When running a presigned zone with DNSSEC enabled, PowerDNS does not return an RRSIG record for 'wildcard' DNS records of the form *.domain.com. Instead it just returns the matching wildcard record and the correct NSEC3 records denying the existence of an exact match. For live signing or non-wildcard records the behaviour is as expected (an RRSIG for the wildcard + NSEC3s).
I believe this can be fixed by changing line 87 in function addSignature in dnssecsigner.cc from:
dk.getPreRRSIGs(db, signer, signQName, QType(signQType), signPlace, outsigned); // does it all
to:
dk.getPreRRSIGs(db, signer, wildcardname.empty() ? signQName : wildcardname, QType(signQType), signPlace, outsigned); // does it all
which is similar to the line below that code pertaining to the live-signing case.
Attachment 'Patch as submitted to pdns-dev' (pdns-ticket-460.diff) https://gist.github.com/5466742
That patch is not sufficient, as it does not correctly set the name of the RRSIG record (it keeps it as *.domain.com, which does not match the name of the returned record). Maybe getPreRRSIGs needs to be changed to accept an additional parameter?
In addition to the patch above, it would be necessary to change the parameters of getPreRRSIGs to include addSignature's signQName, then use that to set rr.qname on the RRSIG records in the loop.
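The two-step fix described in this thread (look the presigned RRSIGs up under the wildcard owner, then return them under the queried name) modelled in a small stand-alone C++ program. This is an added example, not PowerDNS code: the RRSIG struct, the PresignedStore map, getPresignedRRSIGs, countLabels and isWildcardExpansion are all constructed here and only stand in for the real getPreRRSIGs/addSignature path. It also carries the check a validator applies to the result: an RRSIG returned for a wildcard expansion must keep the Labels value of the wildcard owner, which is lower than the label count of the name it is returned under (RFC 4035, section 3.1.3.3).

```cpp
// Added example (not PowerDNS code): models the presigned wildcard RRSIG
// lookup discussed in the ticket. A toy record store maps owner names to
// RRSIG records; fetching RRSIGs for a wildcard match looks them up under
// the wildcard owner (*.domain.com) and rewrites the owner name on the
// returned RRSIGs to the name that was actually queried, which is what the
// live-signing path produces. All names and types here are assumptions.
#include <map>
#include <string>
#include <vector>

struct RRSIG {
  std::string qname;       // owner name the RRSIG is returned under
  std::string typeCovered; // e.g. "A"
  int labels;              // RFC 4034 Labels field: label count of the
                           // signed owner name, excluding a leading '*'
  std::string signerName;
};

// Toy presigned store: owner name -> RRSIGs stored for it.
using PresignedStore = std::map<std::string, std::vector<RRSIG>>;

// Count DNS labels in a name, ignoring a leading wildcard label.
// "*.example.com" -> 2, "www.example.com" -> 3
int countLabels(const std::string& name) {
  int n = 0;
  size_t start = 0;
  while (start < name.size()) {
    size_t dot = name.find('.', start);
    std::string label = name.substr(
        start, dot == std::string::npos ? std::string::npos : dot - start);
    if (!label.empty() && label != "*") ++n;
    if (dot == std::string::npos) break;
    start = dot + 1;
  }
  return n;
}

// Fetch presigned RRSIGs for an answer. When the answer came from a
// wildcard, look the signatures up under the wildcard owner but return
// them under the queried name, as the ticket's follow-up describes.
std::vector<RRSIG> getPresignedRRSIGs(const PresignedStore& store,
                                      const std::string& signQName,
                                      const std::string& wildcardname,
                                      const std::string& qtype) {
  const std::string& lookup = wildcardname.empty() ? signQName : wildcardname;
  std::vector<RRSIG> out;
  auto it = store.find(lookup);
  if (it == store.end()) return out;
  for (RRSIG rr : it->second) {
    if (rr.typeCovered != qtype) continue;
    // The ticket's second defect: without this line the RRSIG would still
    // carry the wildcard owner (*.example.com) instead of the queried name.
    rr.qname = signQName;
    out.push_back(rr);
  }
  return out;
}

// Validator-side check: an RRSIG for a wildcard expansion must carry a
// Labels value below the owner name's label count (RFC 4035 3.1.3.3).
bool isWildcardExpansion(const RRSIG& rr) {
  return rr.labels < countLabels(rr.qname);
}

// Constructed sample data: one wildcard and one exact-match owner, each
// with a single presigned RRSIG over its A records.
PresignedStore makeSampleStore() {
  PresignedStore s;
  s["*.example.com"] = {{"*.example.com", "A", 2, "example.com"}};
  s["www.example.com"] = {{"www.example.com", "A", 3, "example.com"}};
  return s;
}
```

With the sample store, a query for foo.example.com matched by *.example.com yields one RRSIG whose qname is foo.example.com and whose Labels value stays 2, so isWildcardExpansion reports true; the exact-match www.example.com query yields an RRSIG with Labels 3 and is not flagged as an expansion. Only the owner name is rewritten: the Labels field, the signer name and the signature bytes are untouched, because the signature was computed over the wildcard owner and still verifies for the expanded name under RFC 4035.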
Text from pdns-dev related to the attached patch:
In short: when running a zone in presigned mode and querying a name for which only a matching *.domain.com record exists, PowerDNS does not add an RRSIG record to the result. The attached patch lets PowerDNS add the RRSIG record for the wildcard record with the same name as the original queried name, which is identical to the records PowerDNS returns when doing live signing.
Applied in r2676, thanks!