[Pdns-users] DNSSEC failure on non-DNSSEC subdomain

Peter van Dijk peter.van.dijk at netherlabs.nl
Fri Feb 24 19:33:34 UTC 2012

Hello Ask,

On Feb 24, 2012, at 20:12 , Ask Bjørn Hansen wrote:

> develooper.org is using DNSSEC (NSEC, native in PowerDNS - show-zone output below).   l.develooper.org is pointed to a different set of nameservers with no DS record (they don't have DNSSEC configured).
> This morning I got a report that DNSSEC validating resolvers stopped being able to get to the l.develooper.org names (cpan-global.l.develooper.org specifically).  Not sure if it being Thursday yesterday is related or if it was broken all along.

This was reported to pdns-dev earlier today; I responded there including a (not very well-tested!) patch: http://mailman.powerdns.com/pipermail/pdns-dev/2012-February/001095.html

Another user reported this to us very recently; we're working with him to get a robust fix out soon. Our apologies for the troubles.

Kind regards,
Peter van Dijk

More information about the Pdns-users mailing list