[Pdns-users] DNSSEC and SOA records

Nico CARTRON nicolas at ncartron.org
Mon Jul 22 08:10:01 UTC 2019


Hi Tamer,

On 21-Jul-2019 22:10 CEST, <tamerkc at gmail.com> wrote:

> Hello,
> 
> I have set up PowerDNS 4.2.0-rc2 through the CentOS 7 repository. Everything
> works fine except SOA replies in AUTHORITY SECTIONs with DNSSEC enabled. We
> are testing the domain through the well-known validator Internet.nl and it
> results in a BOGUS validation. They state that it's because test.nizari.nl
> is not returning SOA records in the AUTHORITY SECTION.

So the zone you're testing with is test.nizari.nl, right?
It seems there's no delegation for this zone, hence no SOA.

> The following works and returns a proper SOA answer:
> dig soa nizari.nl
> dig soa test.nizari.nl @ns1.nizari.nl
> dig soa test.nizari.nl @1.1.1.1
> dig soa test.nizari.nl @8.8.8.8 +cd
> 
> The following does not work and results in a SERVFAIL:
> dig soa test.nizari.nl
> dig soa test.nizari.nl @8.8.8.8
> 
> Is this normal behaviour or is there something wrong with my config? The
> nameservers run simply in a MySQL cluster.
> 
> pdns.conf:
> local-address=0.0.0.0
> local-ipv6=::
> local-port=5300
> launch=gmysql,geoip
> gmysql-host=
> gmysql-user=
> gmysql-dbname=
> gmysql-password=
> geoip-database-files
> loglevel=9
> enable-lua-records=yes
> edns-subnet-processing=yes
> log-dns-queries=yes
> gmysql-dnssec=yes
> disable-syslog=yes
> resolver=8.8.8.8,[2001:4860:4860::8888]

Also, why are you using the 'resolver' setting without 'expand-alias'?
This setting is not meant to specify the resolver to send recursive requests to,
but is related to the ALIAS records
(https://doc.powerdns.com/authoritative/guides/alias.html).

Cheers,

-- 
Nico

> If there is something wrong with my config, why does 1.1.1.1 work and
> 8.8.8.8 not?
> I see no errors in the logs and all other DNS related stuff is working.
> 
> DNSVIZ results are OK.
>
> Any help or tips can be of use, I have been debugging this for three days
> now. Thank you for reading!

