[Pdns-users] DKIM NXDOMAIN

Gert van Dijk gertvdijk+pdns-users at gmail.com
Mon Apr 15 11:40:40 UTC 2019

On Mon, Apr 15, 2019 at 1:17 PM Bart Mortelmans <powerdns at bart.bim.be>

> It seems like this doesn't cause any problems in the real world, only in a
> test like the one on internet.nl. But as far as I can tell, it's not okay
> with RFC8020.

Very interesting read, thanks. I was looking for such a rule in other RFCs
while writing a reply to Steffan, but it appears to be in a separate RFC on
its own. :-)
The important take from that RFC seems to be:

> Since the domain names are organized in
> a tree, it is a simple consequence of the tree structure:
> nonexistence of a node implies nonexistence of the entire subtree
> rooted at this node.

FWIW, PowerDNS is not stating to be compliant with that RFC. [1] :-(
However, it is mentioned on the Hello DNS explanatory pages. [2]

[1]: https://www.powerdns.com/compliance.html

> And I tested some other nameservers (Google cloud DNS, Dyn.com and Yadifa
> happened to be easy to test for me) and I can confirm that they all do
> return "NOERROR" instead of "NXDOMAIN" if a sub-host exists.
> The situation still seems to be the same in the upcoming PowerDNS 4.2 with
> MySQL backend (I didn't test other backends)

I'm running PowerDNS Authoritative 4.2.0-rc1 with the BIND Backend and it
responds as it should, without having any RR on name '_domainkey' for the
zone! The domain passes the test just fine.
Perhaps this is specific to the backend?

> The only solution to this "problem" (or to get through the test...) I have
> found was to create any other record type on _domainkey (obviously not
> CNAME or NS, but any other record type should be okay).

Hmm, meh.

@Steffan: What version of PowerDNS & backend are you using?
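
The RFC 8020 rule quoted above, worked through as an added example that is not part of the original message and is not PowerDNS code: a simplified RCODE decision for a zone where only a selector record exists below `_domainkey`, plus a check that flags an NXDOMAIN contradicted by an existing name beneath it. The zone `example.com`, the selector name and all function names are constructed for illustration.

```python
# Added example (constructed data): RCODE selection with empty non-terminals.
# Simplified: no wildcards, CNAMEs, delegations or DNSSEC denial proofs.

def labels(name):
    """Lowercased labels of a domain name, trailing dot ignored."""
    return tuple(l for l in name.lower().rstrip(".").split(".") if l)

def build_nodes(zone, records):
    """Map owner -> set of types, plus the set of empty non-terminals."""
    apex = labels(zone)
    owners = {}
    for owner, rtype in records:
        owners.setdefault(labels(owner), set()).add(rtype.upper())
    ents = set()
    for owner in owners:
        # Every name between an owner and the apex exists as a tree node.
        for i in range(1, len(owner) - len(apex)):
            if owner[i:] not in owners:
                ents.add(owner[i:])
    return owners, ents

def answer_rcode(zone, records, qname, qtype):
    """Return (rcode, has_answer) for a query inside the zone."""
    owners, ents = build_nodes(zone, records)
    q = labels(qname)
    if q in owners:
        return ("NOERROR", qtype.upper() in owners[q])
    if q in ents:
        return ("NOERROR", False)   # NODATA: node exists, holds no records
    return ("NXDOMAIN", False)

def nxdomain_contradictions(observed):
    """Names answered NXDOMAIN although a name below them was answered NOERROR."""
    bad = []
    for name, rc in observed.items():
        if rc != "NXDOMAIN":
            continue
        n = labels(name)
        for other, orc in observed.items():
            o = labels(other)
            if orc == "NOERROR" and len(o) > len(n) and o[-len(n):] == n:
                bad.append(name)
                break
    return bad

ZONE = "example.com"
RECORDS = [("example.com", "SOA"), ("example.com", "NS"),
           ("selector1._domainkey.example.com", "TXT")]  # constructed sample
```

A resolver that applies RFC 8020 may treat a cached NXDOMAIN for `_domainkey` as covering every selector name below it, which is why the contradiction check matters for DKIM key lookups.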
