[Pdns-users] dnssec domain validates as bogus

Greg Antic greg.antic at stc.za.com
Mon Mar 12 09:25:00 UTC 2018

Hi Pieter,

To add to the info submitted to Remi:

> Can you tell us how you added the NTA?
rec_control add-nta cape-epic.com

> Are you fronting the recursor with dnsdist?

-----Original Message-----
From: Pdns-users [mailto:pdns-users-bounces at mailman.powerdns.com] On Behalf Of Pieter Lexis
Sent: Friday, 09 March 2018 5:22 PM
To: pdns-users at mailman.powerdns.com
Subject: Re: [Pdns-users] dnssec domain validates as bogus

Hi Greg,

On Fri, 9 Mar 2018 14:44:31 +0000
Greg Antic <greg.antic at stc.za.com> wrote:

> We are running recursor 4.1.1. We are having a problem with a domain that is signed with bogus DNSSEC records; the domain is cape-epic.com. We have tried the different DNSSEC modes, but only process-no-validate allows the domain to be resolved. We tried adding an NTA for the domain, but the domain still would not resolve.
> Does anyone have any suggestions for how we can accommodate and still resolve bogus domains but still offer DNSSEC validation?
> Answer to cape-epic.com|A for 41.77.x.y:36426 validates as Bogus

* Can you tell us how you added the NTA?
* Are you fronting the recursor with dnsdist?
* The fact that it validates as Bogus does *not* mean that the client
  gets a SERVFAIL, this depends on the dnssec setting and the flags the
  client sends. (but with an NTA it should always be insecure, so please
  answer the first question).

Best regards,


Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com