[Pdns-users] DKIM NXDOMAIN
Peter van Dijk
peter.van.dijk at powerdns.com
Mon Apr 15 11:49:17 UTC 2019
On 15 Apr 2019, at 13:40, Gert van Dijk wrote:
> On Mon, Apr 15, 2019 at 1:17 PM Bart Mortelmans <powerdns at bart.bim.be>
> wrote:
>
>> It seems like this doesn't cause any problems in the real world, only
>> in a
>> test like the one on internet.nl. But as far as I can tell, it's not
>> okay
>> with RFC8020.
It will break DNSSEC for any names under the NXDOMAIN.
> Very interesting read, thanks. I was looking for such a rule in other
> RFCs
> while writing a reply to Steffan, but it appears to be in a separate
> RFC on
> its own. :-)
8020 makes explicit what was implicit already - if there is something
below a name, the name itself should exist as well.
> FWIW, PowerDNS is not stating to be compliant with that RFC. [1] :-(
The auth is compliant with the behaviour required by the RFC. The
recursor does not implement 8020. I’ll update the page.
> I'm running PowerDNS Authoritative 4.2.0-rc1 with the BIND Backend and
> it
> responds as it should, without having any RR on name '_domainkey' for
> the
> zone! The domain passes the test just fine.
> Perhaps this is specific to the backend?
Yes. In the bindbackend, this is automatic. With database backends, a
NULL record needs to be inserted. pdnsutil rectify-zone will do this for
you.
Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
More information about the Pdns-users
mailing list