On Mon, Mar 04, 2024 at 05:01:12PM +0100, Jan Huijsmans via Pdns-users wrote:
> Hello,
>
> I'm trying to set up a DNSSEC lab environment with an isolated DNS set.
>
> Service setup:
>
> Servers
> - hidden master root server (pdns-auth 4.6.3-1)
> - queryable slave root servers (pdns-auth 4.6.3-1 & 4.8.4-1)
> - master + slave domain server (pdns-auth 4.8.4-1)
> - recursors on 4.9.2-1
>
> pdns.conf of the auth instances includes a .conf with
> gmysql=dnssec=yes
>
> recursor.conf of the recursors includes a lua-config file with clearTA() and
> either the addTA function with '.' and the DS content or
> readTrustAnchorsFromFile that points to a file with the output of
>
> pdnsutil export-zone-ds .
>
> All zones are, from lowest to highest zone, signed via the pdns secure-zone
> command and the DS records are exported via pdnsutil export-zone-ds and that
> output is added to the higher zone up to . .
>
> When I use dig to request records directly from the authoritative instances, I
> get answered with the RRSIG responses I expect. However, when I try via the
> recursor, the . zone is not trusted.
>
> The error the pdns recursor logs shows on a restart is:
>
> msg="Failed to update . records" error="Got Bogus validation result for .|NS"
> subsystem="housekeeping" level="0" prio="Error" tid="0" ts="1709563954.159"
> exception="PDNSException"
>
> When I request the DNSKEY from the . zone and add that to the root.key file
> (checked on a Debian system what's in /usr/share/dns/root.key to find the
> syntax) that I read the TA from via lua-config, then the result is the same.
>
> Documentation used:
> - https://doc.powerdns.com/recursor/dnssec.html
> - https://doc.powerdns.com/recursor/lua-config/dnssec.html#addTA
> - https://doc.powerdns.com/authoritative/dnssec/index.html
> - https://doc.powerdns.com/authoritative/manpages/pdnsutil.1.html
> and what I could find with DDG.
>
> dnssec is set to process in the recursor, but it refuses to answer when I use
> dig; nslookup works. (so applications are not impacted by this issue)
>
> It looks to me I'm missing something simple in establishing the initial trust
> of the . zone within the recursor, the rest looks like it works as it should.
>
> Any help is appreciated.

Show your recursor.conf and your root hints.

-Otto

> Regards,
>
> Jan Huijsmans
> _______________________________________________
> Pdns-users mailing list
> Pdns-users@mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users
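The DS-to-trust-anchor step in Jan's setup is where the recursor's trust in the lab root is established, so before turning to hints it is worth confirming that the DS handed to addTA() really hashes from the DNSKEY the lab root serves, and that it is well formed at all (digest length matching the digest type, hex only). The script below does that check and prints the lua-config lines. It is an added example written for this page, not PowerDNS code; it assumes the DS line has the zone-file layout `. IN DS <tag> <alg> <dtype> <digest>` that `pdnsutil export-zone-ds` prints (a trailing `;` comment is tolerated) and that the DNSKEY is in presentation format. The DNSKEY and DS records in it are constructed, with a four-byte placeholder instead of a real key.

```python
"""Sanity-check a DS trust anchor against the root DNSKEY and emit the
Recursor lua-config lines that install it.

Added example for this thread, not PowerDNS code. Assumes the DS line is
in the zone-file style that `pdnsutil export-zone-ds` prints (an optional
';' comment is tolerated) and the DNSKEY is in presentation format. The
records below are constructed: the "key" is four bytes, not a real key."""
import base64
import hashlib

# DS digest type -> (hashlib name, digest length in bytes), RFC 4034/4509/6605
DIGEST_TYPES = {1: ("sha1", 20), 2: ("sha256", 32), 4: ("sha384", 48)}


def name_to_wire(name):
    """Canonical (lowercase) wire form of an owner name; '.' is one zero byte."""
    labels = name.lower().rstrip(".")
    if not labels:
        return b"\x00"
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels.split(".")) + b"\x00"


def _rdata_fields(line, rtype):
    """Split 'owner [TTL] [IN] <rtype> rdata...' into (owner, rdata fields)."""
    fields = line.split(";", 1)[0].split()
    pos = [f.upper() for f in fields].index(rtype)
    return fields[0], fields[pos + 1:]


def parse_ds(line):
    owner, rd = _rdata_fields(line, "DS")
    return {"owner": owner, "tag": int(rd[0]), "alg": int(rd[1]),
            "dtype": int(rd[2]), "digest": "".join(rd[3:]).lower()}


def parse_dnskey(line):
    owner, rd = _rdata_fields(line, "DNSKEY")
    return {"owner": owner, "flags": int(rd[0]), "proto": int(rd[1]),
            "alg": int(rd[2]), "key": base64.b64decode("".join(rd[3:]))}


def keytag(rdata):
    """RFC 4034 appendix B key tag over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(dnskey, dtype=2):
    """The DS that a DNSKEY must produce: digest over owner-wire || RDATA."""
    rdata = (dnskey["flags"].to_bytes(2, "big")
             + bytes([dnskey["proto"], dnskey["alg"]]) + dnskey["key"])
    hname, _ = DIGEST_TYPES[dtype]
    digest = hashlib.new(hname, name_to_wire(dnskey["owner"]) + rdata).hexdigest()
    return {"owner": dnskey["owner"], "tag": keytag(rdata), "alg": dnskey["alg"],
            "dtype": dtype, "digest": digest}


def ds_problems(ds):
    """Reasons the DS cannot be a usable trust anchor; empty list if it is fine."""
    problems = []
    if ds["dtype"] not in DIGEST_TYPES:
        problems.append("unknown digest type %d" % ds["dtype"])
    elif len(ds["digest"]) != 2 * DIGEST_TYPES[ds["dtype"]][1]:
        problems.append("digest length %d does not match digest type %d"
                        % (len(ds["digest"]), ds["dtype"]))
    if any(c not in "0123456789abcdef" for c in ds["digest"]):
        problems.append("digest is not hex")
    return problems


def ds_matches_dnskey(ds, dnskey):
    """True if the DS is exactly what the DNSKEY hashes to (owner, tag, alg, digest)."""
    if not dnskey["flags"] & 0x100:   # bit 7 (Zone Key) clear: not a DNSSEC key
        return False
    if ds["dtype"] not in DIGEST_TYPES:
        return False
    want = ds_from_dnskey(dnskey, ds["dtype"])
    return (name_to_wire(ds["owner"]) == name_to_wire(want["owner"])
            and all(ds[k] == want[k] for k in ("tag", "alg", "digest")))


def lua_trust_anchors(ds_list):
    """lua-config lines: drop the built-in root anchors, then install ours."""
    lines = ["clearTA()"]
    for ds in ds_list:
        lines.append('addTA("%s", "%d %d %d %s")'
                     % (ds["owner"], ds["tag"], ds["alg"], ds["dtype"], ds["digest"]))
    return "\n".join(lines)


# Constructed sample: a fake root KSK (flags 257 = ZONE|SEP) and a stale DS
# with a different key tag, as left behind by a re-key of the lab root.
SAMPLE_DNSKEY = ". 3600 IN DNSKEY 257 3 13 AQIDBA=="
STALE_DS = ". IN DS 4242 13 2 " + "ab" * 32 + " ; ( SHA256 digest )"

if __name__ == "__main__":
    key = parse_dnskey(SAMPLE_DNSKEY)
    stale = parse_ds(STALE_DS)
    print("stale DS well-formed:", not ds_problems(stale))
    print("stale DS matches root DNSKEY:", ds_matches_dnskey(stale, key))
    fresh = ds_from_dnskey(key)
    print("DS recomputed from DNSKEY matches:", ds_matches_dnskey(fresh, key))
    print(lua_trust_anchors([fresh]))
```

Feed it the `pdnsutil export-zone-ds .` output and the DNSKEY answer from the hidden master: a well-formed DS that does not match the served DNSKEY gives exactly the `Bogus validation result for .|NS` the log shows, because the chain stops at the anchor. Note also that the Recursor ships with hints for the public root; in an isolated lab `hint-file` has to point at the lab root servers, which is why Otto asks for the hints along with recursor.conf.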