ALIAS does not support DNSSEC. See issues on GitHub.

Klaus

Sent via BlackBerry Work (www.blackberry.com)
________________________________
From: Pdns-users <pdns-users-boun...@mailman.powerdns.com> on behalf of Jake via Pdns-users <pdns-users@mailman.powerdns.com>
Sent: 30.05.2022 22:10
To: pdns-users@mailman.powerdns.com
Subject: [Pdns-users] Question about DNSSEC + ALIAS (cname at the apex hack)

Created a domain called "aliastest.ca". Set the options recursive= and expand-alias= as prescribed. All works...

Used "pdnsutil secure-zone aliastest.ca"...and it signed the zone...all easier than I expected, so yay!

However...when I query for records under the zone...

# dig @localhost A www.aliastest.ca. +dnssec +short
4.4.4.4
A 13 3 3600 20220609000000 20220519000000 30598 aliastest.ca. sIhw7mNWncSfshFAf5hXtblduAFy1bFyhR32mYedzj4br7WWG8angHMj SnOqnU7jJzW1u6INtskuwMuNbR+4WQ==

I see NSEC records...great!

# dig @localhost A aliastest.ca. +dnssec +short
151.101.125.67

I don't see NSEC records...why? I somewhat assumed that PowerDNS would be signing the recursive output from the ALIAS target...is this some other option I don't know about?

> select * from domains where name="aliastest.ca";
+---------+--------------+--------+------------+--------+-----------------+---------+
| id      | name         | master | last_check | type   | notified_serial | account |
+---------+--------------+--------+------------+--------+-----------------+---------+
| 4000003 | aliastest.ca | NULL   | NULL       | NATIVE | NULL            | NULL    |
+---------+--------------+--------+------------+--------+-----------------+---------+

> select * from records where domain_id="4000003";
+----------+-----------+--------------------+-------+-------------------------------------------------------------------------+------+------+-------------+----------+-----------+------+
| id       | domain_id | name               | type  | content                                                                 | ttl  | prio | change_date | disabled | ordername | auth |
+----------+-----------+--------------------+-------+-------------------------------------------------------------------------+------+------+-------------+----------+-----------+------+
| 48000014 |   4000003 | aliastest.ca       | SOA   | ns01.aliastest.ca admin-dns.aliastest.ca 2022030101 1800 900 604800 300 | 3600 |    0 | NULL        |        0 |           |    1 |
| 48000015 |   4000003 | aliastest.ca       | NS    | ns01.aliastest.ca                                                       | 3600 |    0 | NULL        |        0 |           |    1 |
| 48000016 |   4000003 | aliastest.ca       | NS    | ns02.aliastest.ca                                                       | 3600 |    0 | NULL        |        0 |           |    1 |
| 48000017 |   4000003 | aliastest.ca       | MX    | mail1.aliastest.ca                                                      | 3600 |   10 | NULL        |        0 |           |    1 |
| 48000018 |   4000003 | aliastest.ca       | MX    | mail2.aliastest.ca                                                      | 3600 |   20 | NULL        |        0 |           |    1 |
| 48000019 |   4000003 | aliastest.ca       | MX    | mail3.aliastest.ca                                                      | 3600 |   30 | NULL        |        0 |           |    1 |
| 48000020 |   4000003 | ns01.aliastest.ca  | A     | 10.6.20.71                                                              | 3600 |    0 | NULL        |        0 | ns01      |    1 |
| 48000021 |   4000003 | ns02.aliastest.ca  | A     | 10.6.20.72                                                              | 3600 |    0 | NULL        |        0 | ns02      |    1 |
| 48000022 |   4000003 | mail1.aliastest.ca | A     | 1.1.1.1                                                                 | 3600 |    0 | NULL        |        0 | mail1     |    1 |
| 48000023 |   4000003 | mail2.aliastest.ca | A     | 2.2.2.2                                                                 | 3600 |    0 | NULL        |        0 | mail2     |    1 |
| 48000024 |   4000003 | mail3.aliastest.ca | A     | 3.3.3.3                                                                 | 3600 |    0 | NULL        |        0 | mail3     |    1 |
| 48000025 |   4000003 | www.aliastest.ca   | A     | 4.4.4.4                                                                 | 3600 |    0 | NULL        |        0 | www       |    1 |
| 48000026 |   4000003 | aliastest.ca       | ALIAS | www.cnn.com                                                             | 3600 |    0 | NULL        |        0 |           |    1 |
+----------+-----------+--------------------+-------+-------------------------------------------------------------------------+------+------+-------------+----------+-----------+------+

Thanks all,
-jake
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users