[Pdns-users] pdns-recursor (4.1.0) validates dnssec as bogus
Lars Dunemark
lars.dunemark at glesys.se
Thu Dec 14 12:49:31 UTC 2017
Hi,
We are trying to activate dnssec validation on our pdns-recursor server
and get some strange problems with different domains that we can't
really explain.
In some cases domains that are insecure are validated as bogus and I have
also seen domains that have dnssec set up that are validated as bogus.
The first problem seems to be solved if we restart pdns service.
Wipe-cache works sometimes but we don't have any trace for this problem.
For the other problem we have a trace where other subdomains are validated
as secure but one is always triggered as bogus.
The domain where we find the problem is ansible.skatteverket.se, that is
one of the MX for skatteverket.se. The other mx servers seem to
validate as secure. (telegraf.skatteverket.se, marathon.skatteverket.se)
I have published our trace on: https://pastebin.com/CDeTy6Mv
Looking at http://dnsviz.net/d/ansible.skatteverket.se/dnssec/, it says
that it is a valid chain.
We are running this on debian 9, with pdns-recursor 4.1.0-1pdns.stretch
from https://repo.powerdns.com/debian stretch-rec-41 main
Dnssec setting is set to: log-fail
Is there any problem with the given domain or is this a bug in powerdns?
Best regards
Lars Dunemark