[Pdns-users] Problem with DNSSEC from bind to powerdns

abubin abubin at gmail.com
Thu Apr 18 09:18:21 UTC 2019


I have looked into Bind's negative trust anchor implementation. Seems like
in Bind, this option cannot be specified to more than 1 week. After 1 week
the negative trust will be removed.

https://ftp.isc.org/isc/bind/9.11.0a1/doc/arm/man.rndc.html
nta [( -d | -f | -r | -l duration)] domain [view]

Sets a DNSSEC negative trust anchor (NTA) for domain, with a lifetime of
duration. The default lifetime is configured in named.conf via the
nta-lifetime option, and defaults to one hour. The lifetime cannot exceed
one week.

A negative trust anchor selectively disables DNSSEC validation for zones
that are known to be failing because of misconfiguration rather than an
attack. When data to be validated is at or below an active NTA (and above
any other configured trust anchors), named will abort the DNSSEC
validation process and treat the data as insecure rather than bogus. This
continues until the NTA's lifetime is elapsed.

NTAs persist across restarts of the named server. The NTAs for a view are
saved in a file called name.nta, where name is the name of the view, or
if it contains characters that are incompatible with use as a file name, a
cryptographic hash generated from the name of the view.

An existing NTA can be removed by using the -remove option.

An NTA's lifetime can be specified with the -lifetime option. TTL-style
suffixes can be used to specify the lifetime in seconds, minutes, or hours.
If the specified NTA already exists, its lifetime will be updated to the
new value. Setting lifetime to zero is equivalent to -remove.

If -dump is used, any other arguments are ignored, and a list of existing
NTAs is printed (note that this may include NTAs that are expired but have
not yet been cleaned up).

Normally, named will periodically test to see whether data below an NTA
can now be validated (see the nta-recheck option in the Administrator
Reference Manual for details). If data can be validated, then the NTA is
regarded as no longer necessary, and will be allowed to expire early. The
-force overrides this behavior and forces an NTA to persist for its entire
lifetime, regardless of whether data could be validated if the NTA were not
present.

All of these options can be shortened, i.e., to -l, -r, -d, and -f.

Is there a "correct" way of implementing this "trust" between the servers?
DNSSEC keys sharing or something?

Thanks.

On Thu, Apr 18, 2019 at 4:35 PM Brian Candler <b.candler at pobox.com> wrote:

> On 18/04/2019 09:23, abubin wrote:
> > However, due to DNSSEC it is not resolving the zone. It will work if I
> > disable DNSSEC in bind.
>
> You need to create a Negative Trust Anchor in your recursor for the
> domain you are forwarding.
>
> If you were using powerdns recursor, the instructions are here:
>
> https://doc.powerdns.com/recursor/settings.html#forward-zones
>
> Since you're using a bind recursor, just google for "bind negative trust
> anchor".
>
>
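The lifetime rules quoted from the rndc manual above (TTL-style suffixes, a hard one-week ceiling, zero meaning remove, a one-hour default from nta-lifetime) are small enough to encode in a helper. This is an added example, not code from the original thread or from BIND; it assumes a bare number means seconds as in BIND TTL syntax, and it only builds the rndc argument list rather than executing it, so it runs without a named instance.

```python
import re

ONE_WEEK = 7 * 24 * 3600         # hard ceiling on an NTA lifetime in BIND
DEFAULT_NTA_LIFETIME = 3600      # nta-lifetime default in named.conf (one hour)

# TTL-style suffixes accepted for the lifetime; "" (bare number) is assumed
# to mean seconds, as in BIND's TTL syntax.
_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600}


def parse_lifetime(text):
    """Convert an NTA lifetime such as '90m', '2h' or '3600' into seconds."""
    match = re.fullmatch(r"\s*(\d+)\s*([smh]?)\s*", text.lower())
    if not match:
        raise ValueError(f"unrecognised NTA lifetime: {text!r}")
    return int(match.group(1)) * _UNITS[match.group(2)]


def plan_nta(domain, lifetime=None, view=None, force=False):
    """Validate a requested NTA and return ('add'|'remove', rndc argv).

    Enforces the rules from the rndc manual: the lifetime may not exceed one
    week, a lifetime of zero is equivalent to -remove, and no lifetime means
    the nta-lifetime default.  -force (-f) disables early expiry by nta-recheck.
    """
    seconds = DEFAULT_NTA_LIFETIME if lifetime is None else parse_lifetime(lifetime)
    if seconds > ONE_WEEK:
        raise ValueError(
            f"NTA lifetime {seconds}s exceeds the one-week maximum; "
            "fix the zone's DNSSEC rather than extending the NTA")
    argv = ["rndc", "nta"]
    if seconds == 0:
        action = "remove"          # lifetime 0 == -remove
        argv.append("-r")
    else:
        action = "add"
        if force:
            argv.append("-f")      # persist for the full lifetime
        argv += ["-l", f"{seconds}s"]
    argv.append(domain)
    if view:
        argv.append(view)
    return action, argv


if __name__ == "__main__":
    # Constructed sample call: a 90-minute NTA for a forwarded zone.
    print(" ".join(plan_nta("forwarded.example", "90m")[1]))
```

Because named re-checks validation and lets the NTA expire early unless -f is given, the planned lifetime is an upper bound; the NTA is a stopgap while the forwarded zone's signing is repaired.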