
I have DNS set up with powerdns. It serves my DNS pretty well, and it AXFRs to other slaves. The slaves haven't yet updated to the most recent records, but that doesn't affect the validation, it would appear. Any record I can think of (AAAA, MX, TXT, even the CNAME for www) validates -- except for A records:

dig @149.20.64.20 +dnssec www.demize95.com CNAME returns

    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 7

while dig @149.20.64.20 +dnssec demize95.com A returns

    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 7

The same happens with any other A record I have.

I set up DNSSEC with pdnssec, and it does work for all the other records, but it's never validated for my A records. What's the problem here?

Also, a side-note: I have to use ISC's DLV to create the chain of trust, since my domain registrar doesn't yet support sending the DS records to the com zone.

Update: It looks like it works now, so now I'd just like to know what the problem was. Was it just that the changes hadn't propagated everywhere yet?

  • Also, on all my queries I get the do flag in the opt pseudosection, which suggests that the signing is fine but there's a chain of trust issue. –  Aug 31 '12 at 21:07
  • 1
    The do flag just means the resolver supported DNSSEC. From RFC3225: " The DO bit of the query MUST be copied in the response." – Habbie Sep 01 '12 at 12:50
  • As for your actual question, it's hard to figure out afterwards what the issue was. Propagation should only be an issue if some of your slaves were running unsigned zones while the DLV already had your DS. – Habbie Sep 01 '12 at 12:52
  • 1
    Which confirms my idea that propagation wasn't the problem, since all the other records did validate. Anyway, it works, so I guess I just needed to give it time. –  Sep 01 '12 at 17:48
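An added example, not from the question or from PowerDNS: a small Python parser that reads dig output like the two responses above and separates the do bit in the OPT pseudosection (the resolver echoed the query's DNSSEC-OK request, as Habbie notes) from the ad bit in the header (the resolver actually validated), and counts RRSIGs to tell "signed but not validated" apart from "unsigned". The dig text below is constructed to mirror the question's responses; the A record address and signature data are placeholders.

```python
import re

# Constructed dig output mirroring the two responses in the question
# (sections abbreviated; address and signature data are placeholders).
DIG_CNAME_QUERY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 7

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
www.demize95.com.\t3600\tIN\tCNAME\tdemize95.com.
www.demize95.com.\t3600\tIN\tRRSIG\tCNAME 8 3 3600 ( ...placeholder... )
"""

DIG_A_QUERY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 7

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
demize95.com.\t3600\tIN\tA\t192.0.2.10
demize95.com.\t3600\tIN\tRRSIG\tA 8 2 3600 ( ...placeholder... )
"""

HEADER_FLAGS = re.compile(r"^;; flags:\s*([a-z ]*);", re.M)
EDNS_FLAGS = re.compile(r"^; EDNS: version: \d+, flags:\s*([a-z ]*);", re.M)


def dnssec_status(dig_output):
    """Classify one dig response by its DNSSEC-related bits.

    'do' (OPT pseudosection) only says the query asked for DNSSEC data and
    the resolver copied the bit back (RFC 3225); 'ad' in the header flags
    says the resolver validated the answer; RRSIG lines in the answer
    section show the zone is signed at all.
    """
    m = HEADER_FLAGS.search(dig_output)
    header = set(m.group(1).split()) if m else set()
    m = EDNS_FLAGS.search(dig_output)
    edns = set(m.group(1).split()) if m else set()
    rrsigs = sum(1 for line in dig_output.splitlines()
                 if not line.startswith(";") and "\tRRSIG\t" in line)

    if "ad" in header:
        verdict = "validated"
    elif "do" not in edns:
        verdict = "dnssec not requested"
    elif rrsigs:
        verdict = "signed but not validated"  # chain-of-trust problem
    else:
        verdict = "unsigned"
    return {"do": "do" in edns, "ad": "ad" in header,
            "rrsigs": rrsigs, "verdict": verdict}
```

Feeding it the captured text of a real `dig +dnssec` run gives the same three-way classification, which is the first thing to check before chasing propagation or DLV registration.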
