[Pdns-users] dnssec domain validates as bogus

Remi Gacogne remi.gacogne at powerdns.com
Fri Mar 9 15:20:02 UTC 2018

Hi Greg,

On 03/09/2018 03:44 PM, Greg Antic wrote:
> We are running recursor 4.1.1. We are having a problem with a domain
> that is signed with bogus dnssec records, the domain is cape-epic.com.
> We have tried the different dnssec modes but only process-no-validate
> allows the domain to be resolved. We tried adding an nta for the domain
> but the domain still would not resolve.
> Does anyone have any suggestions how we can accommodate and still
> resolve bogus domains but still offer dnssec validation?

Running with dnssec=process should only return a ServFail if the client
actually asks for DNSSEC validation, as described in [1].
Adding a NTA should also work, would you mind sharing your configuration
and a trace (running with --trace or enabling it for this single domain
via rec_control trace-regex 'cape-epic.com')?

[1]: https://doc.powerdns.com/recursor/dnssec.html#what-when

Best regards,

Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20180309/1bffffbb/attachment.sig>

More information about the Pdns-users mailing list