[Pdns-users] Unable to resolve domain when using DO and not AD

Luca Lesinigo luca at lm-net.it
Wed Dec 12 18:53:04 UTC 2018

On 12 Dec 2018, at 18:45, bert hubert <bert.hubert at powerdns.com> wrote:
>> Right now I am refraining to disclose the domain because I don’t know if
>> this behavior could disclose a software/version/configuration with some
>> kind of known vulnerability.
> Sadly, that is where we stop reading about your problem.
> Please see https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/

The domain I’m talking about is not under my responsibility and it’s a third party, so when talking about “reproduce your problem using details you CAN share”, these specific details fall in the “can’t share” category, while all the tests and results using dig are the parts that I can share.
I don’t know and don’t want to find out if there is any legal aspect about disclosing a potential vulnerability in someone else’s systems, especially since we are in the same country and the other party is a much bigger company than ours - they can keep being unresolvable by all PowerDNS (and possibly other) recursors in the world as far as I’m concerned. On the other hand, I did contact the domain owners through their whois tech-c contacts and I’m trying to get their collaboration if I can; I’ve also linked them to this thread in the mailing list archives so they’re free to join in the conversation if they care.

I do understand that this will heavily affect any help that people could provide on this list and that’s perfectly fine for me - after all it’s not my domain and it’s not my problem, I’m just trying to help my users if I can and I am thankful for any help that this list could provide (and of course it goes without saying that we’re thankful for the great PowerDNS software!). I don’t want anyone to think that I *expect* any kind of answer or support.

Let me try to rephrase (part of) the issue:
- can I configure pdns-recursor to retry a query multiple times to the same dns server with the same transaction id?
- or can I configure pdns-recursor to selectively turn off DNSSEC for a single domain / regex?

I did my dose of RTFM and as far as I can tell the answer to both questions is “no” up to and including the latest stable release (v4.1.8 as of this writing), at least without developing custom Lua scripts or patching pdns-recursor.
The only workaround that I could think of to avoid the behavior shown in my dig examples is to forward-zones-recurse that specific domain to another DNS recursor that has DNSSEC disabled.
If anyone from the list could confirm the above or provide any other idea or suggestion, it would be much appreciated.

Luca Lesinigo
LM Networks Srl
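The forward-zones-recurse workaround described in the message above, written out as an added configuration example (this is not configuration from the original post or from the PowerDNS project). The domain name `problem-domain.example` is a placeholder for the undisclosed third-party domain, and the address 127.0.0.1:5301 for the second, non-validating recursor instance is an assumption; both recursor.conf fragments are shown in one block, separated by comments:

```ini
# --- recursor.conf of the client-facing pdns-recursor (keeps DNSSEC on) ---
local-address=192.0.2.53
allow-from=192.0.2.0/24
dnssec=process
# Hand the problematic domain (placeholder name) to a second recursor that
# performs the full recursion itself, instead of iterating to the domain's
# authoritative servers with the DO bit set. "recurse" is required here:
# plain forward-zones would send non-recursive queries to the forwarder.
forward-zones-recurse=problem-domain.example=127.0.0.1:5301

# --- recursor.conf of the second pdns-recursor instance (DNSSEC off) ---
# Assumed to listen only on loopback port 5301 and accept queries solely
# from the first instance; with dnssec=off it will not set DO on the
# queries it sends to the authoritative servers.
local-address=127.0.0.1
local-port=5301
allow-from=127.0.0.1/32
dnssec=off
```

Caveat a practitioner would want: the first instance still treats the forwarded domain according to its own dnssec setting. If the parent zone publishes a DS record for the domain, answers arriving from the non-validating instance carry no RRSIGs and will be considered bogus by a validating first instance; the workaround is therefore only clean for a domain that is insecure (no DS) in its parent, which is worth checking with dig before deploying it.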
