| 48000019 | 4000003   | aliastest.ca       | MX    | mail3.aliastest.ca                                                      | 3600 | 30   | NULL        | 0        |           | 1    |
| 48000020 | 4000003   | ns01.aliastest.ca  | A     | 10.6.20.71                                                              | 3600 | 0    | NULL        | 0        | ns01      | 1    |
| 48000021 | 4000003   | ns02.aliastest.ca  | A     | 10.6.20.72                                                              | 3600 | 0    | NULL        | 0        | ns02      | 1    |
| 48000022 | 4000003   | mail1.aliastest.ca | A     | 1.1.1.1                                                                 | 3600 | 0    | NULL        | 0        | mail1     | 1    |
| 48000023 | 4000003   | mail2.aliastest.ca | A     | 2.2.2.2                                                                 | 3600 | 0    | NULL        | 0        | mail2     | 1    |
| 48000024 | 4000003   | mail3.aliastest.ca | A     | 3.3.3.3                                                                 | 3600 | 0    | NULL        | 0        | mail3     | 1    |
| 48000025 | 4000003   | www.aliastest.ca   | A     | 4.4.4.4                                                                 | 3600 | 0    | NULL        | 0        | www       | 1    |
| 48000026 | 4000003   | aliastest.ca       | ALIAS | www.cnn.com                                                             | 3600 | 0    | NULL        | 0        |           | 1    |
+----------+-----------+--------------------+-------+-------------------------------------------------------------------------+------+------+-------------+----------+-----------+------+
Thanks all,
-jake
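An added check, not part of the thread or of PowerDNS, that parses the "dig +dnssec +short" output quoted above and reports whether the A answer is accompanied by an RRSIG covering it: the www answer is signed, the apex ALIAS answer is not, and an unsigned answer from a zone that is otherwise signed fails validation at a validating resolver once the DS is published. Function names are mine; check_live assumes dig is on PATH, while the sample answers are embedded so the rest runs offline.

```python
import re
import subprocess

# `dig +dnssec +short` prints an RRSIG as: covered type, algorithm, labels,
# original TTL, expiration, inception, key tag, signer name and the base64
# signature, which dig may wrap onto further lines.
RRSIG_SHORT = re.compile(
    r"^(?P<covers>[A-Z0-9]+) (?P<alg>\d+) (?P<labels>\d+) (?P<ttl>\d+) "
    r"(?P<expire>\d{14}) (?P<incept>\d{14}) (?P<keytag>\d+) (?P<signer>\S+)"
)
B64_CHUNK = re.compile(r"^[A-Za-z0-9+/]+=*$")

def parse_short(text):
    """Split +short output into (rdata lines, list of RRSIG field dicts)."""
    rdata, rrsigs, in_sig = [], [], False
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        m = RRSIG_SHORT.match(line)
        if m:
            rrsigs.append(m.groupdict())
            in_sig = True
        elif in_sig and B64_CHUNK.match(line):
            continue  # wrapped tail of the signature; nothing to record
        else:
            rdata.append(line)
            in_sig = False
    return rdata, rrsigs

def check_answer(text, rrtype="A"):
    """Report whether the answer carries an RRSIG covering rrtype."""
    rdata, rrsigs = parse_short(text)
    signers = sorted({s["signer"] for s in rrsigs if s["covers"] == rrtype})
    return {"rdata": rdata, "signed": bool(signers), "signers": signers}

def check_live(name, rrtype="A", server="localhost"):
    """Query a server with dig and check its answer (needs dig on PATH)."""
    cmd = ["dig", f"@{server}", rrtype, name, "+dnssec", "+short"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return check_answer(out, rrtype)

# Constructed sample input: the two answers quoted in the thread.
WWW_ANSWER = """4.4.4.4
A 13 3 3600 20220609000000 20220519000000 30598 aliastest.ca.
sIhw7mNWncSfshFAf5hXtblduAFy1bFyhR32mYedzj4br7WWG8angHMj
SnOqnU7jJzW1u6INtskuwMuNbR+4WQ==
"""
APEX_ANSWER = "151.101.125.67\n"  # ALIAS at the apex: no RRSIG at all

if __name__ == "__main__":
    for label, text in (("www", WWW_ANSWER), ("apex", APEX_ANSWER)):
        print(label, check_answer(text))
```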
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users