| author | uvok cheetah | 2025-01-11 13:02:23 +0100 |
|---|---|---|
| committer | uvok cheetah | 2025-01-11 13:02:23 +0100 |
| commit | 6413c995ec300c4dca7fc2cec5a0da518aa30eb5 (patch) | |
| tree | bb3920439c1a7dd22168253ce1bbbb5dabfd3073 /_drafts | |
| parent | edd0475e2c53a77f8f9654767279f83292f9a07b (diff) | |
Clarification NSEC3 rrsig
Diffstat (limited to '_drafts')
-rw-r--r-- | _drafts/migrating-dns-servers.md | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/_drafts/migrating-dns-servers.md b/_drafts/migrating-dns-servers.md index ce587c4..246128f 100644 --- a/_drafts/migrating-dns-servers.md +++ b/_drafts/migrating-dns-servers.md @@ -112,9 +112,12 @@ other TLDs and other registrars. 1. Filter and import the zone. PowerDNS will actually complain about the NSEC3 records otherwise once you open the zone in your editor. - grep -vw NSEC3 ./dl-zone.txt > imp-zone.txt + grep -vw "IN NSEC3" ./dl-zone.txt > imp-zone.txt pdnsutil load-zone $zone ./imp-zone.txt + This should keep the RRSIGs for the NSEC3 records. This doesn't help with + the errors I receive later, though… + 1. Set up the secondaries. I went with [Hurricane Electric](https://dns.he.net/), but I had to write them an e-mail. I couldn't add the zone as secondary myself, because the web interface requires the @@ -159,10 +162,10 @@ other TLDs and other registrars. PowerDNS can't sign the reply, because it doesn't have the keys to sign the NSEC3 replies (??? I guess ???). So now, instead of sending back an unsigned reply, it sends back an error. - - Further: PoweDNS *refuses to import NSEC3 records*. It wants to generate them - itself. If I understood things correctly, that would be no problem if it - simply imported the zone file with the prepared NSEC3 records? + I imported the RRSIGs for these NSEC3 records, though, at least in a second + attempt. I tried all combinations of (set-nsec3|unset-nsec3) and (import + NSEC3-RRSIG|don't import NSEC3-RRSIG). All variants failed. I have no clue + how this is supposed to work cleanly. 1. Wait at least 24 hours (TTLs, DNS propagation time). \ *I am currently at this step. Further steps are guesswork*. |
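Review bot: the tightened filter `grep -vw "IN NSEC3"` in the first hunk only matches when class and type are separated by exactly one space; if the downloaded zone dump uses tabs or column-aligned runs of spaces between `IN` and `NSEC3`, those NSEC3 records pass the filter unchanged and trigger exactly the PowerDNS complaint this step warns about. A whitespace-tolerant pattern such as `grep -Ev '[[:space:]]IN[[:space:]]+NSEC3[[:space:]]'` preserves the intent (drop the NSEC3 RRsets, keep their RRSIGs and any NSEC3PARAM record) without depending on how the dump was formatted. The added note "This doesn't help with the errors I receive later, though…" also leaves the reader at this step without guidance; name the error or point at the later step explicitly so the filtering advice is not read as a fix for it.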
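Review bot: the replacement paragraph in the second hunk records that every combination of set-nsec3/unset-nsec3 and importing or not importing the NSEC3 RRSIGs failed, but drops the explanation the hunk's own context already supplies: PowerDNS "doesn't have the keys" that produced those signatures, so imported NSEC3 RRSIGs can only validate against the previous operator's DNSKEY, not against anything PowerDNS signs with, and no NSEC3 setting in pdnsutil changes that. Suggest replacing "I have no clue how this is supposed to work cleanly." with that conclusion and tightening the "(??? I guess ???)" hedge in the preceding context line, so a reader is told not to carry the old RRSIGs over instead of being left to repeat the same four experiments.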