I have a pair of PowerDNS servers set up in a primary/secondary (master/slave) configuration.
I've enabled DNSSEC on one of my zones (bumptv.com), and I see RRSIG records were automatically created on my secondary, but I don't see them on my primary, and I am not certain whether that's by design or whether I have a problem.
Should RRSIG records exist on the primary as well? If so, any ideas why I don't have them?
Finally, I ran my zone through a DNSSEC checker and I saw these errors/warnings: https://dnssec-analyzer.verisignlabs.com/bumptv.com
- No RRSIGs found
- RRSIG=24074 and DNSKEY=24074/SEP does not verify the NSEC RRset (signature verification failed)
- None of the 1 RRSIG and 1 DNSKEY records validate the NSEC RRset
- The NSEC RRset was not signed by any trusted keys
- No NSEC record could prove that no records of type A for bumptv.com exist
I am using Namecheap as my domain registrar (if that matters).
The last error makes sense because I have no A records; I am using an ALIAS/CNAME for the apex domain which points back to WWW. So I am assuming that error can be ignored?
For the others, I am far less certain whether they indicate a problem or not.
Can anyone more familiar with DNSSEC help me understand these results?