[Pdns-users] DNSSEC error
Martin Kellermann
kellermann at sk-datentechnik.com
Fri Aug 18 09:38:53 UTC 2023
DNSSEC seems to be fine:
https://dnsviz.net/d/uni-wh.de/dnssec/
https://dnssec-analyzer.verisignlabs.com/uni-wh.de
Von: Pdns-users <pdns-users-bounces at mailman.powerdns.com> Im Auftrag von Huber, Peter via Pdns-users
Gesendet: Freitag, 18. August 2023 11:13
An: All about using and deploying powerdns <pdns-users at mailman.powerdns.com>
Cc: Huber, Peter <peter.huber at uni-wh.de>
Betreff: Re: [Pdns-users] DNSSEC error
Thank you, I understand, that our server is not authoritative for .de. bur it seems our zone is no longer signed, but it was signed in the past. Do I have to resign uni-wh.de? How can this disappear?
dig @127.0.0.1 dmz6.uni-wh.de. rrsig
; <<>> DiG 9.18.12-0ubuntu0.22.04.2-Ubuntu <<>> @127.0.0.1 dmz6.uni-wh.de. rrsig
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 51126
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;dmz6.uni-wh.de. IN RRSIG
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri Aug 18 11:07:37 CEST 2023
;; MSG SIZE rcvd: 43
Von: Brian Candler <b.candler at pobox.com<mailto:b.candler at pobox.com>>
Gesendet: Freitag, 18. August 2023 10:15
An: All about using and deploying powerdns <pdns-users at mailman.powerdns.com<mailto:pdns-users at mailman.powerdns.com>>
Cc: Huber, Peter <peter.huber at uni-wh.de<mailto:peter.huber at uni-wh.de>>
Betreff: Re: [Pdns-users] DNSSEC error
On 18/08/2023 08:53, Huber, Peter via Pdns-users wrote:
i have strange thing using the pdns resolver. My domain uni-wh.de was ok for a long time, now there seems to be a DNSSEC problem and I don’t know where this comes from, nor how to fix this.
What I am testing:
delv @193.175.243.110 uni-wh.de
You say the problem is with a "pdns resolver", but 193.175.243.110 is an authoritative server, not a recursor.
From the error output you gave, it looks like you're using a tool which wants to talk to a recursor:
;; chase DS servers resolving 'uni-wh.de/DS/IN': 193.175.243.110#53
;; REFUSED unexpected RCODE resolving 'de/NS/IN': 193.175.243.110#53
;; REFUSED unexpected RCODE resolving './NS/IN': 193.175.243.110#53
;; REFUSED unexpected RCODE resolving 'de/DS/IN': 193.175.243.110#53
Your authoritative server is (correctly) refusing to answer queries for domains it is not authoritative for, like ".de" and the root.
There are various online DNSSEC checkers. I checked a couple with uni-wh.de and they seem to think it's fine (and I can resolve it fine), so I don't think there's any problem.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20230818/e408a3d8/attachment.htm>
More information about the Pdns-users
mailing list