[Pdns-users] pdns-recursor zone-forward block and allow lists

Jan Gardian jan.gardian at redamp.io
Thu May 2 13:13:32 UTC 2024


Hi,

Thank you for your hints about DNSSEC. It truly was caused by DNSSEC 
validation. If I tried to turn off DNSSEC validation, the dns0 servers would 
not respond to any of my requests. But I found that with the option 
"process-no-validate" and recurse true for zone '.', I finally set up and 
tested exactly what I wanted to do. I created a small allow list for domains 
that are blocked by dns0, and the rest of the requests are filtered by dns0.

Thank you very much for your help.

With kind regards

*Jan Gardian*

On 4/30/24 10:19, Frank Louwers wrote:
> Hi,
>> Or turn off DNSSEC processing completely. Or crank up logging to see if/why DNSSEC validation is failing.
>
> To add to what Brian said: if you're going to use filtering capabilities, it's best to turn DNSSEC validation completely off: a filtered domain might have a valid DS. You're breaking the chain by returning a non-signed and forged reply to your users, so validation has little use.
>
> Frank