<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">On 20/03/2020 10:56, Giovanni Vecchi
via Pdns-users wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CADkrqGCU35JCOhS25waQnQ_cJiSHimKnK0LoVRta4j_FSsTCBA@mail.gmail.com">
<div class="gmail_default" style="font-family:monospace,monospace">@Brian:
my bad, my local domain isn't an ".local" one but ".sec", so
please consider domain.sec as root domain<br>
</div>
<div class="gmail_default" style="font-family:monospace,monospace">The
current behaviour is that public root domain are queried for
every *.domain.sec from recursor instead the authoritative one!</div>
<div class="gmail_default" style="font-family:monospace,monospace">My
conf:</div>
<div class="gmail_default" style="font-family:monospace,monospace"><br>
</div>
<div class="gmail_default" style="font-family:monospace,monospace">config-dir=/etc/powerdns<br>
local-address=0.0.0.0<br>
local-port=53<br>
setgid=pdns<br>
setuid=pdns<br>
allow-from=0.0.0.0<br>
logging-facility=1<br>
loglevel=9<br>
quiet=no<br>
version-string=Mind your own business…<br>
webserver=yes<br>
webserver-address=0.0.0.0<br>
webserver-allow-from=127.0.0.1<br>
webserver-port=8082<br>
api-key=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<br>
forward-zones=domain.sec=<a href="http://127.0.0.1:5300"
moz-do-not-send="true">127.0.0.1:5300</a></div>
</blockquote>
<p>Do no queries arrive at 127.0.0.1:5300 at all? What version of
pdns-recursor are you using?<br>
</p>
<p>It's possible that you need to set a negative trust anchor for
domain.sec. See:</p>
<p><a
href="https://doc.powerdns.com/recursor/dnssec.html#negative-trust-anchors">https://doc.powerdns.com/recursor/dnssec.html#negative-trust-anchors</a></p>
<p><br>
</p>
</body>
</html>