[Pdns-users] DNSSEC Validations and max-cache-bogus-ttl
rob777
rogbru at gmail.com
Wed Jun 11 14:37:53 UTC 2025
Thanks - I didn't know this parameter - so basically this...
rec_control add-nta domain.example botched keyroll
Added Negative Trust Anchor for domain.example. with reason 'botched keyroll'
....would set DNSSEC validations for domain.example. to "off"....?
On Wed, 11 June 2025 at 16:21, Jan-Piet Mens via Pdns-users <pdns-users at mailman.powerdns.com> wrote:
> I think the safest in this situation would be to add a Negative Trust
> Anchor (NTA) [1] in order to temporarily disable DNSSEC validation in your
> Recursor for that particular authoritative zone. While the NTA [2] is
> active you could try contacting the operator of the (obviously) broken
> authoritative server and get them to fix the zone.
>
> -JP
>
> [1] https://doc.powerdns.com/recursor/lua-config/dnssec.html#addNTA
> [2] https://doc.powerdns.com/recursor/dnssec.html#ntas
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users
>