[Pdns-users] Problem with DNSSEC from bind to powerdns

abubin abubin at gmail.com
Thu Apr 18 08:23:43 UTC 2019


I have just installed pdns and pdns-recursor on a server in secondary site.
The primary site is using CentOS 7 bind to host private DNS.

I am trying to create a forwarding DNS from bind to pdns in primary site.
For example, when I query the primary DNS (, it will forward
certain domains to secondary DNS.

The zone file for bind have this:

zone "myown.com" IN {
        type forward;
        forward only;
        forwarders {; };

However, due to DNSSEC it is not resolving the zone. It will work if I
disable DNSSEC in bind. I have already enable DNSSEC for myown.com in pdns
but it still giving error from bind.

Apr 18 16:15:50 kdns named[25128]: validating www.myown.com/A: no valid
signature found
Apr 18 16:15:50 kdns named[25128]: validating www.myown.com/A: bad cache
hit (www.myown.com/DS)
Apr 18 16:15:50 kdns named[25128]: broken trust chain resolving '

I am stumped on how to resolve this. Been searching online for whole day
already but unable to find solution.

If I disable the DNS in BIND;

dnssec-enable no;
dnssec-validation no;

It will work.

nslookup www.myown.com localhost
Server:         localhost

Non-authoritative answer:
Name:   www.myown.com

Would highly appreciate any help or suggestions.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20190418/90cf3e3e/attachment.html>

More information about the Pdns-users mailing list