[Pdns-users] Recursor 5.4.0: RPZ matches on '.' root query, breaks DNSSEC validation (Indeterminate instead of Bogus)
Chris Brough
hello at chrisbrough.uk
Tue Apr 21 11:58:18 UTC 2026
Hi there,
Thanks for the feedback. I've created myself a solution that works around this issue; thanks for the pointers around the RRtypes.
- Chris
> On 21/04/2026 12:42 BST Otto Moerbeek via Pdns-users <pdns-users at mailman.powerdns.com> wrote:
>
>
> On Mon, Apr 20, 2026 at 12:55:43PM +0200, Otto Moerbeek via Pdns-users wrote:
>
> > On Mon, Apr 20, 2026 at 11:51:50AM +0100, Brian Candler wrote:
> >
> > > On 20/04/2026 10:58, Otto Moerbeek via Pdns-users wrote:
> > > > which could lead to unexpected matches as well. I have to think if it
> > > > is possible to skip those as well, though this is dangerous territory,
> > > > as afaik we have no defined way to distinguish actual custom records
> > > > from these kinds of "meta" records.
> > >
> > > An option to skip everything at the RPZ apex?
> > >
> >
> > The TXT records are not at the apex, but still not intended to be part
> > of the RPZ policy. The RPZ "standard" does not have a provision for
> > these kinds of records. Anything we invent is ad-hoc.
> >
> > -Otto
>
> FYI: PR https://github.com/PowerDNS/pdns/pull/17161 addresses the
> issue for ZONEMD records.
>
> -Otto
>
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users