[Pdns-users] dnssec domain validates as bogus
Pieter Lexis
pieter.lexis at powerdns.com
Fri Mar 9 15:21:46 UTC 2018
Hi Greg,
On Fri, 9 Mar 2018 14:44:31 +0000
Greg Antic <greg.antic at stc.za.com> wrote:
> We are running recursor 4.1.1. We are having a problem with a domain that is signed with bogus dnssec records, the domain is cape-epic.com. We have tried the different dnssec modes but only process-no-validate allows the domain to be resolved. We tried adding an nta for the domain but the domain still would not resolve.
>
> Does anyone have any suggestions how we can accommodate and still resolve bogus domains but still offer dnssec validation?
>
> Answer to cape-epic.com|A for 41.77.x.y:36426 validates as Bogus
* Can you tell us how you added the NTA?
* Are you fronting the recursor with dnsdist?
* The fact that it validates as Bogus does *not* mean that the client
gets a SERVFAIL, this depends on the dnssec setting and the flags the
client sends. (but with an NTA it should always be insecure, so please
answer the first question).
Best regards,
Pieter
--
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com
More information about the Pdns-users
mailing list