[Pdns-users] dnssec domain validates as bogus

Pieter Lexis pieter.lexis at powerdns.com
Fri Mar 9 15:21:46 UTC 2018

Hi Greg,

On Fri, 9 Mar 2018 14:44:31 +0000
Greg Antic <greg.antic at stc.za.com> wrote:

> We are running recursor 4.1.1. We are having a problem with a domain that is signed with bogus DNSSEC records; the domain is cape-epic.com. We have tried the different dnssec modes but only process-no-validate allows the domain to be resolved. We tried adding an NTA for the domain but the domain still would not resolve.
> Does anyone have any suggestions how we can accommodate and still resolve bogus domains but still offer DNSSEC validation?
> Answer to cape-epic.com|A for 41.77.x.y:36426 validates as Bogus

* Can you tell us how you added the NTA?
* Are you fronting the recursor with dnsdist?
* The fact that it validates as Bogus does *not* mean that the client
  gets a SERVFAIL; this depends on the dnssec setting and the flags the
  client sends. (But with an NTA it should always be insecure, so please
  answer the first question.)

Best regards,


Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com
