[Pdns-users] PowerDNS recursor v4.0.9 gives dnssec validation bogus for this one domain, other sources says its fine

Remi Gacogne remi.gacogne at powerdns.com
Mon Nov 26 08:59:28 UTC 2018


Hi Pekka,

On 11/26/18 9:53 AM, Pekka Panula wrote:
> I have problem with this one domain where our PoweDNS recursors says its
> bogus and gives SERVFAIL.
> 
> When i am testing it and validating it using eg.
> https://dnssec-debugger.verisignlabs.com/ or http://dnsviz.net/ they say
> it’s ok, also Google and CloudFlare gives answers ok.
> 
> I did enabled powerdns domain trace for this domain, results are here:
> https://gist.github.com/ppanula/00f2fe4de7d12dbb7899dc02ea505a18
> 
> I’m not sure why PowerDNS recursors validation says bogus, pls help.
> 
> Also I have tested our PowerDNS recursors for other known DNSSEC domains
> and it gives OK answers.

Would you consider upgrading to the 4.1.x branch, currently 4.1.7?
DNSSEC validation in 4.0.x was marked as experimental and it's unlikely
that we will fix it.

I just tested and grimaldi.napoli.it is correctly resolved as insecure
on recent versions.

Best regards,
-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20181126/02dceb89/attachment.sig>


More information about the Pdns-users mailing list