[Pdns-users] Recursor: Response looses AD flag if Lua script hook returns true

Pieter Lexis pieter.lexis at powerdns.com
Mon Mar 30 09:05:33 UTC 2020

Hi Simon,

On 3/28/20 5:34 PM, Simon Erhardt via Pdns-users wrote:
> We use PowerDNS Recursor to intercept certain lookups and return values
> from a database instead. Therefore we use the Luad scripting capability.
> Now we noticed that requests with DNSSEC lose the set AD flag when a
> hook in the script of the request is marked as "handled" (by returning
> "true"). I don't know if this by design (which I can imagine), or if we
> are missing something.

Once the post-resolve hook indicated it 'took' the query (by returning
true), the recursor can not guarantee that the answer is unaltered or no
records are inserted. This is why the recursor *always* clears the
DNSSEC validation state when a `true` is returned.

As `postresolve` is called *after* resolution and validation has already
happened, PowerDNS won't revalidate. To ensure it does not lie to the
clients, the AD bit is never set [1].

I hope this clears up the confusion.

Best regards,


1 -

Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com

More information about the Pdns-users mailing list