docs enhancements; clarify error message when set-presigned fails with DNSSEC disabled #4478

Merged
merged 6 commits into from Jan 13, 2017

@peterthomassen
Contributor

peterthomassen commented Sep 15, 2016

from IRC:

(12:04:06 PM) Habbie: wonder if that error from pdnsutil could be more helpful
(12:04:46 PM) Habbie: ah, indeed that error means -exactly- that gmysql-dnssec is not set
(12:04:57 PM) Habbie: every other error condition will give you an actual error from the backend i believe

@peterthomassen peterthomassen changed the title from clarify error message when set-presigned fails with DNSSEC disabled to docs enhancements; clarify error message when set-presigned fails with DNSSEC disabled Sep 16, 2016

peterthomassen Sep 16, 2016

Contributor

regarding 8ad575f, from IRC:

(01:09:05 PM) pt01: During AXFR, pdns does rectify. Is this when acting as a (signing) slave (after receiving the zone), or when acting as a master (before signing)?
(01:09:38 PM) pt01: I am asking because docs:backend-generic-sql/#handling-dnssec-signed-zones says that the AXFR client code does that, while the disable-axfr-rectify documentation says it's for outgoing AXFR.
(01:10:19 PM) Habbie: the incoming code always does it
(01:10:40 PM) Habbie: and the outgoing code does it unless you set that disable, which you shouldn't :)
(01:15:28 PM) pt01: aha! so, on a master, I never need to rectify myself unless there are non-AXFR queries?
(01:15:50 PM) Habbie: correct

@mind04

Please revert the changes which are suggesting axfr out rectify is updating the database

peterthomassen Sep 16, 2016

Contributor

The information that I tried to add to the docs is that even an outgoing AXFR does some sort of rectify, as the outgoing AXFR contains signed NSEC3 records for empty non-terminals. This information is nowhere else to be found. The documentation therefore currently implies that the rectify is fully done by the receiving slave (including signing NSEC3 records for ENT), which requires access to keying material on the slave. However, this is not the case.

It was certainly misguided to modify backend-generic-sql.md, so I changed things so that this information is now in dnssec.md only.

@pieterlexis pieterlexis merged commit 5c3d953 into PowerDNS:master Jan 13, 2017
