[Pdns-users] pdns-recursor (4.1.0) validates dnssec as bogus

Lars Dunemark lars.dunemark at glesys.se
Thu Dec 14 12:49:31 UTC 2017


We are trying to activate dnssec validation on our pdns-recursor server 
and get some strange problems with different domains that we can't 
really explain.

In some cases domains that are insecure are validated as bogus, and I have 
also seen domains that have dnssec set up that are validated as bogus.

The first problem seems to be solved if we restart the pdns service. 
Wipe-cache works sometimes, but we don't have any trace for this problem.

For the other problem we have a trace, where other subdomains are validated 
as secure but one is always triggered as bogus.

The domain where we find the problem is ansible.skatteverket.se, which is 
one of the MX servers for skatteverket.se. The other MX servers seem to 
validate as secure. (telegraf.skatteverket.se, marathon.skatteverket.se)

I have published our trace at: https://pastebin.com/CDeTy6Mv

Looking at http://dnsviz.net/d/ansible.skatteverket.se/dnssec/, it says 
that it is a valid chain.

We are running this on debian 9, with pdns-recursor 4.1.0-1pdns.stretch 
from https://repo.powerdns.com/debian stretch-rec-41 main
The dnssec setting is set to: log-fail

Is there any problem with the given domain or is this a bug in powerdns?

Best regards
Lars Dunemark
