[Pdns-users] dnssec domain validates as bogus
Greg Antic
greg.antic at stc.za.com
Mon Mar 12 09:25:00 UTC 2018
Hi Pieter,
To add to the info submitted to Remi:
> Can you tell us how you added the NTA?
rec_control add-nta cape-epic.com
> Are you fronting the recursor with dnsdist?
No
-----Original Message-----
From: Pdns-users [mailto:pdns-users-bounces at mailman.powerdns.com] On Behalf Of Pieter Lexis
Sent: Friday, 09 March 2018 5:22 PM
To: pdns-users at mailman.powerdns.com
Subject: Re: [Pdns-users] dnssec domain validates as bogus
Hi Greg,
On Fri, 9 Mar 2018 14:44:31 +0000
Greg Antic <greg.antic at stc.za.com> wrote:
> We are running recursor 4.1.1. We are having a problem with a domain that is signed with bogus DNSSEC records; the domain is cape-epic.com. We have tried the different dnssec modes, but only process-no-validate allows the domain to be resolved. We tried adding an NTA for the domain, but the domain still would not resolve.
>
> Does anyone have any suggestions how we can accommodate and still resolve bogus domains but still offer dnssec validation?
>
> Answer to cape-epic.com|A for 41.77.x.y:36426 validates as Bogus
* Can you tell us how you added the NTA?
* Are you fronting the recursor with dnsdist?
* The fact that it validates as Bogus does *not* mean that the client
gets a SERVFAIL, this depends on the dnssec setting and the flags the
client sends. (but with an NTA it should always be insecure, so please
answer the first question).
Best regards,
Pieter
--
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com