Re: [Pdns-users] DNSSEC and

2023-08-22 Thread Xan Charbonnet via Pdns-users
Frank, I so appreciate your help. It sounds like my intended configuration should be fine, then. I might suggest to the powers that be that the documentation address this question. The reason I have two servers is for redundancy, so I'll probably give both instances write access, but as yo

Re: [Pdns-users] DNSSEC and

2023-08-22 Thread Frank Louwers via Pdns-users
Hi Xan, The weekly changes are not key rollovers, they are RRSIG updates/resignings. These are done on the fly (in online mode), and not stored in the database. The backend only contains the ZSK/KSK/CSK, which will only change if you issue a command to roll them. Even if you would issue the ch

Re: [Pdns-users] DNSSEC and

2023-08-22 Thread Xan Charbonnet via Pdns-users
Thank you, Frank. I am aiming to do online signing, but my concern is the weekly key rollover. Wouldn't both PowerDNS instances attempt to perform key rollover on the same database at the same time? Do they not step on each other's toes? -Xan On 8/22/23 07:03, Frank Louwers via Pdns-use

Re: [Pdns-users] DNSSEC and

2023-08-22 Thread Frank Louwers via Pdns-users
Hi Xan, It depends which DNSSEC you choose. If you would pick "Online Signing" for instance (great unless you have very busy servers with lots of domains), the "keying data" is stored in the database as well, so both servers would use the same data to sign the zone, resulting in consistent sign

[Pdns-users] DNSSEC and

2023-08-21 Thread Xan Charbonnet via Pdns-users
Hello everyone, We've been successfully using PowerDNS for some time, and are looking into enabling DNSSEC. If two PowerDNS authoritative servers are set up for native replication, sharing a single MariaDB backend where the database is replicated using MariaDB's replication, how would DNSSEC

Re: [Pdns-users] DNSSEC and CNAME records results NXDOMAIN

2022-04-22 Thread Marijn via Pdns-users
regards Klaus -Original Message- From: Marijn Sent: Friday, 22 April 2022 19:18 To: Klaus Darilion ; pdns- us...@mailman.powerdns.com Subject: Re: [Pdns-users] DNSSEC and CNAME records results NXDOMAIN I fill the records with the API. However when I check the SOA file (see belo

Re: [Pdns-users] DNSSEC and CNAME records results NXDOMAIN

2022-04-22 Thread Klaus Darilion via Pdns-users
ove the root zone from your PowerDNS. regards Klaus > -Original Message- > From: Marijn > Sent: Friday, 22 April 2022 19:18 > To: Klaus Darilion ; pdns- > us...@mailman.powerdns.com > Subject: Re: [Pdns-users] DNSSEC and CNAME records results NXDOMAIN > >

Re: [Pdns-users] DNSSEC and CNAME records results NXDOMAIN

2022-04-22 Thread Marijn via Pdns-users
-users On Behalf Of Marijn via Pdns-users Sent: Friday, 22 April 2022 18:54 To: pdns-users@mailman.powerdns.com Subject: Re: [Pdns-users] DNSSEC and CNAME records results NXDOMAIN I have pdnsutil 4.5.4 running with MySQL backend and native MySQL replication. In pdns.conf I have the foll

Re: [Pdns-users] DNSSEC and CNAME records results NXDOMAIN

2022-04-22 Thread Klaus Darilion via Pdns-users
To: pdns-users@mailman.powerdns.com > Subject: Re: [Pdns-users] DNSSEC and CNAME records results NXDOMAIN > > I have pdnsutil 4.5.4 running with MySQL backend and native MySQL > replication. > > In pdns.conf I have the following value. Maybe the @ doesn't work? > > default-soa-con

Re: [Pdns-users] DNSSEC and CNAME records results NXDOMAIN

2022-04-22 Thread Marijn via Pdns-users
d/ zone setup are you using? regards Klaus -Original Message- From: Pdns-users On Behalf Of Marijn via Pdns-users Sent: Friday, 22 April 2022 16:39 To: pdns-users@mailman.powerdns.com Subject: [Pdns-users] DNSSEC and CNAME records results NXDOMAIN I have PowerDNS 4.5.1 running

Re: [Pdns-users] DNSSEC and CNAME records results NXDOMAIN

2022-04-22 Thread Klaus Darilion via Pdns-users
. which pdns version/backend/ zone setup are you using? regards Klaus > -Original Message- > From: Pdns-users On > Behalf Of Marijn via Pdns-users > Sent: Friday, 22 April 2022 16:39 > To: pdns-users@mailman.powerdns.com > Subject: [Pdns-users] DNSSEC and CN

[Pdns-users] DNSSEC and CNAME records results NXDOMAIN

2022-04-22 Thread Marijn via Pdns-users
I have PowerDNS 4.5.1 running. DNSSEC is working on the domain: https://dnssec-analyzer.verisignlabs.com/egogo.eu --- But when I have DNSSEC active and I create a CNAME record, which doesn't have DNSSEC, I get a NXDOMAIN error. ``` $ dig CNAME autodiscover.egogo.eu +short autodiscover.outloo

Re: [Pdns-users] dnssec and lua-config--file

2020-05-13 Thread Brian Candler via Pdns-users
On 13/05/2020 09:05, Pierrick CHOVELON wrote: Thx, both of you. It works like a charm. Great. Also look at the "auth-zones" option - depending on your use case it may be another option. https://docs.powerdns.com/recursor/settings.html#auth-zones I'll have a look on the forward-zones-file.

Re: [Pdns-users] dnssec and lua-config--file

2020-05-13 Thread Pierrick CHOVELON via Pdns-users
Thx, both of you. It works like a charm. I'll have a look on the forward-zones-file. Are modifications taken on the fly or it is necessary to restart the recursor ? Regards

Re: [Pdns-users] dnssec and lua-config--file

2020-05-13 Thread Brian Candler via Pdns-users
On 13/05/2020 08:18, Pierrick CHOVELON via Pdns-users wrote: Now, let's imagine I want to resolve foo.example.net and also bar.example.net . Do I have to create two zone files one for foo.example.net and one for bar.e

Re: [Pdns-users] dnssec and lua-config--file

2020-05-13 Thread Pierrick CHOVELON via Pdns-users
Hi, Thank you very much, it works. (I've some typos in the named.conf files too). For the hint file, it was in the default configuration. Now, let's imagine I want to resolve foo.example.net and also bar.example.net. Do I have to create two zone files one for foo.example.net and one for bar.exa

Re: [Pdns-users] dnssec and lua-config--file

2020-05-12 Thread Nico CARTRON via Pdns-users
On 12-May-2020 19:11 CEST, wrote: > Hi, > > Yes I do : > > cat recursor.conf | grep -v '^\s*$\|^\s*\#' > config-dir=/etc/powerdns > dnssec-log-bogus=yes > hint-file=/usr/share/dns/root.hints > local-address=0.0.0.0 > local-port=3334 > *lua-config-file=/etc/powerdns/recursor.lua* > quiet=yes > s

Re: [Pdns-users] dnssec and lua-config--file

2020-05-12 Thread Pierrick CHOVELON via Pdns-users
Hi, Yes I do : cat recursor.conf | grep -v '^\s*$\|^\s*\#' config-dir=/etc/powerdns dnssec-log-bogus=yes hint-file=/usr/share/dns/root.hints local-address=0.0.0.0 local-port=3334 *lua-config-file=/etc/powerdns/recursor.lua* quiet=yes security-poll-suffix= setgid=pdns setuid=pdns trace=fail forwar

Re: [Pdns-users] dnssec and lua-config--file

2020-05-12 Thread Nico CARTRON via Pdns-users
Hi Pierre, On 12-May-2020 16:59 CEST, wrote: > Hello, > > I'm testing pdns-recursor and I'd like to config it in order to : > >- resolves normally exemple.net >- forwards the request foo.example.net to an internal authoritative >server > > I've read the documentation, and found :

[Pdns-users] dnssec and lua-config--file

2020-05-12 Thread Pierrick CHOVELON via Pdns-users
Hello, I'm testing pdns-recursor and I'd like to config it in order to : - resolves normally exemple.net - forwards the request foo.example.net to an internal authoritative server I've read the documentation, and found : https://docs.powerdns.com/recursor/settings.html#forward-zones I'v

Re: [Pdns-users] DNSSEC and SOA records

2019-07-22 Thread Nico CARTRON
Hi Tamer, On 21-Jul-2019 22:10 CEST, wrote: > Hello, > > I have setup PowerDNS 4.2.0-rc2 through the CentOS 7 repository. Everything > works fine except SOA replies in AUTHORITY SECTIONs with DNSSEC enabled. We > are testing the domain through the well-known validator Internet.nl and it > resul

[Pdns-users] DNSSEC and SOA records

2019-07-21 Thread Tamer Canki
Hello, I have setup PowerDNS 4.2.0-rc2 through the CentOS 7 repository. Everything works fine except SOA replies in AUTHORITY SECTIONs with DNSSEC enabled. We are testing the domain through the well-known validator Internet.nl and it results in a BOGUS validation. They state that it's because test

Re: [Pdns-users] DNSSEC and subdomains with wildcards

2014-05-29 Thread Peter van Dijk
Hello Chris, On 29 May 2014, at 14:22 , Chris wrote: > Now I see that 'test.wildcard.testdomain.asia' no longer resolves. Looking in > the database there is a new entry for 'test.wildcard.testdomain.asia' with > null 'type' and 'content', so I assume that pdns sees that record with no > conte

[Pdns-users] DNSSEC and subdomains with wildcards

2014-05-29 Thread Chris
Hi list, I have run into a problem with implementing DNSSEC for zones that have wildcards. I am using PowerDNS 3.3-1 on Debian Wheezy with the 'gmysql-dnssec' backend. I am testing with the domain 'testdomain.asia'. Starting from scratch with just the SOA and NS records in the zone, I then

[Pdns-users] DNSSEC and SOA expire field

2013-07-09 Thread Martin Chandler
Hi, When using PowerDNS for DNSSEC, is there any way to configure the validity period of the RRSIG records to be greater than the default 2 weeks? If not, what is the recommended value for the SOA expire field for DNSSEC enabled zones (I understand it is best to set it to something less than the R

Re: [Pdns-users] DNSSEC and Master/Slave setup

2011-02-03 Thread Christof Meerwald
On Thu, 3 Feb 2011 10:28:23 +0100, bert hubert wrote: [...] > Ideas? > > I prefer a solution where we don't actually increment the serial in the > database but overlay it with something that autoincrements ('weeks since > january first 2011'). I actually like that idea - guess that would work for

Re: [Pdns-users] DNSSEC and Master/Slave setup

2011-02-03 Thread bert hubert
On Thu, Feb 03, 2011 at 08:44:08AM +0100, Christof Meerwald wrote: > I kind of expected this to happen today - the master (ns.cmeerw.net) > with the keying material has now updated the RRSIG records, but the > slave (ns2.cmeerw.net, no keying material) still returns the old RRSIG > records: Indeed

[Pdns-users] DNSSEC and Master/Slave setup

2011-02-02 Thread Christof Meerwald
Hi, I kind of expected this to happen today - the master (ns.cmeerw.net) with the keying material has now updated the RRSIG records, but the slave (ns2.cmeerw.net, no keying material) still returns the old RRSIG records: ; <<>> DiG 9.7.1-P2 <<>> +dnssec -t soa cmeerw.priv.at @ns.cmeerw.net ;; ANS