[Pdns-users] recursor is giving conflicting results for /etc/hosts entries

Remi Gacogne remi.gacogne at powerdns.com
Sat Jan 4 17:43:51 UTC 2020

Hi Mike,

On 1/4/20 6:39 PM, Mike wrote:

> I hate replying to my own message, but...
>     The culprit was 'dnssec=validate'. Stupid me. Recursor is doing what
> I told it to do, and there's no way for it to dnssec validate etc/hosts
> supplied entries.
>     There still is the open question why it seems the first query would
> be responded to with the data in question, perhaps that is some other
> network issue (we anycast our resolvers).
>     The next question would be - is there any way to specify 'don't
> dnssec validate entries loaded from etc/hosts', or perhaps this would be
> a job better suited to a lua script (which I am not up to speed on)?

I believe you are looking for addNTA(), see [1].

[1]: https://docs.powerdns.com/recursor/dnssec.html#negative-trust-anchors

Best regards,
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
