[Pdns-users] pdns-recursor 4.0.0~alpha3-1 - no DNSSEC answer?

Pieter Lexis pieter.lexis at powerdns.com
Fri May 20 08:14:52 UTC 2016

Hi Leen,

On Fri, 20 May 2016 10:08:51 +0200
leen at consolejunkie.net wrote:

> I've been wondering about this, I haven't tried the new recursor yet. 
> So to make it more clear:
> If you enable DNSSEC-processing of the recursor and nothing is cached 
> and you request something without DO-bit set does it do 
> DNSSEC-processing or not ?

In process-mode, the recursor always sends out queries with the DO-bit set (so this data is in the cache) and strips DNSSEC records in the reply to the client when the client does not set the DO-bit.

And if the client does not set the AD-bit it will not validate, so it might return bogus data in process mode. In validation mode, it will return SERVFAIL for bogus data, even when the client does not ask for validation.

Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com

More information about the Pdns-users mailing list