[Pdns-users] DNSSEC error

Martin Kellermann kellermann at sk-datentechnik.com
Fri Aug 18 09:38:53 UTC 2023

DNSSEC seems to be fine:


From: Pdns-users <pdns-users-bounces at mailman.powerdns.com> On Behalf Of Huber, Peter via Pdns-users
Sent: Friday, 18 August 2023 11:13
To: All about using and deploying powerdns <pdns-users at mailman.powerdns.com>
Cc: Huber, Peter <peter.huber at uni-wh.de>
Subject: Re: [Pdns-users] DNSSEC error

Thank you, I understand that our server is not authoritative for .de. but it seems our zone is no longer signed, but it was signed in the past. Do I have to re-sign uni-wh.de? How can this disappear?

dig @ dmz6.uni-wh.de. rrsig

; <<>> DiG 9.18.12-0ubuntu0.22.04.2-Ubuntu <<>> @ dmz6.uni-wh.de. rrsig
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 51126
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

; EDNS: version: 0, flags:; udp: 1232
;dmz6.uni-wh.de.                        IN      RRSIG

;; Query time: 0 msec
;; WHEN: Fri Aug 18 11:07:37 CEST 2023
;; MSG SIZE  rcvd: 43

From: Brian Candler <b.candler at pobox.com>
Sent: Friday, 18 August 2023 10:15
To: All about using and deploying powerdns <pdns-users at mailman.powerdns.com>
Cc: Huber, Peter <peter.huber at uni-wh.de>
Subject: Re: [Pdns-users] DNSSEC error

On 18/08/2023 08:53, Huber, Peter via Pdns-users wrote:
I have a strange thing using the pdns resolver. My domain uni-wh.de was ok for a long time, now there seems to be a DNSSEC problem and I don’t know where this comes from, nor how to fix this.
What I am testing:

delv @ uni-wh.de

You say the problem is with a "pdns resolver", but is an authoritative server, not a recursor.
From the error output you gave, it looks like you're using a tool which wants to talk to a recursor:
;; chase DS servers resolving 'uni-wh.de/DS/IN':
;; REFUSED unexpected RCODE resolving 'de/NS/IN':
;; REFUSED unexpected RCODE resolving './NS/IN':
;; REFUSED unexpected RCODE resolving 'de/DS/IN':

Your authoritative server is (correctly) refusing to answer queries for domains it is not authoritative for, like ".de" and the root.

There are various online DNSSEC checkers. I checked a couple with uni-wh.de and they seem to think it's fine (and I can resolve it fine), so I don't think there's any problem.
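
An added example, not part of the original thread: a small Python triage of dig output that separates "this server refused the query and does not recurse" from "this server answered authoritatively, with or without RRSIG records". The function names, result labels and the example.org sample data are assumptions constructed for illustration.

```python
import re

# Constructed sample: header in the shape dig prints for a refused query.
SAMPLE_REFUSED = """\
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 51126
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
"""

# Constructed sample: authoritative answer that carries a signature (placeholder data).
SAMPLE_SIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.org.  3600 IN SOA ns1.example.org. hostmaster.example.org. 1 7200 3600 1209600 3600
example.org.  3600 IN RRSIG SOA 13 2 3600 20230901000000 20230811000000 12345 example.org. c2lnbmF0dXJl
"""

def parse_dig(text):
    """Extract rcode, header flags, answer count and RRSIG presence from dig text."""
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r"^;; flags:([^;]*);", text, re.M)
    answers = re.search(r"ANSWER: (\d+)", text)
    return {
        "status": status.group(1) if status else None,
        "flags": set(flags.group(1).split()) if flags else set(),
        "answers": int(answers.group(1)) if answers else 0,
        # A record line (not a ';' comment) of type RRSIG in the output.
        "rrsig": bool(re.search(r"^[^;\s]\S*\s+\d+\s+IN\s+RRSIG\s", text, re.M)),
    }

def diagnose(text):
    r = parse_dig(text)
    # REFUSED without the 'ra' flag: the server will not recurse and declined
    # this name. That is no evidence about the zone's signatures.
    if r["status"] == "REFUSED" and "ra" not in r["flags"]:
        return "refused-no-recursion"
    # Authoritative answer: signatures are either present or absent.
    if r["status"] == "NOERROR" and "aa" in r["flags"] and r["answers"] > 0:
        return "signed" if r["rrsig"] else "no-rrsig-in-answer"
    return "inconclusive"

if __name__ == "__main__":
    for name, sample in (("refused", SAMPLE_REFUSED), ("signed", SAMPLE_SIGNED)):
        print(name, "->", diagnose(sample))
```

A "no-rrsig-in-answer" result is only meaningful when the query was sent with `+dnssec`, since dig does not request signatures otherwise.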