[Pdns-users] DNSSEC Validations and max-cache-bogus-ttl
Jan-Piet Mens
list at mens.de
Wed Jun 11 14:21:07 UTC 2025
I think the safest in this situation would be to add a Negative Trust Anchor
(NTA) [1] in order to temporarily disable DNSSEC validation in your Recursor
for that particular authoritative zone. While the NTA [2] is active you could
try contacting the operator of the (obviously) broken authoritative server and
get them to fix the zone.
-JP
[1] https://doc.powerdns.com/recursor/lua-config/dnssec.html#addNTA
[2] https://doc.powerdns.com/recursor/dnssec.html#ntas
More information about the Pdns-users
mailing list