[Pdns-users] Recursor 5.4.0: RPZ matches on '.' root query, breaks DNSSEC validation (Indeterminate instead of Bogus)

Otto Moerbeek otto at drijf.net
Tue Apr 21 11:42:20 UTC 2026


On Mon, Apr 20, 2026 at 12:55:43PM +0200, Otto Moerbeek via Pdns-users wrote:

> On Mon, Apr 20, 2026 at 11:51:50AM +0100, Brian Candler wrote:
> 
> > On 20/04/2026 10:58, Otto Moerbeek via Pdns-users wrote:
> > > which could lead to unexpected matches as well.  I have to think if it
> > > is possible to skip those as well, though this is dangerous territory,
> > > as afaik we have no defined way to distinguish actual custom records
> > > from these kinds of "meta" records.
> > 
> > An option to skip everything at the RPZ apex?
> > 
> 
> The TXT records are not at the apex, but still not intended to be part
> of the RPZ policy. The RPZ "standard" does not have a provision for
> these kinds of records. Anything we invent is ad-hoc.
> 
> 	-Otto

FYI: PR https://github.com/PowerDNS/pdns/pull/17161 addresses the
issue for ZONEMD records.

	-Otto


