On Sat, Aug 01, 2015 at 09:51:59PM +0200, Bjoern Franke wrote:
> we are running PowerDNS 3.4.5-1 on 2 Debian Jessie systems. The master
> uses MySQL, the slave sqlite.
> After axfering one zone, the slave gets some garbage records:
These are empty non-terminal records, needed to generate correct answers. So
you probably do have a something._domainkey.ffnw.de record and a ffnwe.de
record. This empty record is there to generate the proper DNS response for
> Now I'm confused how to fix this besides creating the whole zone new.
If you run 'pdnssec rectify-zone ffnw.de' they will appear on the master
> I disabled dnssec now, but lists.ffnw.de still produces problems on
> slave |1|lists.ffnw.de||||||0||1 exists.
This is not about DNSSEC - the empty non-terminals are a requirement of
DNS itself. PowerDNS did not honour this requirement in the past.
> lists.ffnw.de has address 184.108.40.206
> lists.ffnw.de has IPv6 address 2a03:4000:6:8025::1
> lists.ffnw.de mail is handled by 10 srv01.ffnw.de.
> lists.ffnw.de mail is handled by 20 srv02.ffnw.de.
> So if a user asks srv02.ffnw.de, he/she cannot connect to
> lists.ffnw.de. The issue does not occur for ffnw.de which also has a
> _domainkey.ffnw.de record.
If I understand this right, your problem is that ‘lists.ffnw.de’
stops matching your wildcard because of the empty non-terminal? If that
is the issue, just put ‘lists.ffnw.de’ with A/AAAA/MX like the
wildcard, into your zone.
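
The lookup behaviour discussed above, as an added example that is not part of the original message and is not PowerDNS code: a minimal resolver following the wildcard rules of RFC 1034 section 4.3.2 and RFC 4592. It assumes the zone has a `*.ffnw.de` wildcard, as the reply supposes; the `selector._domainkey.lists.ffnw.de` record, the addresses and the function names are constructed for illustration.

```python
# Added example. All record data below is constructed, not the poster's zone.
WILDCARD = {"A": ["192.0.2.10"], "AAAA": ["2001:db8::10"],
            "MX": ["10 srv01.ffnw.de.", "20 srv02.ffnw.de."]}
ZONE_ENT = {
    "ffnw.de": {"NS": ["srv01.ffnw.de.", "srv02.ffnw.de."]},
    "*.ffnw.de": WILDCARD,
    # Assumed record below lists.ffnw.de; it makes lists.ffnw.de an
    # empty non-terminal (the name exists but owns no records).
    "selector._domainkey.lists.ffnw.de": {"TXT": ["v=DKIM1; p=CONSTRUCTED"]},
}
# The suggested fix: give lists.ffnw.de its own copies of the wildcard records.
ZONE_EXPLICIT = dict(ZONE_ENT, **{"lists.ffnw.de": WILDCARD})


def exists(zone, name):
    """A name exists if it owns records or if any name below it does."""
    return name in zone or any(owner.endswith("." + name) for owner in zone)


def resolve(zone, apex, qname, qtype):
    """Return (rcode, how the name matched, rdata list)."""
    qname = qname.rstrip(".").lower()
    if qname != apex and not qname.endswith("." + apex):
        return ("REFUSED", "out-of-zone", [])
    if exists(zone, qname):
        rrsets = zone.get(qname, {})  # {} for an empty non-terminal
        how = "exact" if rrsets else "empty-non-terminal"
        return ("NOERROR", how, rrsets.get(qtype, []))
    # The name does not exist: find the closest existing ancestor and
    # look for a wildcard directly below it, and nowhere else.
    parts = qname.split(".")
    for i in range(1, len(parts)):
        encloser = ".".join(parts[i:])
        if exists(zone, encloser):
            wildcard = zone.get("*." + encloser)
            if wildcard is None:
                return ("NXDOMAIN", "none", [])
            return ("NOERROR", "wildcard", wildcard.get(qtype, []))
    return ("NXDOMAIN", "none", [])


if __name__ == "__main__":
    for label, zone in (("with ENT", ZONE_ENT), ("explicit", ZONE_EXPLICIT)):
        for name in ("www.ffnw.de", "lists.ffnw.de"):
            print(label, name, resolve(zone, "ffnw.de", name, "A"))
```

With only the record below it, `lists.ffnw.de` answers NOERROR with no data instead of the wildcard's addresses; once it has its own A/AAAA/MX records the answer is exact.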