[Pdns-users] pdns_recursor suddenly decided ALL dnssec queries were bogus

Nick Williams nicholas at nicholaswilliams.net
Fri Oct 12 02:20:43 UTC 2018

I’ve been running a pdns_recursor install for a little over 11 months now, and I had about 9 months’ uptime on the machine running it. Tonight, suddenly, without my making any changes, ALL DNS queries through the recursor started returning SERVFAIL. I spent the better part of an hour diagnosing it. Finally, on a hunch, I enabled "dnssec-log-bogus=yes", and voila. Every. Single. Request. Every domain. From Google to Facebook to Microsoft. EVERYTHING was “Bogus.” (Important reminder here: I didn’t make ANY changes.)

The only way I was able to get DNS working again was to change the dnssec setting to "dnssec=process-no-validate". But I sure don’t feel really good about that.

Anyone have any clue what happened? Did the world break or something?


Here’s some diag info for whatever it’s worth:

Oct 11 21:19:51 PowerDNS Recursor 4.0.4 (C) 2001-2016 PowerDNS.COM BV
Oct 11 21:19:51 Using 32-bits mode. Built using gcc 4.9.2.
Oct 11 21:19:51 PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
Oct 11 21:19:51 Features: openssl lua 
Oct 11 21:19:51 Configured with: " '--build=arm-linux-gnueabihf' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules' '--libdir=${prefix}/lib/arm-linux-gnueabihf' '--libexecdir=${prefix}/lib/arm-linux-gnueabihf' '--disable-maintainer-mode' '--disable-dependency-tracking' '--sysconfdir=/etc/powerdns' '--enable-reproducible' '--with-lua' '--with-protobuf=yes' '--enable-systemd' '--with-systemd=/lib/systemd/system' 'build_alias=arm-linux-gnueabihf' 'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security' 'LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now -latomic' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -DPACKAGEVERSION='\''"4.0.4-1~bpo8+1.Debian"'\'''"
