[Pdns-users] pdns-recursor zone-forward block and allow lists

Brian Candler b.candler at pobox.com
Tue Apr 30 08:15:37 UTC 2024


On 30/04/2024 08:23, Jan Gardian via Pdns-users wrote:
> tcpdump:
> "
> 17:31:22.071802 IP 192.168.0.101.41941 > pdns-recursor.domain: 65094+ 
> [1au] A? liveaqest.live. (55)
> 17:31:22.072588 IP pdns-recursor.55092 > dns.google.domain: 5457+% 
> [1au] A? liveaqest.live. (43)
> 17:31:22.090703 IP dns.google.domain > pdns-recursor.55092: 5457 2/0/1 
> A 188.114.97.3, A 188.114.96.3 (75)
> 17:31:22.091020 IP pdns-recursor.52908 > dns0.eu.domain: 55841 [1au] 
> DS? live. (33)
> 17:31:22.095823 IP dns0.eu.domain > pdns-recursor.52908: 55841$ 0/14/1 
> (530)
> 17:31:22.096001 IP pdns-recursor.25826 > dns0.eu.domain: 28404 [1au] 
> DS? live. (33)
> 17:31:22.099646 IP pdns-recursor.34244 > 10.35.21.1.domain: 26987+ 
> PTR? 101.0.164.192.in-addr.arpa. (42)
> 17:31:22.100761 IP dns0.eu.domain > pdns-recursor.25826: 28404$ 0/14/1 
> (530)
> 17:31:22.101142 IP pdns-recursor.domain > 192.168.0.101.41941: 65094 
> ServFail 0/0/1 (43)
> "

The fourth and fifth packets show a query and response for a DS record, 
i.e. it's trying to do DNSSEC validation, starting at "live." and 
working downwards. I therefore suspect that's the problem.

I'm not sure *exactly* why DNSSEC is failing to verify though: it seems 
"live" is signed but "liveaqest.live" is not, and that ought to be 
fine.  And I don't know why the 6th/8th packets are repeating the same 
DS query.

As a quick workaround (or at least to prove whether this is the issue), 
you could add a Negative Trust Anchor for liveaqest.live. See:

https://doc.powerdns.com/recursor/yamlsettings.html#recursor-forward-zones

https://doc.powerdns.com/recursor/dnssec.html#negative-trust-anchors

Or turn off DNSSEC processing completely. Or crank up logging to see 
if/why DNSSEC validation is failing.

I guess when you're forwarding queries to an upstream recursive server, 
it would be nice to have a way to say "trust the AD flag in 
responses from that server, and skip local DNSSEC validation" - but I 
don't see a way to configure that.

Regards,

Brian.
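As an added illustration of how to read a capture like the one quoted above (this is example code written for this page, not code from the thread or from PowerDNS), the following Python script parses tcpdump's one-line DNS summaries, pairs each response with its query by transaction id and endpoints, and reports what the resolver did while serving the client: which answers it got from upstream, which DS lookups it issued (chain-of-trust work), whether any DS name was queried repeatedly, and whether the client ended up with ServFail even though the forwarder answered. The sample input is the quoted capture re-joined to one packet per line (the mail client had wrapped each packet); the resolver host name `pdns-recursor` is taken from the capture and passed in as a parameter, so the script can be pointed at any other host name.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample: the tcpdump excerpt quoted in the thread, re-joined to one packet per
# line (the mail client had wrapped each packet across two lines).
SAMPLE_TCPDUMP = """\
17:31:22.071802 IP 192.168.0.101.41941 > pdns-recursor.domain: 65094+ [1au] A? liveaqest.live. (55)
17:31:22.072588 IP pdns-recursor.55092 > dns.google.domain: 5457+% [1au] A? liveaqest.live. (43)
17:31:22.090703 IP dns.google.domain > pdns-recursor.55092: 5457 2/0/1 A 188.114.97.3, A 188.114.96.3 (75)
17:31:22.091020 IP pdns-recursor.52908 > dns0.eu.domain: 55841 [1au] DS? live. (33)
17:31:22.095823 IP dns0.eu.domain > pdns-recursor.52908: 55841$ 0/14/1 (530)
17:31:22.096001 IP pdns-recursor.25826 > dns0.eu.domain: 28404 [1au] DS? live. (33)
17:31:22.099646 IP pdns-recursor.34244 > 10.35.21.1.domain: 26987+ PTR? 101.0.164.192.in-addr.arpa. (42)
17:31:22.100761 IP dns0.eu.domain > pdns-recursor.25826: 28404$ 0/14/1 (530)
17:31:22.101142 IP pdns-recursor.domain > 192.168.0.101.41941: 65094 ServFail 0/0/1 (43)
"""

# tcpdump's DNS summary: "<ts> IP <src>.<port> > <dst>.<port>: <txid><flags> ...".
# Flag letters tcpdump prints right after the transaction id: '+' RD, '%' CD, '$' AD.
HEADER_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<body>.*)$")
QUERY_RE = re.compile(r"^(?P<id>\d+)(?P<flags>[+%$]*) (?:\[\d+au\] )?(?P<qtype>[A-Z]+)\? (?P<qname>\S+) \(\d+\)$")
RESP_RE = re.compile(r"^(?P<id>\d+)(?P<flags>[+%$]*) (?:(?P<rcode>[A-Za-z]+) )?(?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+)")


@dataclass
class Packet:
    ts: str
    src: str                 # "host.port" exactly as tcpdump prints it
    dst: str
    txid: int
    flags: str
    is_query: bool
    qtype: Optional[str] = None
    qname: Optional[str] = None
    rcode: str = "NoError"   # responses only; tcpdump omits the rcode when it is NoError
    counts: Optional[Tuple[int, int, int]] = None  # (answer, authority, additional) on responses


def host(endpoint: str) -> str:
    """Strip tcpdump's trailing '.port' ('pdns-recursor.domain' -> 'pdns-recursor')."""
    return endpoint.rsplit(".", 1)[0]


def parse_tcpdump(text: str):
    """Turn tcpdump DNS summary lines into Packet records; non-DNS lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue
        body = m["body"]
        q = QUERY_RE.match(body)
        if q:
            packets.append(Packet(m["ts"], m["src"], m["dst"], int(q["id"]), q["flags"], True,
                                  qtype=q["qtype"], qname=q["qname"]))
            continue
        r = RESP_RE.match(body)
        if r:
            packets.append(Packet(m["ts"], m["src"], m["dst"], int(r["id"]), r["flags"], False,
                                  rcode=r["rcode"] or "NoError",
                                  counts=(int(r["an"]), int(r["ns"]), int(r["ar"]))))
    return packets


def analyse(packets, resolver: str) -> dict:
    """Pair responses with queries and summarise what `resolver` did while serving clients.

    Pairing key: (querier endpoint, responder endpoint, transaction id); a response from the
    responder back to the querier with the same id closes the exchange.
    """
    pending = {}
    client_outcomes = []    # (qname, qtype, rcode) the resolver returned to clients
    upstream_answers = []   # (qname, qtype, rcode, counts) the resolver received from upstreams
    ds_lookups = []         # (qname, upstream) DS queries the resolver sent: chain-of-trust work
    for p in packets:
        if p.is_query:
            pending[(p.src, p.dst, p.txid)] = p
            if p.qtype == "DS" and host(p.src) == resolver:
                ds_lookups.append((p.qname, host(p.dst)))
            continue
        q = pending.pop((p.dst, p.src, p.txid), None)
        if q is None:
            continue            # response whose query was not in the capture
        if host(q.dst) == resolver:
            client_outcomes.append((q.qname, q.qtype, p.rcode))
        elif host(q.src) == resolver:
            upstream_answers.append((q.qname, q.qtype, p.rcode, p.counts))
    repeated_ds = sorted(n for n, c in Counter(n for n, _ in ds_lookups).items() if c > 1)
    client_servfail = any(rc == "ServFail" for _, _, rc in client_outcomes)
    upstream_ok = any(rc == "NoError" and c[0] > 0 for _, _, rc, c in upstream_answers)
    return {
        "client_outcomes": client_outcomes,
        "upstream_answers": upstream_answers,
        "ds_lookups": ds_lookups,
        "repeated_ds": repeated_ds,
        # Upstream handed back answer records, the resolver issued DS lookups, and the client
        # still got ServFail: the failure is in local validation, not at the forwarder.
        "suspect_local_validation": client_servfail and upstream_ok and bool(ds_lookups),
    }


if __name__ == "__main__":
    for key, value in analyse(parse_tcpdump(SAMPLE_TCPDUMP), resolver="pdns-recursor").items():
        print(f"{key}: {value}")
```

Feed it the output of `tcpdump -l port 53` on the recursor (re-join any lines your terminal or mail client wrapped) and pass the recursor's host name as printed by tcpdump. On the sample, the query the recursor sends to dns.google carries tcpdump's `%` (the CD bit), which is consistent with a resolver that intends to validate the answer itself rather than trust the forwarder's AD flag; the forwarder answers with two A records, the recursor asks dns0.eu for `DS live.` twice, and the client receives ServFail, which is the pattern the reply above attributes to local DNSSEC validation.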
