<div dir="ltr"><div>Thanks - I didn't know this parameter - so basically this...</div><div><br></div><div><pre style="box-sizing:border-box;overflow:auto;font-family:Consolas,monospace;font-size:15px;padding:14px 0px 14px 20px;margin:20px 0px;line-height:18.75px;word-break:break-all;color:rgb(51,51,51);border-width:0px 0px 0px 2px;border-style:solid;border-color:rgb(238,238,238);border-radius:4px">rec_control add-nta domain.example botched keyroll
Added Negative Trust Anchor for domain.example. with reason 'botched keyroll'</pre></div><div><br></div><div>....would set DNSSEC validations for domain.example. to "off"....?</div><div><br></div><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">On Wed, 11 June 2025 at 16:21, Jan-Piet Mens via Pdns-users &lt;<a href="mailto:pdns-users@mailman.powerdns.com">pdns-users@mailman.powerdns.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">I think the safest in this situation would be to add a Negative Trust Anchor<br>
(NTA) [1] in order to temporarily disable DNSSEC validation in your Recursor<br>
for that particular authoritative zone. While the NTA [2] is active you could<br>
try contacting the operator of the (obviously) broken authoritative server and<br>
get them to fix the zone.<br>
<br>
-JP<br>
<br>
[1] <a href="https://doc.powerdns.com/recursor/lua-config/dnssec.html#addNTA" rel="noreferrer" target="_blank">https://doc.powerdns.com/recursor/lua-config/dnssec.html#addNTA</a><br>
[2] <a href="https://doc.powerdns.com/recursor/dnssec.html#ntas" rel="noreferrer" target="_blank">https://doc.powerdns.com/recursor/dnssec.html#ntas</a><br>
_______________________________________________<br>
Pdns-users mailing list<br>
<a href="mailto:Pdns-users@mailman.powerdns.com" target="_blank">Pdns-users@mailman.powerdns.com</a><br>
<a href="https://mailman.powerdns.com/mailman/listinfo/pdns-users" rel="noreferrer" target="_blank">https://mailman.powerdns.com/mailman/listinfo/pdns-users</a><br>
</blockquote></div></div>