<div dir="ltr"><div class="gmail_default" style="font-family:monospace,monospace">Hi Brian</div><div class="gmail_default" style="font-family:monospace,monospace"><br></div><div class="gmail_default" style="font-family:monospace,monospace"><span style="font-family:monospace"><span style="color:rgb(0,0,0)">sudo rec_control version
</span><br><i>4.3.0</i><br>
<br></span></div><div class="gmail_default" style="font-family:monospace,monospace">sudo dpkg -l | grep pdns-recursor<br><i>ii  pdns-recursor                         4.3.0-1pdns.bionic                              amd64        PowerDNS Recursor</i><span style="font-family:monospace"><br></span></div><div class="gmail_default" style="font-family:monospace,monospace"><span style="font-family:monospace"><br></span></div><div class="gmail_default" style="font-family:monospace,monospace"><span style="font-family:monospace">No queries arrive at all even with negative trust anchor:</span></div><div class="gmail_default" style="font-family:monospace,monospace"><span style="font-family:monospace"><br></span></div><div class="gmail_default" style="font-family:monospace,monospace">sudo rec_control get-ntas<br><i>Configured Negative Trust Anchors:<br>domain.sec</i><br></div><div class="gmail_default" style="font-family:monospace,monospace"><br></div><div class="gmail_default" style="font-family:monospace,monospace">Same result disabling DNSSEC at all.</div><div class="gmail_default" style="font-family:monospace,monospace"><br></div><div class="gmail_default" style="font-family:monospace,monospace">Thanks</div><div class="gmail_default" style="font-family:monospace,monospace"><br></div><div class="gmail_default" style="font-family:monospace,monospace"><br></div><div class="gmail_default" style="font-family:monospace,monospace"><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, 20 Mar 2020 at 12:03, Brian Candler <<a href="mailto:b.candler@pobox.com">b.candler@pobox.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
  
    
  
  <div>
    <div>On 20/03/2020 10:56, Giovanni Vecchi
      via Pdns-users wrote:<br>
    </div>
    <blockquote type="cite">
      <div class="gmail_default" style="font-family:monospace,monospace">@Brian:
        my bad, my local domain isn't an ".local" one but ".sec", so
        please consider domain.sec as root domain<br>
      </div>
      <div class="gmail_default" style="font-family:monospace,monospace">The
        current behaviour is that public root domain are queried for
        every *.domain.sec from recursor instead the authoritative one!</div>
      <div class="gmail_default" style="font-family:monospace,monospace">My
        conf:</div>
      <div class="gmail_default" style="font-family:monospace,monospace"><br>
      </div>
      <div class="gmail_default" style="font-family:monospace,monospace">config-dir=/etc/powerdns<br>
        local-address=0.0.0.0<br>
        local-port=53<br>
        setgid=pdns<br>
        setuid=pdns<br>
        allow-from=0.0.0.0<br>
        logging-facility=1<br>
        loglevel=9<br>
        quiet=no<br>
        version-string=Mind your own business…<br>
        webserver=yes<br>
        webserver-address=0.0.0.0<br>
        webserver-allow-from=127.0.0.1<br>
        webserver-port=8082<br>
        api-key=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<br>
        forward-zones=domain.sec=<a href="http://127.0.0.1:5300" target="_blank">127.0.0.1:5300</a></div>
    </blockquote>
    <p>Do no queries arrive at <a href="http://127.0.0.1:5300" target="_blank">127.0.0.1:5300</a> at all?  What version of
      pdns-recursor are you using?<br>
    </p>
    <p>It's possible that you need to set a negative trust anchor for
      domain.sec.  See:</p>
    <p><a href="https://doc.powerdns.com/recursor/dnssec.html#negative-trust-anchors" target="_blank">https://doc.powerdns.com/recursor/dnssec.html#negative-trust-anchors</a></p>
    <p><br>
    </p>
  </div>

</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><pre style="font-family:"Courier New",Courier,monospace,arial,sans-serif;margin-top:0px;margin-bottom:0px;white-space:pre-wrap;color:rgb(0,0,0);font-size:14px"><table border="0" cellspacing="0" cellpadding="0" style="font-family:"Times New Roman";width:420px"><tbody><tr valign="top"><td><table border="0" cellspacing="0" cellpadding="0"><tbody><tr valign="top"><td style="text-align:initial;vertical-align:top;padding:0px 8px"><a href="http://www.certego.net/" target="_blank"><img width="96" height="96" src="http://www.certego.net/email/certego.png" alt="" style="border-radius: 0px;"></a></td><td style="text-align:initial;vertical-align:top;padding:4px 0px"><div style="padding-top:2px;color:rgb(0,172,237);font-weight:bold;font-stretch:normal;font-size:18px;line-height:normal;font-family:sans-serif;letter-spacing:1px">Giovanni Vecchi</div><div style="padding-top:2px;color:rgb(32,32,32);font-weight:bold;font-stretch:normal;line-height:normal;font-family:sans-serif">Infrastructure Lead Engineer, Certego</div><div style="padding-top:4px"><a href="tel:+39-059-7353333" style="color:rgb(84,84,84);font-stretch:normal;font-size:12px;line-height:normal;font-family:sans-serif" target="_blank">+39-059-7353333</a><span style="color:rgb(0,172,237);font-stretch:normal;font-size:12px;line-height:normal;font-family:sans-serif"></span></div><div style="padding-top:6px"><a href="http://www.linkedin.com/company/certego" target="_blank"><img width="24" height="24" src="http://www.certego.net/email/linkedin.png" style="border-radius: 0px; border: 0px; width: 24px; min-height: 24px;"></a> <a href="http://twitter.com/Certego_IRT" target="_blank"><img width="24" height="24" src="http://www.certego.net/email/twitter.png" style="border-radius: 0px; border: 0px; width: 24px; min-height: 24px;"></a> <a href="http://github.com/certego" target="_blank"><img width="24" height="24" src="http://www.certego.net/email/github.png" style="border-radius: 0px; border: 0px; width: 24px; min-height: 24px;"></a> <a href="http://www.youtube.com/CERTEGOsrl" target="_blank"><img width="24" height="24" src="http://www.certego.net/email/youtube.png" style="border-radius: 0px; border: 0px; width: 24px; min-height: 24px;"></a> <a href="http://plus.google.com/117641917176532015312" target="_blank"><img width="24" height="24" src="http://www.certego.net/email/googleplus.png" style="border-radius: 0px; border: 0px; width: 24px; min-height: 24px;"></a></div></td></tr></tbody></table></td></tr></tbody></table><div style="font-stretch:normal;font-size:8px;line-height:normal;font-family:sans-serif;white-space:normal;width:420px;text-align:justify;vertical-align:top;padding:8px 0px;color:rgb(224,224,224)">Use of the information within this document constitutes acceptance for use in an "as is" condition. There are no warranties with regard to this information; Certego has verified the data as thoroughly as possible. Any use of this information lies within the user's responsibility. In no event shall Certego be liable for any consequences or damages, including direct, indirect, incidental, consequential, loss of business profits or special damages, arising out of or in connection with the use or spread of this information.</div></pre></div></div></div></div>