<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hi Steffan,<div class=""><br class=""></div><div class="">Well, it clearly responds to a request for an A record...<div class=""><br class=""></div><div class="">Can you tell us a bit more about this zone? What does "pdnsutil check-zone <a href="http://crazyforprint.nl" class="">crazyforprint.nl</a>" say?</div><div class=""><br class=""></div><div class="">In general, it's a very bad idea to use CNAME records at the apex of a domain.</div><div class=""><br class=""></div><div class="">Frank<br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On 9 Mar 2021, at 13:35, Steffan via Pdns-users <<a href="mailto:pdns-users@mailman.powerdns.com" class="">pdns-users@mailman.powerdns.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta charset="UTF-8" class=""><div class="WordSection1" style="page: WordSection1; caret-color: rgb(0, 0, 0); font-family: AvenirNext-Regular; font-size: 14px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span class="">This domain is not using an A record<o:p class=""></o:p></span></div><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span class="">But an ALIAS and CNAME<o:p class=""></o:p></span></div><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span class="">Is that why DNSSEC fails?<o:p class=""></o:p></span></div><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span class=""><o:p class=""> 
</o:p></span></div><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span class=""><o:p class=""> </o:p></span></div><div class=""><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-size: 12pt; font-family: "Times New Roman", serif;" class="">Kind regards,<o:p class=""></o:p></span></div><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-size: 12pt; font-family: "Times New Roman", serif;" class="">Steffan Noord<span class="Apple-converted-space"> </span><o:p class=""></o:p></span></div></div><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span class=""><o:p class=""> </o:p></span></div><div class=""><div style="border-style: solid none none; border-top-width: 1pt; border-top-color: rgb(225, 225, 225); padding: 3pt 0cm 0cm;" class=""><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><b class="">From:</b><span class="Apple-converted-space"> </span><a href="mailto:frank+pdns@tembo.be" class="">frank+pdns@tembo.be</a> <<a href="mailto:frank+pdns@tembo.be" class="">frank+pdns@tembo.be</a>><span class="Apple-converted-space"> </span><br class=""><b class="">Sent:</b><span class="Apple-converted-space"> </span>Tuesday 9 March 2021 13:34<br class=""><b class="">To:</b><span class="Apple-converted-space"> </span><a href="mailto:steffannoord@gmail.com" class="">steffannoord@gmail.com</a><br class=""><b class="">CC:</b><span class="Apple-converted-space"> </span>pdns-users-ml <<a href="mailto:pdns-users@mailman.powerdns.com" class="">pdns-users@mailman.powerdns.com</a>><br class=""><b class="">Subject:</b><span class="Apple-converted-space"> </span>Re: [Pdns-users] DNSSEC UDP problems<o:p class=""></o:p></div></div></div><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div><div 
style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Hi Steffan,<o:p class=""></o:p></div><div class=""><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Sometimes the<span class="Apple-converted-space"> </span><a href="http://dnsviz.net/" style="color: blue; text-decoration: underline;" class="">dnsviz.net</a><span class="Apple-converted-space"> </span>debugger is quite complete but can be overwhelming at first. The Verisign Analyser can be easier to perform basic checks.<span class="Apple-converted-space"> </span><a href="https://dnssec-analyzer.verisignlabs.com/crazyforprint.nl" style="color: blue; text-decoration: underline;" class="">https://dnssec-analyzer.verisignlabs.com/crazyforprint.nl</a>.<o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class="">In this case, it seems the zone is not properly signed, but DS records are present in the parent zone:<o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class="">While an RRSIG record does exist for e.g. 
the NS record for that zone:<o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div class=""><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class="">~<span class="Apple-converted-space"> </span><span style="font-family: "Segoe UI Symbol", sans-serif;" class="">❯</span><span class="Apple-converted-space"> </span>dig NS<span class="Apple-converted-space"> </span><a href="http://crazyforprint.nl/" style="color: blue; text-decoration: underline;" class="">crazyforprint.nl</a>. @ns1.tikklik.nl +dnssec <o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class="">...<o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class="">;; ANSWER SECTION:<o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><a href="http://crazyforprint.nl/" style="color: blue; text-decoration: underline;" class="">crazyforprint.nl</a>.<span class="apple-tab-span"> <span class="Apple-converted-space"> </span></span>28800<span class="apple-tab-span"> <span class="Apple-converted-space"> </span></span>IN<span class="apple-tab-span"> <span class="Apple-converted-space"> </span></span>NS<span class="apple-tab-span"> <span class="Apple-converted-space"> </span></span><a href="http://ns2.tikklik.nl/" style="color: blue; text-decoration: underline;" class="">ns2.tikklik.nl</a>.<o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><a href="http://crazyforprint.nl/" style="color: blue; text-decoration: underline;" class="">crazyforprint.nl</a>.<span class="apple-tab-span"> <span class="Apple-converted-space"> </span></span>28800<span class="apple-tab-span"> 
<span class="Apple-converted-space"> </span></span>IN<span class="apple-tab-span"> <span class="Apple-converted-space"> </span></span>RRSIG<span class="apple-tab-span"> <span class="Apple-converted-space"> </span></span>NS 13 2 28800 20210318000000 20210225000000 51602<span class="Apple-converted-space"> </span><a href="http://crazyforprint.nl/" style="color: blue; text-decoration: underline;" class="">crazyforprint.nl</a>. PdcCtYO9yLGiUoz+c5WiajyiaLHOpiAvEpJkS4Ew99fJ5xWOX0vJZAA3 4tAMzRJHO+aFBYvf7TvKWyL1Y8ytJQ==<o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><a href="http://crazyforprint.nl/" style="color: blue; text-decoration: underline;" class="">crazyforprint.nl</a>.<span class="apple-tab-span"> <span class="Apple-converted-space"> </span></span>28800<span class="apple-tab-span"> <span class="Apple-converted-space"> </span></span>IN<span class="apple-tab-span"> <span class="Apple-converted-space"> </span></span>NS<span class="apple-tab-span"> <span class="Apple-converted-space"> </span></span><a href="http://ns1.tikklik.nl/" style="color: blue; text-decoration: underline;" class="">ns1.tikklik.nl</a>.<o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div></div><div class=""><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class="">No RRSIG records are present for e.g. 
the A record:<o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div class=""><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class="">~<span class="Apple-converted-space"> </span><span style="font-family: "Segoe UI Symbol", sans-serif;" class="">❯</span><span class="Apple-converted-space"> </span>dig A<span class="Apple-converted-space"> </span><a href="http://crazyforprint.nl/" style="color: blue; text-decoration: underline;" class="">crazyforprint.nl</a>. @ns1.tikklik.nl +dnssec <o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class="">...<o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class="">;; ANSWER SECTION:<o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><a href="http://crazyforprint.nl/" style="color: blue; text-decoration: underline;" class="">crazyforprint.nl</a>.<span class="apple-tab-span"> <span class="Apple-converted-space"> </span></span>10071<span class="apple-tab-span"> <span class="Apple-converted-space"> </span></span>IN<span class="apple-tab-span"> <span class="Apple-converted-space"> </span></span>A<span class="apple-tab-span"> <span class="Apple-converted-space"> </span></span>199.59.242.153<o:p class=""></o:p></div></div></div><div class=""><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class="">As the parent indicates that the zone is supposed to be signed, this 
results in verification failures.<o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Kind Regards,<o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Frank<o:p class=""></o:p></div></div><div class=""><div class=""><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><br class=""><br class=""><o:p class=""></o:p></div><blockquote style="margin-top: 5pt; margin-bottom: 5pt;" class="" type="cite"><div class=""><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class="">On 9 Mar 2021, at 13:13, Steffan via Pdns-users <<a href="mailto:pdns-users@mailman.powerdns.com" style="color: blue; text-decoration: underline;" class="">pdns-users@mailman.powerdns.com</a>> wrote:<o:p class=""></o:p></div></div><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div><div class=""><div class=""><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Hello,<br class=""><br class="">Suddenly I'm getting DNSSEC warnings.<br class="">Any ideas what I'm missing here?<br class=""><br class="">When analysing the DNS with<span class="Apple-converted-space"> </span><a href="http://dnsviz.net/" style="color: blue; text-decoration: underline;" class="">dnsviz.net</a><span class="Apple-converted-space"> </span>I'm seeing<br class=""><br class="">" The server(s) were not responsive to queries over UDP. 
(2a00:1bd0:740:1:2::2, 2a00:1bd0:740:1:46::162)<br class=""><br class=""><br class="">I don't understand why,<br class="">I disabled the firewall for testing<br class=""><br class="">netstat -tulpn | grep pdns<br class="">tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 861967/pdns_server<br class="">tcp6 0 0 :::53 :::* LISTEN 861967/pdns_server<br class="">udp 0 0 0.0.0.0:11597 0.0.0.0:* 861967/pdns_server<br class="">udp 0 0 0.0.0.0:53 0.0.0.0:* 861967/pdns_server<br class="">udp6 0 0 :::12790 :::* 861967/pdns_server<br class="">udp6 0 0 :::53 :::* 861967/pdns_server<br class=""><br class=""><br class=""><br class="">Mar 9 13:07:30 ns1 systemd[1]: Starting PowerDNS Authoritative Server...<br class="">Mar 9 13:07:30 ns1 pdns_server[861967]: Loading '/usr/lib64/pdns/libgmysqlbackend.so'<br class="">Mar 9 13:07:30 ns1 pdns_server[861967]: This is a standalone pdns<br class="">Mar 9 13:07:30 ns1 pdns_server[861967]: Listening on controlsocket in '/run/pdns/pdns.controlsocket'<br class="">Mar 9 13:07:30 ns1 pdns_server[861967]: UDP server bound to 0.0.0.0:53<br class="">Mar 9 13:07:30 ns1 pdns_server[861967]: UDP server bound to [::]:53<br class="">Mar 9 13:07:30 ns1 pdns_server[861967]: TCP server bound to 0.0.0.0:53<br class="">Mar 9 13:07:30 ns1 pdns_server[861967]: TCP server bound to [::]:53<br class="">Mar 9 13:07:30 ns1 pdns_server[861967]: PowerDNS Authoritative Server 4.5.0-alpha0.810.master.ge95f1270a (C) 2001-2021<span class="Apple-converted-space"> </span><a href="http://powerdns.com/" style="color: blue; text-decoration: underline;" class="">PowerDNS.COM</a><span class="Apple-converted-space"> </span>BV<br class="">Mar 9 13:07:30 ns1 pdns_server[861967]: Using 64-bits mode. Built using gcc 8.3.1 20191121 (Red Hat 8.3.1-5) on Mar 4 2021 17:46:55 by root@8780793e1b61.<br class="">Mar 9 13:07:30 ns1 pdns_server[861967]: PowerDNS comes with ABSOLUTELY NO WARRANTY. 
This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.<br class="">Mar 9 13:07:30 ns1 pdns_server[861967]: DNS Proxy launched, local port 33452, remote 208.67.220.220:53<br class="">Mar 9 13:07:30 ns1 pdns_server[861967]: Not validating response for security status update, this is a non-release version<br class="">Mar 9 13:07:30 ns1 pdns_server[861967]: Master/slave communicator launching<br class="">Mar 9 13:07:30 ns1 pdns_server[861967]: Creating backend connection for TCP<br class="">Mar 9 13:07:30 ns1 pdns_server[861967]: About to create 3 backend threads for UDP<br class="">Mar 9 13:07:30 ns1 systemd[1]: Started PowerDNS Authoritative Server.<br class="">Mar 9 13:07:30 ns1 pdns_server[861967]: Done launching threads, ready to distribute questions<br class="">Mar 9 13:07:30 ns1 pdns_server[861967]: Cleared signature cache.<br class=""><br class="">Kind regards,<br class="">Steffan Noord<span class="Apple-converted-space"> </span><br class=""><br class="">_______________________________________________<br class="">Pdns-users mailing list<br class=""><a href="mailto:Pdns-users@mailman.powerdns.com" style="color: blue; text-decoration: underline;" class="">Pdns-users@mailman.powerdns.com</a><br class=""><a href="https://mailman.powerdns.com/mailman/listinfo/pdns-users" style="color: blue; text-decoration: underline;" class="">https://mailman.powerdns.com/mailman/listinfo/pdns-users</a><o:p class=""></o:p></div></div></div></blockquote></div><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div class=""><div class=""><div class=""><div class=""><p class="MsoNormal" style="margin: 0cm 0cm 12pt; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="font-size: 10pt; font-family: "Avenir Next", serif;" class="">Frank Louwers<br class="">PowerDNS Certified Consultant @<span class="Apple-converted-space"> </span><a 
href="http://kiwazo.be/" style="color: blue; text-decoration: underline;" class="">Kiwazo.be</a><o:p class=""></o:p></span></p></div><div class=""><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-size: 10pt; font-family: "Avenir Next", serif;" class=""><o:p class=""> </o:p></span></div></div><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="" class=""><o:p class=""> </o:p></span></div></div></div><div style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div></div></div></div></blockquote></div><br class=""></div></div><div class=""><div class=""><div dir="auto" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" 
class=""><div dir="auto" style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: "Avenir Next"; font-size: 13px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;">Frank Louwers<br class="">PowerDNS Certified Consultant @ <a href="http://Kiwazo.be" class="">Kiwazo.be</a><br class=""><br class=""></div><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: "Avenir Next"; font-size: 13px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><br class=""></div><br class="Apple-interchange-newline"></div></div><br class="Apple-interchange-newline"></div></div></body></html>