[Pdns-users] pdns-recursor zone-forward block and allow lists
Brian Candler
b.candler at pobox.com
Tue Apr 30 08:15:37 UTC 2024
On 30/04/2024 08:23, Jan Gardian via Pdns-users wrote:
> tcpdump:
> "
> 17:31:22.071802 IP 192.168.0.101.41941 > pdns-recursor.domain: 65094+
> [1au] A? liveaqest.live. (55)
> 17:31:22.072588 IP pdns-recursor.55092 > dns.google.domain: 5457+%
> [1au] A? liveaqest.live. (43)
> 17:31:22.090703 IP dns.google.domain > pdns-recursor.55092: 5457 2/0/1
> A 188.114.97.3, A 188.114.96.3 (75)
> 17:31:22.091020 IP pdns-recursor.52908 > dns0.eu.domain: 55841 [1au]
> DS? live. (33)
> 17:31:22.095823 IP dns0.eu.domain > pdns-recursor.52908: 55841$ 0/14/1
> (530)
> 17:31:22.096001 IP pdns-recursor.25826 > dns0.eu.domain: 28404 [1au]
> DS? live. (33)
> 17:31:22.099646 IP pdns-recursor.34244 > 10.35.21.1.domain: 26987+
> PTR? 101.0.164.192.in-addr.arpa. (42)
> 17:31:22.100761 IP dns0.eu.domain > pdns-recursor.25826: 28404$ 0/14/1
> (530)
> 17:31:22.101142 IP pdns-recursor.domain > 192.168.0.101.41941: 65094
> ServFail 0/0/1 (43)
> "
The fourth and fifth packets shows a query and response for a DS record,
i.e. it's trying to do DNSSEC validation, starting at "live." and
working downwards. I therefore suspect that's the problem.
I'm not sure *exactly* why DNSSEC is failing to verify though: it seems
"live" is signed but "liveaqest.live" is not, and that ought to be
fine. And I don't know why the 6th/8th packets are repeating the same
DS query.
As a quick workaround (or at least to prove whether this is the issue),
you could add a Negative Trust Anchor for liveaqest.live. See:
https://doc.powerdns.com/recursor/yamlsettings.html#recursor-forward-zones
https://doc.powerdns.com/recursor/dnssec.html#negative-trust-anchors
Or turn off DNSSEC processing completely. Or crank up logging to see
if/why DNSSEC validation is failing.
I guess when you're forwarding queries to an upstream recursive server,
it would be nice to have a way to say "trust the AD flag queries in
responses from that server, and skip local DNSSEC validation" - but I
don't see a way to configure that.
Regards,
Brian.
More information about the Pdns-users
mailing list