[Pdns-users] DNSSEC Validations and max-cache-bogus-ttl

rob777 rogbru at gmail.com
Wed Jun 11 13:46:36 UTC 2025


Hi

I had a case where a customer who is using my pdns recursor for external
domain resolution had an application error due to failed dnssec validation
for the external domain which his application depends on. I have
dnssec=validate configured in pdns recursor.

The external domain had 4 auth. DNS servers. One of those external
resolvers had a wrong date in their dnssec signature; the 3 other external
resolvers were ok. Due to this, if my pdns recursor made the dnssec
validation and it contacted one of the 3 external resolvers which were
ok, everything was ok. But if it occasionally asked the one external
resolver which was giving back the wrong date in their dnssec validation,
the failed validation answer was cached by my powerdns recursor for the
time of the TTL.

Even though the problem was not on my side, I've checked if I can optimize
something in my pdns recursor and I found max-cache-bogus-ttl:

"Maximum number of seconds to cache an item in the DNS cache (negative or
positive) if its DNSSEC validation failed, no matter what the original TTL
specified, to reduce the impact of a broken domain."

If I set this to "0" (default on 3600 seconds) I would have a more
direct response (instead of caching the failed dnssec validation for the
time of the TTL).

Do I have to be aware of some potential backlash if setting this to "0"
with regards to other aspects of dnssec validation, or is this (in general)
unproblematic?


Regards
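The situation described in the post, one authoritative server out of several serving an RRSIG whose time fields are outside the validity window, can be checked from the zone data each server returns. The script below is an added, offline illustration and is not code from the post or from the PowerDNS project: it parses RRSIG records in zone-file presentation form (RFC 4034 section 3.2), classifies each signature's validity period against a given time (RFC 4034 section 3.1.5), and reports which servers hand out bad signatures. The server names, the `example.com.` records, the 300-second skew tolerance and the signature bytes are all constructed sample data, not values from the post.

```python
"""Audit RRSIG validity windows per authoritative server (constructed example)."""
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Clock skew tolerated around inception/expiration. Assumption for this
# example; it is not a PowerDNS Recursor setting.
CLOCK_SKEW_SECONDS = 300


def parse_rrsig_time(field: str) -> int:
    """Convert the YYYYMMDDHHmmSS presentation form to POSIX seconds (UTC)."""
    if len(field) != 14 or not field.isdigit():
        raise ValueError(f"bad RRSIG time field: {field!r}")
    dt = datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def rrsig_window(rrsig: str) -> Tuple[int, int]:
    """Return (inception, expiration) of one RRSIG in zone-file form.

    Field layout: owner TTL class RRSIG type-covered algorithm labels
                  original-TTL expiration inception key-tag signer signature...
    """
    f = rrsig.split()
    if len(f) < 12 or f[3].upper() != "RRSIG":
        raise ValueError("not an RRSIG record")
    return parse_rrsig_time(f[9]), parse_rrsig_time(f[8])


def rrsig_status(rrsig: str, now: int, skew: int = CLOCK_SKEW_SECONDS) -> str:
    """Classify a signature's validity period relative to the time 'now'."""
    inception, expiration = rrsig_window(rrsig)
    if expiration < inception:
        return "inverted"          # expiration before inception: never valid
    if now < inception - skew:
        return "not-yet-valid"     # signer clock ahead, or premature publication
    if now > expiration + skew:
        return "expired"           # stale signature, e.g. a server that stopped re-signing
    return "ok"


def audit_servers(answers: Dict[str, List[str]], now: int) -> Dict[str, List[str]]:
    """Return {server: [status, ...]} for every server with at least one bad RRSIG."""
    bad: Dict[str, List[str]] = {}
    for server, rrsigs in answers.items():
        problems = [s for s in (rrsig_status(r, now) for r in rrsigs) if s != "ok"]
        if problems:
            bad[server] = problems
    return bad


# Constructed sample: four authoritative servers answering the same RRSIG(A)
# query for example.com. ns3 returns an expired signature; the rest are fine.
NOW = parse_rrsig_time("20250611134636")  # evaluation time used by the sample
GOOD = ("example.com. 3600 IN RRSIG A 13 2 3600 20250701000000 20250601000000 "
        "12345 example.com. c29tZXNpZ25hdHVyZWJ5dGVz")
EXPIRED = ("example.com. 3600 IN RRSIG A 13 2 3600 20250501000000 20250401000000 "
           "12345 example.com. c29tZXNpZ25hdHVyZWJ5dGVz")
SAMPLE_ANSWERS = {
    "ns1.example.net.": [GOOD],
    "ns2.example.net.": [GOOD],
    "ns3.example.net.": [EXPIRED],
    "ns4.example.net.": [GOOD],
}

if __name__ == "__main__":
    for server, problems in audit_servers(SAMPLE_ANSWERS, NOW).items():
        print(f"{server}: {', '.join(problems)}")
```

Run against real data, `SAMPLE_ANSWERS` would be filled from the RRSIG records returned by each listed NS separately (one query per server, DNSSEC OK bit set) rather than through a caching resolver, since the whole point is that only a subset of the servers is broken and a cache would hide that. The time classification is the same check a validating resolver applies before marking an answer Bogus, so a server flagged here is the one whose answers end up in the bogus cache for `max-cache-bogus-ttl` seconds.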