<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Avenir Next";
panose-1:0 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Segoe UI Symbol";
panose-1:2 11 5 2 4 2 4 2 2 3;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.apple-tab-span
{mso-style-name:apple-tab-span;}
span.E-mailStijl20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=NL link=blue vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span style='mso-fareast-language:EN-US'>This domain is not using a A record<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>But a ALIAS and CNAME<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>Is that why dnssec failes?<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:12.0pt;font-family:"Times New Roman",serif'>Met vriendelijke groet,<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:12.0pt;font-family:"Times New Roman",serif'>Steffan Noord <o:p></o:p></span></p></div><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b>Van:</b> frank+pdns@tembo.be <frank+pdns@tembo.be> <br><b>Verzonden:</b> dinsdag 9 maart 2021 13:34<br><b>Aan:</b> steffannoord@gmail.com<br><b>CC:</b> pdns-users-ml <pdns-users@mailman.powerdns.com><br><b>Onderwerp:</b> Re: [Pdns-users] DNSSEC UDP problems<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Hi Steffan,<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Sometimes the <a href="http://dnsviz.net">dnsviz.net</a> debugger is quite complete but can be overwhelming at first. The Versisign Analyser can be easier to perform basic checks. <a href="https://dnssec-analyzer.verisignlabs.com/crazyforprint.nl">https://dnssec-analyzer.verisignlabs.com/crazyforprint.nl</a>.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>In this case, it seems the zone is not properly signed, but DS records are present in the parent zone:<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>While an RRSIG record does exist for e.g. the NS record for that zone:<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><div><p class=MsoNormal>~ <span style='font-family:"Segoe UI Symbol",sans-serif'>❯</span> dig NS <a href="http://crazyforprint.nl">crazyforprint.nl</a>. @ns1.tikklik.nl +dnssec <o:p></o:p></p></div><div><p class=MsoNormal>...<o:p></o:p></p></div><div><p class=MsoNormal>;; ANSWER SECTION:<o:p></o:p></p></div><div><p class=MsoNormal><a href="http://crazyforprint.nl">crazyforprint.nl</a>.<span class=apple-tab-span> </span>28800<span class=apple-tab-span> </span>IN<span class=apple-tab-span> </span>NS<span class=apple-tab-span> </span><a href="http://ns2.tikklik.nl">ns2.tikklik.nl</a>.<o:p></o:p></p></div><div><p class=MsoNormal><a href="http://crazyforprint.nl">crazyforprint.nl</a>.<span class=apple-tab-span> </span>28800<span class=apple-tab-span> </span>IN<span class=apple-tab-span> </span>RRSIG<span class=apple-tab-span> </span>NS 13 2 28800 20210318000000 20210225000000 51602 <a href="http://crazyforprint.nl">crazyforprint.nl</a>. PdcCtYO9yLGiUoz+c5WiajyiaLHOpiAvEpJkS4Ew99fJ5xWOX0vJZAA3 4tAMzRJHO+aFBYvf7TvKWyL1Y8ytJQ==<o:p></o:p></p></div><div><p class=MsoNormal><a href="http://crazyforprint.nl">crazyforprint.nl</a>.<span class=apple-tab-span> </span>28800<span class=apple-tab-span> </span>IN<span class=apple-tab-span> </span>NS<span class=apple-tab-span> </span><a href="http://ns1.tikklik.nl">ns1.tikklik.nl</a>.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>No RRSIG records are present for e.g. the A record:<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><div><p class=MsoNormal>~ <span style='font-family:"Segoe UI Symbol",sans-serif'>❯</span> dig A <a href="http://crazyforprint.nl">crazyforprint.nl</a>. @ns1.tikklik.nl +dnssec <o:p></o:p></p></div><div><p class=MsoNormal>...<o:p></o:p></p></div><div><p class=MsoNormal>;; ANSWER SECTION:<o:p></o:p></p></div><div><p class=MsoNormal><a href="http://crazyforprint.nl">crazyforprint.nl</a>.<span class=apple-tab-span> </span>10071<span class=apple-tab-span> </span>IN<span class=apple-tab-span> </span>A<span class=apple-tab-span> </span>199.59.242.153<o:p></o:p></p></div></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>As the parent indicates that the zone is supposed to be signed, this results in verification failures.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Kind Regards,<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Frank<o:p></o:p></p></div><div><div><p class=MsoNormal><br><br><o:p></o:p></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal>On 9 Mar 2021, at 13:13, Steffan via Pdns-users <<a href="mailto:pdns-users@mailman.powerdns.com">pdns-users@mailman.powerdns.com</a>> wrote:<o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>Hello,<br><br>Suddenly im getting DNSSE|C warnings.<br>Any idees what im missing here?<br><br>When analysing the dns with <a href="http://dnsviz.net">dnsviz.net</a> im seeing<br><br>" The server(s) were not responsive to queries over UDP. (2a00:1bd0:740:1:2::2, 2a00:1bd0:740:1:46::162)<br><br><br>I dont understand why,<br>I disabled the firewall for testing<br><br>netstat -tulpn | grep pdns<br>tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 861967/pdns_server<br>tcp6 0 0 :::53 :::* LISTEN 861967/pdns_server<br>udp 0 0 0.0.0.0:11597 0.0.0.0:* 861967/pdns_server<br>udp 0 0 0.0.0.0:53 0.0.0.0:* 861967/pdns_server<br>udp6 0 0 :::12790 :::* 861967/pdns_server<br>udp6 0 0 :::53 :::* 861967/pdns_server<br><br><br><br>Mar 9 13:07:30 ns1 systemd[1]: Starting PowerDNS Authoritative Server...<br>Mar 9 13:07:30 ns1 pdns_server[861967]: Loading '/usr/lib64/pdns/libgmysqlbackend.so'<br>Mar 9 13:07:30 ns1 pdns_server[861967]: This is a standalone pdns<br>Mar 9 13:07:30 ns1 pdns_server[861967]: Listening on controlsocket in '/run/pdns/pdns.controlsocket'<br>Mar 9 13:07:30 ns1 pdns_server[861967]: UDP server bound to 0.0.0.0:53<br>Mar 9 13:07:30 ns1 pdns_server[861967]: UDP server bound to [::]:53<br>Mar 9 13:07:30 ns1 pdns_server[861967]: TCP server bound to 0.0.0.0:53<br>Mar 9 13:07:30 ns1 pdns_server[861967]: TCP server bound to [::]:53<br>Mar 9 13:07:30 ns1 pdns_server[861967]: PowerDNS Authoritative Server 4.5.0-alpha0.810.master.ge95f1270a (C) 2001-2021 <a href="http://PowerDNS.COM">PowerDNS.COM</a> BV<br>Mar 9 13:07:30 ns1 pdns_server[861967]: Using 64-bits mode. Built using gcc 8.3.1 20191121 (Red Hat 8.3.1-5) on Mar 4 2021 17:46:55 by root@8780793e1b61.<br>Mar 9 13:07:30 ns1 pdns_server[861967]: PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.<br>Mar 9 13:07:30 ns1 pdns_server[861967]: DNS Proxy launched, local port 33452, remote 208.67.220.220:53<br>Mar 9 13:07:30 ns1 pdns_server[861967]: Not validating response for security status update, this is a non-release version<br>Mar 9 13:07:30 ns1 pdns_server[861967]: Master/slave communicator launching<br>Mar 9 13:07:30 ns1 pdns_server[861967]: Creating backend connection for TCP<br>Mar 9 13:07:30 ns1 pdns_server[861967]: About to create 3 backend threads for UDP<br>Mar 9 13:07:30 ns1 systemd[1]: Started PowerDNS Authoritative Server.<br>Mar 9 13:07:30 ns1 pdns_server[861967]: Done launching threads, ready to distribute questions<br>Mar 9 13:07:30 ns1 pdns_server[861967]: Cleared signature cache.<br><br>Met vriendelijke groet,<br>Steffan Noord <br><br>_______________________________________________<br>Pdns-users mailing list<br><a href="mailto:Pdns-users@mailman.powerdns.com">Pdns-users@mailman.powerdns.com</a><br><a href="https://mailman.powerdns.com/mailman/listinfo/pdns-users">https://mailman.powerdns.com/mailman/listinfo/pdns-users</a><o:p></o:p></p></div></div></blockquote></div><p class=MsoNormal><o:p> </o:p></p></div><div><div><div><div><div><p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-size:10.0pt;font-family:"Avenir Next",serif;color:black'>Frank Louwers<br>PowerDNS Certified Consultant @ <a href="http://Kiwazo.be">Kiwazo.be</a><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Avenir Next",serif;color:black'><o:p> </o:p></span></p></div><p class=MsoNormal><span style='color:black'><o:p> </o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p></div></div></div></body></html>