Hi Andrey, thank you for your report.
* Andrey A. Lyubimets <[email protected]> [191225 09:33]: > A record SERVFAIL only with 8.8.8.8 for my unsigned subdomains. > > We have unsigned zones example.org and subdomain.example.org. > ns1-3.example.com > (debian buster, powerdns in superslave mode) is domain servers for those > zones. > > $ host -t A rr.subdomain.example.org 8.8.8.8 > Using domain server: > Name: 8.8.8.8 > Address: 8.8.8.8#53 > Aliases: > > Host rr.subdomain.example.org not found: 2(SERVFAIL) [..] > The reason for this is that Google makes a DS request for the domain before > each request, but the powerdns in version 4.1 gives wrong answer for unsigned > domains. Indeed it does, however it does so only for DS. 8.8.8.8 is known to early-SERVFAIL the DS query in such a case; however it has not been observed to SERVFAIL for other queries for the same zone. > In the upstream, this is fixed for version 4.2 - > https://github.com/PowerDNS/pdns/pull/6923. After talking to upstream about this, it is more likely that your zone has other problems that make 8.8.8.8 SERVFAIL. Can you post a full reproduction scenario? Cheers, Chris
