[Pdns-users] DKIM NXDOMAIN

Peter van Dijk peter.van.dijk at powerdns.com
Mon Apr 15 11:49:17 UTC 2019


On 15 Apr 2019, at 13:40, Gert van Dijk wrote:

> On Mon, Apr 15, 2019 at 1:17 PM Bart Mortelmans <powerdns at bart.bim.be> wrote:
>
>> It seems like this doesn't cause any problems in the real world, only in a
>> test like the one on internet.nl. But as far as I can tell, it's not okay
>> with RFC8020.

It will break DNSSEC for any names under the NXDOMAIN.

> Very interesting read, thanks. I was looking for such a rule in other RFCs
> while writing a reply to Steffan, but it appears to be in a separate RFC on
> its own. :-)

8020 makes explicit what was implicit already - if there is something 
below a name, the name itself should exist as well.

> FWIW, PowerDNS is not stating to be compliant with that RFC. [1] :-(

The auth is compliant with the behaviour required by the RFC. The 
recursor does not implement 8020. I’ll update the page.

> I'm running PowerDNS Authoritative 4.2.0-rc1 with the BIND Backend and it
> responds as it should, without having any RR on name '_domainkey' for the
> zone! The domain passes the test just fine.
> Perhaps this is specific to the backend?

Yes. In the bindbackend, this is automatic. With database backends, a 
NULL record needs to be inserted. pdnsutil rectify-zone will do this for 
you.

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
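
Added example (not part of the original message and not PowerDNS code): a Python sketch that lists the empty non-terminals of a zone, such as '_domainkey', and reports which ones still lack a placeholder row, which is the condition that produces the NXDOMAIN discussed above. The function names, the (name, type) row model with None standing in for the NULL record, and the sample zone are all assumptions made for illustration.

```python
# Added illustration, not PowerDNS code. Rows are (owner name, type) pairs;
# type None stands in for the placeholder row the message calls a NULL record.

def normalize(name):
    """Lower-case a DNS name and drop the trailing dot."""
    return name.rstrip(".").lower()


def empty_non_terminals(zone, owner_names):
    """Names that own no records but have record-owning names below them."""
    apex = normalize(zone)
    owners = {normalize(n) for n in owner_names}
    ents = set()
    for owner in owners:
        if not owner.endswith("." + apex):
            continue  # the apex itself, or an out-of-zone name
        parent = owner.split(".", 1)[1]
        while parent != apex:  # walk up one label at a time
            if parent not in owners:
                ents.add(parent)
            parent = parent.split(".", 1)[1]
    return sorted(ents)


def missing_placeholders(zone, rows):
    """Empty non-terminals that have no placeholder row yet."""
    owners = [name for name, rtype in rows if rtype is not None]
    present = {normalize(name) for name, rtype in rows if rtype is None}
    return [n for n in empty_non_terminals(zone, owners) if n not in present]


def expected_rcode(zone, rows, qname):
    """NOERROR if the name exists in the RFC 8020 sense, else NXDOMAIN.
    Simplified model: no wildcards, delegations or CNAMEs."""
    q = normalize(qname)
    owners = {normalize(name) for name, rtype in rows if rtype is not None}
    ents = empty_non_terminals(zone, owners)
    exists = q == normalize(zone) or q in owners or q in ents
    return "NOERROR" if exists else "NXDOMAIN"


# Constructed sample zone, for illustration only.
ZONE = "example.com"
ROWS = [("example.com", "SOA"), ("www.example.com", "A"),
        ("selector1._domainkey.example.com", "TXT"),
        ("_sip._tcp.example.com", "SRV")]

if __name__ == "__main__":
    print("missing placeholder rows:", missing_placeholders(ZONE, ROWS))
```

A query for any name the first function returns should be answered NOERROR with an empty answer section; an NXDOMAIN there means the placeholder row is missing.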

