[Pdns-users] PDNS recursor dnssec settings

葉科貝 a23165beck at gmail.com
Tue Mar 5 06:25:56 UTC 2019


Hi!
I'm testing new version pdns-recursor-4.2.0-0.alpha1.1 .
I set dnssec use mod process.
When I query a record without ad or do flag, I receive the message "Answer to host.com.tw|A for 210.59.165.80:59977 validates as Bogus" .
Under the mode process, isn't this verification done?
Is my understanding wrong?

I am looking forward to your reply.
Best regards
Beck Yeh

Here is my query and trace message
query:
root at PC-24:~# dig  host.com.tw  @103.17.10.61 -p 5301

; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> host.com.tw @103.17.10.61 -p 5301
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53650
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;host.com.tw.                   IN      A

;; Query time: 31 msec
;; SERVER: 103.17.10.61#5301(103.17.10.61)
;; WHEN: Fri Feb 22 15:02:06 DST 2019
;; MSG SIZE  rcvd: 40

trace:
Feb 22 15:02:06 pdns pdns_recursor: 1 [2/1] question for 'host.com.tw|A' from 210.59.165.80:59977
Feb 22 15:02:06 pdns pdns_recursor: [2] host.com.tw: Wants DNSSEC processing, auth data in query for A
Feb 22 15:02:06 pdns pdns_recursor: [2] host.com.tw: Looking for CNAME cache hit of 'host.com.tw|CNAME'
Feb 22 15:02:06 pdns pdns_recursor: [2] host.com.tw: No CNAME cache hit of 'host.com.tw|CNAME' found
Feb 22 15:02:06 pdns pdns_recursor: [2] host.com.tw: No cache hit for 'host.com.tw|A', trying to find an appropriate NS record
Feb 22 15:02:06 pdns pdns_recursor: [2] : got TA for '.'
Feb 22 15:02:06 pdns pdns_recursor: [2] : setting cut state for . to Secure
Feb 22 15:02:06 pdns pdns_recursor: [2] : - Looking for a cut at tw
Feb 22 15:02:06 pdns pdns_recursor: [2] : no TA found for 'tw' among 1
Feb 22 15:02:06 pdns pdns_recursor: [2]   tw: Wants DNSSEC processing, auth data in query for DS
Feb 22 15:02:06 pdns pdns_recursor: [2]   tw: No cache hit for 'tw|DS', trying to find an appropriate NS record
Feb 22 15:02:06 pdns pdns_recursor: [2] : got status Secure for name tw (from .)
Feb 22 15:02:06 pdns pdns_recursor: [2]   tw: initial validation status for tw is Secure
Feb 22 15:02:06 pdns pdns_recursor: [2]   tw: Cache consultations done, have 1 NS to contact
Feb 22 15:02:06 pdns pdns_recursor: [2]   tw: Domain has hardcoded nameservers
Feb 22 15:02:06 pdns pdns_recursor: [2]   tw.: Nameservers: +168.95.1.1:53(0.00ms), +8.8.8.8:53(1.93ms), +8.8.4.4:53(3.75ms)
Feb 22 15:02:06 pdns pdns_recursor: [2]   tw: Resolved '.' NS (empty) to: 168.95.1.1, 8.8.8.8, 8.8.4.4
Feb 22 15:02:06 pdns pdns_recursor: [2]   tw: Trying IP 168.95.1.1:53, asking 'tw|DS'
Feb 22 15:02:06 pdns pdns_recursor: [2]   tw: Got 3 answers from (empty) (168.95.1.1), rcode=0 (No Error), aa=0, in 1ms
Feb 22 15:02:06 pdns pdns_recursor: [2]   tw: accept answer 'tw|DS|40792 8 2 a05db4b0deb971031361bb621e8bb1b8d7346665a3d1b06ec1431adb7d015ee9' from '.' nameservers? ttl=82724, place=1 YES! - This answer was received from a server we forward to.
Feb 22 15:02:06 pdns pdns_recursor: [2]   tw: accept answer 'tw|RRSIG|DS 8 1 86400 20190307050000 20190222040000 16749 . lTD7WoWovROn6vPEUOhUxYKIoFYY3BXHiEzJbRU11ugFa8PbTpSaUK2S3/61NoJviDBjLgDtcFg6Isp/kcOv+BmjNgM2xLBCVwtwh8juWALyk6Bwt4eJ6GsMeLNfKzr2rtudkXqOu2HkuSGpxZAHvnbeKjBx7VdhmuJ6S60D6uPri8+NrHAUmiCWhLM++XFi9LyV7uAjttwiIhkGo0r1YaLDRoOoOq8Ilq0epp2Yh35NFi8Ns6/USjl3MuhnP7pdYKOkSMBgoVNkxINON2Zz6aE7lkECTOsewcx1anR939RdGLANGxbjZhu94Gq6l3xlYUVGjY2iwaBD3R28uyvqEQ==' from '.' nameservers? ttl=80065, place=1 RRSIG - separate
Feb 22 15:02:06 pdns pdns_recursor: [2]   tw: OPT answer '.' from '.' nameservers
Feb 22 15:02:06 pdns pdns_recursor: [2] : got status Secure for name tw (from .)
Feb 22 15:02:06 pdns pdns_recursor: [2] : got initial zone status Secure for record tw|DS
Feb 22 15:02:06 pdns pdns_recursor: [2] Validating non-additional record for tw
Feb 22 15:02:06 pdns pdns_recursor: [2] Retrieving DNSKeys for .
Feb 22 15:02:06 pdns pdns_recursor: [2]    .: Wants DNSSEC processing, auth data in query for DNSKEY
Feb 22 15:02:06 pdns pdns_recursor: [2]    .: Found cache hit for DNSKEY: 256 3 8 AwEAAcH+axCdUOsTc9o+jmyVq5rsGTh1EcatSumPqEfsPBT+whyj0/UhD7cWeixV9Wqzj/cnqs8iWELqhdzGX41ZtaNQUfWNfOriASnWmX2D9m/EunplHu8nMSlDnDcT7+llE9tjk5HI1Sr7d9N16ZTIrbVALf65VB2ABbBG39dyAb7tz21PICJbSp2cd77UF7NFqEVkqohl/LkDw+7Apalmp0qAQT1Mgwi2cVxZMKUiciA6EqS+KNajf0A6olO2oEhZnGGY6b1LTg34/YfHdiIIZQqAfqbieruCGHRiSscC2ZE7iNreL/76f4JyIEUNkt6bQA29JsegxorLzQkpF7NKqZc=[ttl=86392] 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=[ttl=86392] 385 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=[ttl=86392]
Feb 22 15:02:06 pdns pdns_recursor: [2]    .: updating validation state with cache content for . to Secure
Feb 22 15:02:06 pdns pdns_recursor: [2] Retrieved 3 DNSKeys for ., state is Secure
Feb 22 15:02:06 pdns pdns_recursor: [2] Going to validate 1 record contents with 1 sigs and 3 keys for tw
Feb 22 15:02:06 pdns pdns_recursor: [2] Secure!
Feb 22 15:02:06 pdns pdns_recursor: [2]   tw: determining status after receiving this packet
Feb 22 15:02:06 pdns pdns_recursor: [2]   tw: answer is in: resolved to '40792 8 2 a05db4b0deb971031361bb621e8bb1b8d7346665a3d1b06ec1431adb7d015ee9|DS'
Feb 22 15:02:06 pdns pdns_recursor: [2]   tw: status=got results, this level of recursion done
Feb 22 15:02:06 pdns pdns_recursor: [2]   tw: validation status is Secure
Feb 22 15:02:06 pdns pdns_recursor: [2] : - Found cut at tw
Feb 22 15:02:06 pdns pdns_recursor: [2] : New state for tw is Secure
Feb 22 15:02:06 pdns pdns_recursor: [2] : - Looking for a cut at com.tw
Feb 22 15:02:06 pdns pdns_recursor: [2] : no TA found for 'com.tw' among 1
Feb 22 15:02:06 pdns pdns_recursor: [2]   com.tw: Wants DNSSEC processing, auth data in query for DS
Feb 22 15:02:06 pdns pdns_recursor: [2]   com.tw: No cache hit for 'com.tw|DS', trying to find an appropriate NS record
Feb 22 15:02:06 pdns pdns_recursor: [2] : got status Secure for name com.tw (from tw)
Feb 22 15:02:06 pdns pdns_recursor: [2]   com.tw: initial validation status for com.tw is Secure
Feb 22 15:02:06 pdns pdns_recursor: [2]   com.tw: Cache consultations done, have 1 NS to contact
Feb 22 15:02:06 pdns pdns_recursor: [2]   com.tw: Domain has hardcoded nameservers
Feb 22 15:02:06 pdns pdns_recursor: [2]   com.tw.: Nameservers: +168.95.1.1:53(1.85ms), +8.8.8.8:53(1.93ms), +8.8.4.4:53(3.75ms)
Feb 22 15:02:06 pdns pdns_recursor: [2]   com.tw: Resolved '.' NS (empty) to: 168.95.1.1, 8.8.8.8, 8.8.4.4
Feb 22 15:02:06 pdns pdns_recursor: [2]   com.tw: Trying IP 168.95.1.1:53, asking 'com.tw|DS'
Feb 22 15:02:06 pdns pdns_recursor: [2]   com.tw: Got 3 answers from (empty) (168.95.1.1), rcode=0 (No Error), aa=0, in 1ms
Feb 22 15:02:06 pdns pdns_recursor: [2]   com.tw: accept answer 'com.tw|DS|27301 8 2 2609ccd46428fca06f52f7e4488f329f494d9eb34aa60f632164e56094572555' from '.' nameservers? ttl=1996, place=1 YES! - This answer was received from a server we forward to.
Feb 22 15:02:06 pdns pdns_recursor: [2]   com.tw: accept answer 'com.tw|RRSIG|DS 8 2 3600 20190323200352 20190221200352 3984 tw. nEx8drGSbAyBx76vAMUPmcaNlzLCdL5hXAsDd+vYnNeQAuj7F5C+Y3ZXckqJerCRu6+sauguIHg38RD5ud+3EN369fnKv7tUHsuvXRa1458ywR/9lCrECaixG2OGTCaE9wbCEh48am2SULCFgaqkqNNyyuzDQ1G9u2fCzr7DY3s=' from '.' nameservers? ttl=1996, place=1 RRSIG - separate
Feb 22 15:02:06 pdns pdns_recursor: [2]   com.tw: OPT answer '.' from '.' nameservers
Feb 22 15:02:06 pdns pdns_recursor: [2] : got status Secure for name com.tw (from tw)
Feb 22 15:02:06 pdns pdns_recursor: [2] : got initial zone status Secure for record com.tw|DS
Feb 22 15:02:06 pdns pdns_recursor: [2] Validating non-additional record for com.tw
Feb 22 15:02:06 pdns pdns_recursor: [2] Retrieving DNSKeys for tw
Feb 22 15:02:06 pdns pdns_recursor: [2]    tw: Wants DNSSEC processing, auth data in query for DNSKEY
Feb 22 15:02:06 pdns pdns_recursor: [2]    tw: No cache hit for 'tw|DNSKEY', trying to find an appropriate NS record
Feb 22 15:02:06 pdns pdns_recursor: [2] : got status Secure for name tw (from tw)
Feb 22 15:02:06 pdns pdns_recursor: [2]    tw: initial validation status for tw is Secure
Feb 22 15:02:06 pdns pdns_recursor: [2]    tw: Cache consultations done, have 1 NS to contact
Feb 22 15:02:06 pdns pdns_recursor: [2]    tw: Domain has hardcoded nameservers
Feb 22 15:02:06 pdns pdns_recursor: [2]    tw.: Nameservers: +168.95.1.1:53(1.82ms), +8.8.8.8:53(1.93ms), +8.8.4.4:53(3.75ms)
Feb 22 15:02:06 pdns pdns_recursor: [2]    tw: Resolved '.' NS (empty) to: 168.95.1.1, 8.8.8.8, 8.8.4.4
Feb 22 15:02:06 pdns pdns_recursor: [2]    tw: Trying IP 168.95.1.1:53, asking 'tw|DNSKEY'
Feb 22 15:02:06 pdns pdns_recursor: [2]    tw: Got 6 answers from (empty) (168.95.1.1), rcode=0 (No Error), aa=0, in 1ms
Feb 22 15:02:06 pdns pdns_recursor: [2]    tw: accept answer 'tw|DNSKEY|257 3 8 AwEAAbqKQoLe6EipQMR3lmj8AhT3hCdndp9BXfQbpkUQFux1oGTnqGn224KC5Y/6TCV0kVufHeV6CTOolbEVhpQNrxc7uS+yDi/7Qg2tQHWJ0Yp5feDf8/BoV4bSdX4bCWYt2A0TplmkwG15aQaRx3cqxaMBSlaIfcj/+3tvZ016jBwL1YJtjAVttwFnwvPJKy9b256t/JFkvLrzX6rKA4Qkvc9JZdIRTDZ4CN5aww/nYwH018VUEo1DZOTkWPCd5toi5BcqZctXw/k+Pb8rT95pG0h3AP12Sl5BFxh4mvh7KKNZG6oykvqQtPVvGotaPkLSwwAspjzMR3UtkxCG8TW9J2c=' from '.' nameservers? ttl=799, place=1 YES! - This answer was received from a server we forward to.
Feb 22 15:02:06 pdns pdns_recursor: [2]    tw: accept answer 'tw|DNSKEY|256 3 8 AwEAAdfkWkg/gMwTvlxxidm6qWS+BAsnt9FewxrtpEqQkSAYyjKVHjj0Zvx967yIZ0QPUPbghCXERMDlCcRHAk36xpu5etcAJYzePmnMqRT4Tl4uBrAf7Ui/Haqn/oqn5BiNwSLWrNWogXFfYYqL5dCKCzxK9UNXuHqJLka+WxVnYfWv' from '.' nameservers? ttl=799, place=1 YES! - This answer was received from a server we forward to.
Feb 22 15:02:06 pdns pdns_recursor: [2]    tw: accept answer 'tw|DNSKEY|256 3 8 AwEAAeuu15yGn4KnrF6NmwR4PzJEIHmTy3WTiG74CsG/5Ig1kR8fLJyXc4q20upO0MN0kod/DJXgOalHe0dKxZaCxU5y1iO9T97oQB7eFLjM2rSvo543X5DDK7HNQfWK1JW/drbkmKI7zT8w45Wcawka/pWFh1PzxOYfwxqKJUkhbBW1' from '.' nameservers? ttl=799, place=1 YES! - This answer was received from a server we forward to.
Feb 22 15:02:06 pdns pdns_recursor: [2]    tw: accept answer 'tw|RRSIG|DNSKEY 8 1 900 20190323200352 20190221200352 3984 tw. VXQuTtYNkjQjI7dcb2fhZzI/qtP7rdzjuUgAEYL5W3GZHKDbJqu88O3RZ4WW92u/mRQeYbgqC6KowGhR+D+MXGhcwvJ9Aff0RjhtKhrt1cUh2rxAl1TliZOHOyUPpx67R9fLwAG0LHjUiYXn2kwbXGJWOrO5NB0NI3ENU9EUS6o=' from '.' nameservers? ttl=799, place=1 RRSIG - separate
Feb 22 15:02:06 pdns pdns_recursor: [2]    tw: accept answer 'tw|RRSIG|DNSKEY 8 1 900 20190323200352 20190221200352 40792 tw. TauxgYPHj65A4XP7eJUVdHI3snLf6lwrhVRCLkK0zS1JT6Iif1AAeIQ6AjupRIkaZ8hgOe6OjtNg8OSH5WMQSifdchSZ5BNR5tTIir5JDnepL/0+Kmaun344ZJZ/57kuOenfnnvYMaYjuOIZso3eHK8wlB4qIbEyUlh+H6mpGVJ7gqn5LiiwIXPcQ0BYzG4inqrmvGr/ltzCLz3on1U4pyxcyMbggr8cphCiCwvEhrGA9CPwnCyvz12O71P/gXT4CATyrLWctaTRHZMW1UmnnzpuiHYKgD4lFW+nGAHBd7jbfODjhMXjmMW0IHCOisPFuAS+2imaYwTf1fgnzgvfxQ==' from '.' nameservers? ttl=799, place=1 RRSIG - separate
Feb 22 15:02:06 pdns pdns_recursor: [2]    tw: OPT answer '.' from '.' nameservers
Feb 22 15:02:06 pdns pdns_recursor: [2] : got status Secure for name tw (from tw)
Feb 22 15:02:06 pdns pdns_recursor: [2] : got initial zone status Secure for record tw|DNSKEY
Feb 22 15:02:06 pdns pdns_recursor: [2] Validating DNSKEY for tw
Feb 22 15:02:06 pdns pdns_recursor: [2] : no TA found for 'tw' among 1
Feb 22 15:02:06 pdns pdns_recursor: [2]     tw: Wants DNSSEC processing, auth data in query for DS
Feb 22 15:02:06 pdns pdns_recursor: [2]     tw: Found cache hit for DS: 40792 8 2 a05db4b0deb971031361bb621e8bb1b8d7346665a3d1b06ec1431adb7d015ee9[ttl=80065]
Feb 22 15:02:06 pdns pdns_recursor: [2]     tw: updating validation state with cache content for tw to Secure
Feb 22 15:02:06 pdns pdns_recursor: [2] : trying to validate 3 DNSKEYs with 1 DS
Feb 22 15:02:06 pdns pdns_recursor: [2] : we now have 3 DNSKEYs
Feb 22 15:02:06 pdns pdns_recursor: [2]    tw: determining status after receiving this packet
Feb 22 15:02:06 pdns pdns_recursor: [2]    tw: answer is in: resolved to '257 3 8 AwEAAbqKQoLe6EipQMR3lmj8AhT3hCdndp9BXfQbpkUQFux1oGTnqGn224KC5Y/6TCV0kVufHeV6CTOolbEVhpQNrxc7uS+yDi/7Qg2tQHWJ0Yp5feDf8/BoV4bSdX4bCWYt2A0TplmkwG15aQaRx3cqxaMBSlaIfcj/+3tvZ016jBwL1YJtjAVttwFnwvPJKy9b256t/JFkvLrzX6rKA4Qkvc9JZdIRTDZ4CN5aww/nYwH018VUEo1DZOTkWPCd5toi5BcqZctXw/k+Pb8rT95pG0h3AP12Sl5BFxh4mvh7KKNZG6oykvqQtPVvGotaPkLSwwAspjzMR3UtkxCG8TW9J2c=|DNSKEY'
Feb 22 15:02:06 pdns pdns_recursor: [2]    tw: answer is in: resolved to '256 3 8 AwEAAdfkWkg/gMwTvlxxidm6qWS+BAsnt9FewxrtpEqQkSAYyjKVHjj0Zvx967yIZ0QPUPbghCXERMDlCcRHAk36xpu5etcAJYzePmnMqRT4Tl4uBrAf7Ui/Haqn/oqn5BiNwSLWrNWogXFfYYqL5dCKCzxK9UNXuHqJLka+WxVnYfWv|DNSKEY'
Feb 22 15:02:06 pdns pdns_recursor: [2]    tw: answer is in: resolved to '256 3 8 AwEAAeuu15yGn4KnrF6NmwR4PzJEIHmTy3WTiG74CsG/5Ig1kR8fLJyXc4q20upO0MN0kod/DJXgOalHe0dKxZaCxU5y1iO9T97oQB7eFLjM2rSvo543X5DDK7HNQfWK1JW/drbkmKI7zT8w45Wcawka/pWFh1PzxOYfwxqKJUkhbBW1|DNSKEY'
Feb 22 15:02:06 pdns pdns_recursor: [2]    tw: status=got results, this level of recursion done
Feb 22 15:02:06 pdns pdns_recursor: [2]    tw: validation status is Secure
Feb 22 15:02:06 pdns pdns_recursor: [2] Retrieved 3 DNSKeys for tw, state is Secure
Feb 22 15:02:06 pdns pdns_recursor: [2] Going to validate 1 record contents with 1 sigs and 3 keys for com.tw
Feb 22 15:02:06 pdns pdns_recursor: [2] Secure!
Feb 22 15:02:06 pdns pdns_recursor: [2]   com.tw: determining status after receiving this packet
Feb 22 15:02:06 pdns pdns_recursor: [2]   com.tw: answer is in: resolved to '27301 8 2 2609ccd46428fca06f52f7e4488f329f494d9eb34aa60f632164e56094572555|DS'
Feb 22 15:02:06 pdns pdns_recursor: [2]   com.tw: status=got results, this level of recursion done
Feb 22 15:02:06 pdns pdns_recursor: [2]   com.tw: validation status is Secure
Feb 22 15:02:06 pdns pdns_recursor: [2] : - Found cut at com.tw
Feb 22 15:02:06 pdns pdns_recursor: [2] : New state for com.tw is Secure
Feb 22 15:02:06 pdns pdns_recursor: [2] : - Looking for a cut at host.com.tw
Feb 22 15:02:06 pdns pdns_recursor: [2] : no TA found for 'host.com.tw' among 1
Feb 22 15:02:06 pdns pdns_recursor: [2]   host.com.tw: Wants DNSSEC processing, auth data in query for DS
Feb 22 15:02:06 pdns pdns_recursor: [2]   host.com.tw: No cache hit for 'host.com.tw|DS', trying to find an appropriate NS record
Feb 22 15:02:06 pdns pdns_recursor: [2] : got status Secure for name host.com.tw (from com.tw)
Feb 22 15:02:06 pdns pdns_recursor: [2]   host.com.tw: initial validation status for host.com.tw is Secure
Feb 22 15:02:06 pdns pdns_recursor: [2]   host.com.tw: Cache consultations done, have 1 NS to contact
Feb 22 15:02:06 pdns pdns_recursor: [2]   host.com.tw: Domain has hardcoded nameservers
Feb 22 15:02:06 pdns pdns_recursor: [2]   host.com.tw.: Nameservers: +168.95.1.1:53(1.85ms), +8.8.8.8:53(1.93ms), +8.8.4.4:53(3.75ms)
Feb 22 15:02:06 pdns pdns_recursor: [2]   host.com.tw: Resolved '.' NS (empty) to: 168.95.1.1, 8.8.8.8, 8.8.4.4
Feb 22 15:02:06 pdns pdns_recursor: [2]   host.com.tw: Trying IP 168.95.1.1:53, asking 'host.com.tw|DS'
Feb 22 15:02:06 pdns pdns_recursor: [2]   host.com.tw: (empty) (168.95.1.1) returned a ServFail, trying sibling IP or NS
Feb 22 15:02:06 pdns pdns_recursor: [2]   host.com.tw: Trying IP 8.8.8.8:53, asking 'host.com.tw|DS'
Feb 22 15:02:06 pdns pdns_recursor: [2]   host.com.tw: Got 5 answers from (empty) (8.8.8.8), rcode=0 (No Error), aa=0, in 7ms
Feb 22 15:02:06 pdns pdns_recursor: [2]   host.com.tw: accept answer '1COLL71DTTC8MTNUCJO7BH45HJ8SQMIF.com.tw|NSEC3|1 1 10 23411313 24TVGFEHEMFCUJ2DNJQFQAJ20LKI0M1N NS SOA RRSIG DNSKEY NSEC3PARAM' from '.' nameservers? ttl=899, place=2 YES! - This answer was received from a server we forward to.
Feb 22 15:02:06 pdns pdns_recursor: [2]   host.com.tw: accept answer '1COLL71DTTC8MTNUCJO7BH45HJ8SQMIF.com.tw|RRSIG|NSEC3 8 3 900 20190324040029 20190222040029 35688 com.tw. D3CmOqodDKFZyh905RBpmY1Og+Xka3slBtpn/e2vXHjg3tTzn5fPpcF96CEn9r2QH+n0pkQb01UFBiRRl6zYs91moK6W2Nshl5Kke2X0/ex74Qlkf1CSrPIJu85xxQSI2kYl+lo8Pzp16SrGfR0spugJuMbRdqFHA2KpJ45mL0A=' from '.' nameservers? ttl=899, place=2 RRSIG - separate
Feb 22 15:02:06 pdns pdns_recursor: [2]   host.com.tw: accept answer 'com.tw|SOA|a.twnic.net.tw. snw.twnic.net.tw. 2005679621 3600 900 604800 900' from '.' nameservers? ttl=899, place=2 YES! - This answer was received from a server we forward to.
Feb 22 15:02:06 pdns pdns_recursor: [2]   host.com.tw: accept answer 'com.tw|RRSIG|SOA 8 2 900 20190324062626 20190222052626 35688 com.tw. na1smYUQbO1HtMsov+cCT2Gm05N+5j6GGVJ5vuPeQNQdhvTNlOwZWwMYaBp91Vslj37tY3l03GKNucbk2yA8Wf5EGvcMfKgDfVZ9CGhtDAWDzmfnfDYnFw4utMDzf+YwLRIrNP1EFy2J6DWEZG/a6hKSmbzGF7YhU6Oc18m5vWM=' from '.' nameservers? ttl=899, place=2 RRSIG - separate
Feb 22 15:02:06 pdns pdns_recursor: [2]   host.com.tw: OPT answer '.' from '.' nameservers
Feb 22 15:02:06 pdns pdns_recursor: [2] : got status Secure for name com.tw (from com.tw)
Feb 22 15:02:06 pdns pdns_recursor: [2] : got initial zone status Secure for record com.tw|SOA
Feb 22 15:02:06 pdns pdns_recursor: [2] Validating non-additional record for com.tw
Feb 22 15:02:06 pdns pdns_recursor: [2] Retrieving DNSKeys for com.tw
Feb 22 15:02:06 pdns pdns_recursor: [2]    com.tw: Wants DNSSEC processing, auth data in query for DNSKEY
Feb 22 15:02:06 pdns pdns_recursor: [2]    com.tw: No cache hit for 'com.tw|DNSKEY', trying to find an appropriate NS record
Feb 22 15:02:06 pdns pdns_recursor: [2] : got status Secure for name com.tw (from com.tw)
Feb 22 15:02:06 pdns pdns_recursor: [2]    com.tw: initial validation status for com.tw is Secure
Feb 22 15:02:06 pdns pdns_recursor: [2]    com.tw: Cache consultations done, have 1 NS to contact
Feb 22 15:02:06 pdns pdns_recursor: [2]    com.tw: Domain has hardcoded nameservers
Feb 22 15:02:06 pdns pdns_recursor: [2]    com.tw.: Nameservers: +168.95.1.1:53(1.85ms), +8.8.4.4:53(3.75ms), +8.8.8.8:53(7.88ms)
Feb 22 15:02:06 pdns pdns_recursor: [2]    com.tw: Resolved '.' NS (empty) to: 168.95.1.1, 8.8.4.4, 8.8.8.8
Feb 22 15:02:06 pdns pdns_recursor: [2]    com.tw: Trying IP 168.95.1.1:53, asking 'com.tw|DNSKEY'
Feb 22 15:02:06 pdns pdns_recursor: [2]    com.tw: Got 4 answers from (empty) (168.95.1.1), rcode=0 (No Error), aa=0, in 2ms
Feb 22 15:02:06 pdns pdns_recursor: [2]    com.tw: accept answer 'com.tw|DNSKEY|256 3 8 AwEAAbLjjXxea1vg0Uy6kS3oswfx/SXvMFHnFea1yS6m9W3AYqO8FSeEceYk0qgNP5UfQk/AIbETdE6mXkLmbhRJ1agoGrtd9DN1o+8tiJtNay0syhZVS2C8MGeuok4tKDqFoUfn/XcD9voSGwVUfqrZnuLMWsCcyIkMFmQK6rqDHXfn' from '.' nameservers? ttl=900, place=1 YES! - This answer was received from a server we forward to.
Feb 22 15:02:06 pdns pdns_recursor: [2]    com.tw: accept answer 'com.tw|DNSKEY|257 3 8 AwEAAdAbPDWze/QD9LDIQSluNK3beJ3ILMg2amws0NJWapkzDE+TAc3VibXpMMxvgkhXePMrJZXEYIuCDr3SPjdqXJ0rWdXny1ac78dUSG6UYW8o6ltS4YFLA81XFSK2H64GA3U2+OAsNlZ2FsEWZhPlD2DEeGj+Cus01LB8XG9JazCpG5V65kUja1GADMbxmWnFESylpcj1bugpZjYJU2nBDtTkgUScHENNcQmmIpLjdWyNEYrdxAXhpdCRxMygMcHoSsSX89kDk7x9TDl/zgY6fjUstJ/lubv/CIElk4RL6Eg/ve9k1GI0tRn8HGYfKNovCdQMO1dIHvy1RjJU85kL+OE=' from '.' nameservers? ttl=900, place=1 YES! - This answer was received from a server we forward to.
Feb 22 15:02:06 pdns pdns_recursor: [2]    com.tw: accept answer 'com.tw|DNSKEY|256 3 8 AwEAAeOWJqzM/ezqUez9FrKvBzjLwQhsXM1yjhehtqXh+LiIYHoT8maHsTUseZHaPkJZ7rw7JS3Py4s8h5w3usOHumivzZkXWXMiEeH7N28IOpeTD7YhxiIh9DAh7sPKPJ+p9eRbmSckVGFJOCk1AkD3/3C8gKy8Dtfj3O7Md2sGo9+1' from '.' nameservers? ttl=900, place=1 YES! - This answer was received from a server we forward to.
Feb 22 15:02:06 pdns pdns_recursor: [2]    com.tw: OPT answer '.' from '.' nameservers
Feb 22 15:02:06 pdns pdns_recursor: [2] : got status Secure for name com.tw (from com.tw)
Feb 22 15:02:06 pdns pdns_recursor: [2] : got initial zone status Secure for record com.tw|DNSKEY
Feb 22 15:02:06 pdns pdns_recursor: [2] Validating DNSKEY for com.tw
Feb 22 15:02:06 pdns pdns_recursor: [2] : trying to validate 3 DNSKEYs with 0 DS
Feb 22 15:02:06 pdns pdns_recursor: [2] : we now have 0 DNSKEYs
Feb 22 15:02:06 pdns pdns_recursor: [2] : returning Bogus state from validateDNSKeys(com.tw)
Feb 22 15:02:06 pdns pdns_recursor: [2] validation state was Secure, state update is Bogus, validation state is now Bogus
Feb 22 15:02:06 pdns pdns_recursor: [2]    com.tw: determining status after receiving this packet
Feb 22 15:02:06 pdns pdns_recursor: [2]    com.tw: answer is in: resolved to '256 3 8 AwEAAbLjjXxea1vg0Uy6kS3oswfx/SXvMFHnFea1yS6m9W3AYqO8FSeEceYk0qgNP5UfQk/AIbETdE6mXkLmbhRJ1agoGrtd9DN1o+8tiJtNay0syhZVS2C8MGeuok4tKDqFoUfn/XcD9voSGwVUfqrZnuLMWsCcyIkMFmQK6rqDHXfn|DNSKEY'
Feb 22 15:02:06 pdns pdns_recursor: [2]    com.tw: answer is in: resolved to '257 3 8 AwEAAdAbPDWze/QD9LDIQSluNK3beJ3ILMg2amws0NJWapkzDE+TAc3VibXpMMxvgkhXePMrJZXEYIuCDr3SPjdqXJ0rWdXny1ac78dUSG6UYW8o6ltS4YFLA81XFSK2H64GA3U2+OAsNlZ2FsEWZhPlD2DEeGj+Cus01LB8XG9JazCpG5V65kUja1GADMbxmWnFESylpcj1bugpZjYJU2nBDtTkgUScHENNcQmmIpLjdWyNEYrdxAXhpdCRxMygMcHoSsSX89kDk7x9TDl/zgY6fjUstJ/lubv/CIElk4RL6Eg/ve9k1GI0tRn8HGYfKNovCdQMO1dIHvy1RjJU85kL+OE=|DNSKEY'
Feb 22 15:02:06 pdns pdns_recursor: [2]    com.tw: answer is in: resolved to '256 3 8 AwEAAeOWJqzM/ezqUez9FrKvBzjLwQhsXM1yjhehtqXh+LiIYHoT8maHsTUseZHaPkJZ7rw7JS3Py4s8h5w3usOHumivzZkXWXMiEeH7N28IOpeTD7YhxiIh9DAh7sPKPJ+p9eRbmSckVGFJOCk1AkD3/3C8gKy8Dtfj3O7Md2sGo9+1|DNSKEY'
Feb 22 15:02:06 pdns pdns_recursor: [2]    com.tw: status=got results, this level of recursion done
Feb 22 15:02:06 pdns pdns_recursor: [2]    com.tw: validation status is Bogus
Feb 22 15:02:06 pdns pdns_recursor: [2] Retrieved 0 DNSKeys for com.tw, state is Bogus
Feb 22 15:02:06 pdns pdns_recursor: [2] validation state was Secure, state update is Bogus, validation state is now Bogus
Feb 22 15:02:06 pdns pdns_recursor: [2] : got status Secure for name 1COLL71DTTC8MTNUCJO7BH45HJ8SQMIF.com.tw (from com.tw)
Feb 22 15:02:06 pdns pdns_recursor: [2] : got initial zone status Secure for record 1COLL71DTTC8MTNUCJO7BH45HJ8SQMIF.com.tw|NSEC3
Feb 22 15:02:06 pdns pdns_recursor: [2] Validating non-additional record for 1COLL71DTTC8MTNUCJO7BH45HJ8SQMIF.com.tw
Feb 22 15:02:06 pdns pdns_recursor: [2] Retrieving DNSKeys for com.tw
Feb 22 15:02:06 pdns pdns_recursor: [2]    com.tw: Wants DNSSEC processing, auth data in query for DNSKEY
Feb 22 15:02:06 pdns pdns_recursor: [2]    com.tw: Found cache hit for DNSKEY: 256 3 8 AwEAAbLjjXxea1vg0Uy6kS3oswfx/SXvMFHnFea1yS6m9W3AYqO8FSeEceYk0qgNP5UfQk/AIbETdE6mXkLmbhRJ1agoGrtd9DN1o+8tiJtNay0syhZVS2C8MGeuok4tKDqFoUfn/XcD9voSGwVUfqrZnuLMWsCcyIkMFmQK6rqDHXfn[ttl=900] 257 3 8 AwEAAdAbPDWze/QD9LDIQSluNK3beJ3ILMg2amws0NJWapkzDE+TAc3VibXpMMxvgkhXePMrJZXEYIuCDr3SPjdqXJ0rWdXny1ac78dUSG6UYW8o6ltS4YFLA81XFSK2H64GA3U2+OAsNlZ2FsEWZhPlD2DEeGj+Cus01LB8XG9JazCpG5V65kUja1GADMbxmWnFESylpcj1bugpZjYJU2nBDtTkgUScHENNcQmmIpLjdWyNEYrdxAXhpdCRxMygMcHoSsSX89kDk7x9TDl/zgY6fjUstJ/lubv/CIElk4RL6Eg/ve9k1GI0tRn8HGYfKNovCdQMO1dIHvy1RjJU85kL+OE=[ttl=900] 256 3 8 AwEAAeOWJqzM/ezqUez9FrKvBzjLwQhsXM1yjhehtqXh+LiIYHoT8maHsTUseZHaPkJZ7rw7JS3Py4s8h5w3usOHumivzZkXWXMiEeH7N28IOpeTD7YhxiIh9DAh7sPKPJ+p9eRbmSckVGFJOCk1AkD3/3C8gKy8Dtfj3O7Md2sGo9+1[ttl=900]
Feb 22 15:02:06 pdns pdns_recursor: [2]    com.tw: updating validation state with cache content for com.tw to Bogus
Feb 22 15:02:06 pdns pdns_recursor: [2] Retrieved 0 DNSKeys for com.tw, state is Bogus
Feb 22 15:02:06 pdns pdns_recursor: [2]   host.com.tw: determining status after receiving this packet
Feb 22 15:02:06 pdns pdns_recursor: [2]   host.com.tw: got negative caching indication for 'host.com.tw|DS'
Feb 22 15:02:06 pdns pdns_recursor: [2]   host.com.tw: status=noerror, other types may exist, but we are done (have negative SOA)
Feb 22 15:02:06 pdns pdns_recursor: [2] host.com.tw: removing cut state for host.com.tw
Feb 22 15:02:06 pdns pdns_recursor: [2] : list of cuts from host.com.tw to .
Feb 22 15:02:06 pdns pdns_recursor: - .: Secure
Feb 22 15:02:06 pdns pdns_recursor: - tw: Secure
Feb 22 15:02:06 pdns pdns_recursor: - com.tw: Secure
Feb 22 15:02:06 pdns pdns_recursor: [2] : got status Secure for name host.com.tw (from com.tw)
Feb 22 15:02:06 pdns pdns_recursor: [2] host.com.tw: initial validation status for host.com.tw is Secure
Feb 22 15:02:06 pdns pdns_recursor: [2] host.com.tw: Cache consultations done, have 1 NS to contact
Feb 22 15:02:06 pdns pdns_recursor: [2] host.com.tw: Domain has hardcoded nameservers
Feb 22 15:02:06 pdns pdns_recursor: [2] host.com.tw.: Nameservers: +168.95.1.1:53(2.36ms), +8.8.4.4:53(3.75ms), +8.8.8.8:53(7.88ms)
Feb 22 15:02:06 pdns pdns_recursor: [2] host.com.tw: Resolved '.' NS (empty) to: 168.95.1.1, 8.8.4.4, 8.8.8.8
Feb 22 15:02:06 pdns pdns_recursor: [2] host.com.tw: Trying IP 168.95.1.1:53, asking 'host.com.tw|A'
Feb 22 15:02:06 pdns pdns_recursor: [2] host.com.tw: Got 2 answers from (empty) (168.95.1.1), rcode=0 (No Error), aa=0, in 4ms
Feb 22 15:02:06 pdns pdns_recursor: [2] host.com.tw: accept answer 'host.com.tw|A|202.12.77.10' from '.' nameservers? ttl=300, place=1 YES! - This answer was received from a server we forward to.
Feb 22 15:02:06 pdns pdns_recursor: [2] host.com.tw: OPT answer '.' from '.' nameservers
Feb 22 15:02:06 pdns pdns_recursor: [2] : got status Secure for name host.com.tw (from com.tw)
Feb 22 15:02:06 pdns pdns_recursor: [2] : got initial zone status Secure for record host.com.tw|A
Feb 22 15:02:07 pdns pdns_recursor: [2] Validating non-additional record for host.com.tw
Feb 22 15:02:07 pdns pdns_recursor: [2] Bogus!
Feb 22 15:02:07 pdns pdns_recursor: [2] validation state was Secure, state update is Bogus, validation state is now Bogus
Feb 22 15:02:07 pdns pdns_recursor: [2] host.com.tw: determining status after receiving this packet
Feb 22 15:02:07 pdns pdns_recursor: [2] host.com.tw: answer is in: resolved to '202.12.77.10|A'
Feb 22 15:02:07 pdns pdns_recursor: [2] host.com.tw: status=got results, this level of recursion done
Feb 22 15:02:07 pdns pdns_recursor: [2] host.com.tw: validation status is Bogus
Feb 22 15:02:07 pdns pdns_recursor: Starting validation of answer to host.com.tw|A for 210.59.165.80:59977
Feb 22 15:02:07 pdns pdns_recursor: Answer to host.com.tw|A for 210.59.165.80:59977 validates as Bogus
Feb 22 15:02:07 pdns pdns_recursor: Sending out SERVFAIL for host.com.tw|A because recursor or query demands it for Bogus results

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20190305/825f0341/attachment-0001.html>


More information about the Pdns-users mailing list