[Pdns-users] DKIM NXDOMAIN
Gert van Dijk
gertvdijk+pdns-users at gmail.com
Mon Apr 15 11:40:40 UTC 2019
On Mon, Apr 15, 2019 at 1:17 PM Bart Mortelmans <powerdns at bart.bim.be> wrote:
> It seems like this doesn't cause any problems in the real world, only in a
> test like the one on internet.nl. But as far as I can tell, it's not okay
> with RFC8020.
Very interesting read, thanks. I was looking for such a rule in other RFCs
while writing a reply to Steffan, but it appears to be in a separate RFC on
its own. :-)
The important take from that RFC seems to be:
> Since the domain names are organized in
> a tree, it is a simple consequence of the tree structure:
> nonexistence of a node implies nonexistence of the entire subtree
> rooted at this node.
FWIW, PowerDNS does not state that it is compliant with that RFC. :-(
However, it is mentioned on the Hello DNS explanatory pages.
> And I tested some other nameservers (Google cloud DNS, Dyn.com and Yadifa
> happened to be easy to test for me) and I can confirm that they all do
> return "NOERROR" instead of "NXDOMAIN" if a sub-host exists.
> The situation still seems to be the same in the upcoming PowerDNS 4.2 with
> MySQL backend (I didn't test other backends)
I'm running PowerDNS Authoritative 4.2.0-rc1 with the BIND Backend and it
responds as it should, without having any RR on name '_domainkey' for the
zone! The domain passes the test just fine.
Perhaps this is specific to the backend?
> The only solution to this "problem" (or to get through the test...) I have
> found was to create any other record type on _domainkey (obviously not
> CNAME or NS, but any other record type should be okay).
@Steffan: What version of PowerDNS & backend are you using?
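
Added example (not part of the original message and not PowerDNS code): the tree rule quoted above from RFC 8020, applied to decide the expected RCODE for a name, plus a check that flags an NXDOMAIN returned for a name that still has existing descendants. The zone contents, observed responses and function names are constructed for illustration; wildcards and delegations are ignored.

```python
# Constructed sample zone: '_domainkey' owns no records itself, but a DKIM
# selector exists below it, which makes '_domainkey' an empty non-terminal.
APEX = "example.com"
ZONE = ["example.com", "www.example.com", "selector1._domainkey.example.com"]

# Constructed sample of RCODEs observed from an authoritative server.
OBSERVED = {
    "_domainkey.example.com": "NXDOMAIN",
    "nothing.example.com": "NXDOMAIN",
    "www.example.com": "NOERROR",
}

def _labels(name):
    """Lower-case a DNS name and split it into labels, dropping the root dot."""
    return tuple(name.lower().rstrip(".").split("."))

def expected_rcode(qname, zone_apex, owner_names):
    """Return (rcode, kind) for qname, given the names that own records."""
    with_data = {_labels(n) for n in owner_names}
    # Every suffix of an owner name is a node in the tree, even when that
    # node holds no records of its own.
    all_nodes = {l[i:] for l in with_data for i in range(len(l))}
    q, apex = _labels(qname), _labels(zone_apex)
    if q[-len(apex):] != apex:
        raise ValueError("qname is outside the zone")
    if q in with_data:
        return "NOERROR", "data"
    if q in all_nodes:
        return "NOERROR", "empty non-terminal"  # NODATA: names exist below
    return "NXDOMAIN", "no such name"           # nothing here, nothing below

def find_violations(observed, zone_apex, owner_names):
    """Names answered with NXDOMAIN although the tree rule requires NOERROR."""
    bad = []
    for name, rcode in observed.items():
        expected, _ = expected_rcode(name, zone_apex, owner_names)
        if rcode == "NXDOMAIN" and expected == "NOERROR":
            bad.append(name)
    return sorted(bad)

if __name__ == "__main__":
    for name in OBSERVED:
        print(name, expected_rcode(name, APEX, ZONE))
    print("violations:", find_violations(OBSERVED, APEX, ZONE))
```
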