[Pdns-users] pdns-recursor zone-forward block and allow lists
Jan Gardian
jan.gardian at redamp.io
Thu May 2 13:13:32 UTC 2024
Hi,
Thank you for your hints with DNSSEC. Truly it was caused by dnssec
validation. If I tried to turn off dnssec validation dns0 servers would
not respond to any of my requests. But I found that with option
"process-no-validate" and recurse true for zone '.' I finally setup and
tested exactly what I wanted to do. Created small allow list for domains
that are blocked by dns0 and rest of request are filtered by dns0.
Thank you very much for help.
With kind regards
*Jan Gardian*
On 4/30/24 10:19, Frank Louwers wrote:
> Hi,
>> Or turn off DNSSEC processing completely. Or crank up logging to see if/why DNSSEC validation is failing.
>
> To add on what Brian said: if you're going to be use filtering capabilities, it's best to turn DNSSEC validation completely off: a filtered domain might have a valid DS. You're breaking the chain by returning a non-signed and forged reply to your users, so validation has little use.
>
> Frank
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20240502/b68f8301/attachment.htm>
More information about the Pdns-users
mailing list