[Pdns-users] dnssec domain validates as bogus

Remi Gacogne remi.gacogne at powerdns.com
Wed Mar 14 12:59:33 UTC 2018


On 03/14/2018 01:35 PM, Greg Antic wrote:
> I posted all the outputs without removing anything. Do you mean the rec_control trace? If so, that is all that was output.

Yes, a full trace would start with something like this:

Mar 14 13:52:42 0 [2/1] question for 'cape-epic.com|A' from 127.0.0.1:36254
Mar 14 13:52:42 [2] cape-epic.com: Wants DNSSEC processing, auth data in query for A
Mar 14 13:52:42 [2] cape-epic.com: Looking for CNAME cache hit of 'cape-epic.com|CNAME'
Mar 14 13:52:42 [2] cape-epic.com: No CNAME cache hit of 'cape-epic.com|CNAME' found
Mar 14 13:52:42 [2] cape-epic.com: No cache hit for 'cape-epic.com|A', trying to find an appropriate NS record

which we don't have in the trace you posted, so we don't see the initial
query.

Then if the client requested DNSSEC validation (dig cape-epic.com
@127.0.0.1 with the version I'm using), it ends up with:

Mar 14 13:54:03 [2] cape-epic.com: status=got results, this level of recursion done
Mar 14 13:54:03 [2] cape-epic.com: validation status is Secure
Mar 14 13:54:03 Starting validation of answer to cape-epic.com|A for 127.0.0.1:47766
Mar 14 13:54:03 Answer to cape-epic.com|A for 127.0.0.1:47766 validates correctly
Mar 14 13:54:03 0 [2/1] answer to question 'cape-epic.com|A': 1 answers, 1 additional, took 5 packets, 1576.42 netw ms, 1583.5 tot ms, 0 throttled, 1 timeouts, 0 tcp connections, rcode=0, dnssec=Secure

And if the client didn't (dig cape-epic.com @127.0.0.1 +nodnssec +noadflag):

Mar 14 13:53:31 [2] cape-epic.com: status=got results, this level of recursion done
Mar 14 13:53:31 [2] cape-epic.com: validation status is Indeterminate
Mar 14 13:53:31 0 [2/1] answer to question 'cape-epic.com|A': 1 answers, 1 additional, took 2 packets, 33.106 netw ms, 35.287 tot ms, 0 throttled, 0 timeouts, 0 tcp connections, rcode=0

That's the expected behavior with dnssec=process. If you want to disable
validation no matter what the client is asking for, use dnssec=off.

-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
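The difference between the two traces above comes down to what the client put in its query: with dnssec=process the recursor only validates when the client asked for it, and `+nodnssec +noadflag` in dig clears exactly the two things that count as asking, the EDNS0 DO bit and the AD header flag. The following is an added example, not code from the thread or from PowerDNS, that builds both kinds of query on the wire and inspects a query packet to decide whether it requests validation. The query name, transaction ID and the 4096-byte EDNS buffer size are assumptions chosen for illustration.

```python
"""Added example (not from the PowerDNS thread or the PowerDNS code base):
build DNS queries with and without the EDNS0 DO bit and the AD header flag,
then inspect a query the way a validating recursor does when deciding
whether the client asked for DNSSEC validation.  The query name, the
transaction ID and the 4096-byte EDNS buffer size are assumptions."""
import struct

RD_FLAG = 0x0100   # Recursion Desired, in the 16-bit header flags
AD_FLAG = 0x0020   # Authentic Data, in the 16-bit header flags
DO_BIT = 0x8000    # DNSSEC OK, in the "TTL" field of the OPT pseudo-RR
TYPE_OPT = 41


def encode_name(name: str) -> bytes:
    """Wire-encode a dotted name as length-prefixed labels plus a root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234,
                do: bool = False, ad: bool = False) -> bytes:
    """Build a single-question query; do/ad mirror dig's +dnssec/+adflag."""
    flags = RD_FLAG | (AD_FLAG if ad else 0)
    arcount = 1 if do else 0                      # the OPT RR lives in ADDITIONAL
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # QCLASS IN
    opt = b""
    if do:
        # OPT pseudo-RR: root name, TYPE 41, CLASS = UDP payload size (assumed
        # 4096), "TTL" = ext-rcode(8) | version(8) | flags(16) with DO, RDLEN 0.
        opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, DO_BIT, 0)
    return header + question + opt


def skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def inspect_query(pkt: bytes) -> dict:
    """Report the AD header flag and the EDNS DO bit of a query packet.

    'wants_validation' follows the rule the thread describes for
    dnssec=process: the recursor validates when either bit is set.
    """
    _txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", pkt, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4            # skip QTYPE + QCLASS
    do = False
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        if rtype == TYPE_OPT:
            do = bool(ttl & DO_BIT)              # EDNS flags sit in the TTL field
        off += 10 + rdlen
    ad = bool(flags & AD_FLAG)
    return {"ad": ad, "do": do, "wants_validation": ad or do}


if __name__ == "__main__":
    # Constructed inputs: the two client behaviours from the trace comparison.
    for label, pkt in [("dig (DO + AD set)", build_query("cape-epic.com", do=True, ad=True)),
                       ("dig +nodnssec +noadflag", build_query("cape-epic.com"))]:
        print("%-26s %s" % (label, inspect_query(pkt)))
```

Feeding the packets from `build_query` to `inspect_query` shows why the second trace ends in "validation status is Indeterminate": with neither DO nor AD set there is nothing in the query that asks the recursor to validate, and dnssec=process leaves the answer unvalidated while dnssec=off would do so regardless of the flags.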
