[Pdns-users] dnssec domain validates as bogus

Pieter Lexis pieter.lexis at powerdns.com
Fri Mar 9 15:21:46 UTC 2018


Hi Greg,

On Fri, 9 Mar 2018 14:44:31 +0000
Greg Antic <greg.antic at stc.za.com> wrote:

> We are running recursor 4.1.1. We are having a problem with a domain that is signed with bogus dnssec records, the domain is cape-epic.com. We have tried the different dnssec modes but only process-no-validate allows the domain to be resolved. We tried adding an nta for the domain but the domain still would not resolve.
> 
> Does anyone have any suggestions how we can accommodate and still resolve bogus domains but still offer dnssec validation?
> 
> Answer to cape-epic.com|A for 41.77.x.y:36426 validates as Bogus

* Can you tell us how you added the NTA?
* Are you fronting the recursor with dnsdist?
* The fact that it validates as Bogus does *not* mean that the client
  gets a SERVFAIL, this depends on the dnssec setting and the flags the
  client sends. (but with an NTA it should always be insecure, so please
  answer the first question).


Best regards,

Pieter

-- 
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com


More information about the Pdns-users mailing list