pdnssec rectify-zone makes the problem go away, which fixes it for me. It feels like there's still an underlying bug somewhere in the dnssec sql or surrounding code, though.
Cheers, Steve > On Mar 24, 2016, at 7:54 PM, Steve Atkins <[email protected]> wrote: > > I'm using a postgresql backend, and I have several zones configured to use > dnssec. > > Queries for resource records that exist work perfectly. The verisign online > checker says my dnssec is good. > > If I query for a resource record that doesn't exist without using dnssec - > either one where there are no RRs with a matching name or one where there are > RRs with a matching name but none also have a matching type - I get the > expected NXDOMAIN or NOERROR result. > > If I run the same query with dnssec then I get a servfail. > > With log level 9, and log-dns-details and log-dns-queries on, I get this in > the log: > > Mar 24 19:35:49 ns pdns[30538]: Remote 184.105.179.144 wants > 'foo.blighty.com|A', do = 1, bufsize = 1680: packetcache MISS > Mar 24 19:35:49 ns pdns[30538]: Exception building answer packet (Unknown DNS > type '.blighty.com') sending out servfail > > I see this with version 3.4.6 and 3.4.8. It looks like someone else had a > similar issue here: > https://mailman.powerdns.com/pipermail/pdns-users/2015-October/011747.html > > It's a new installation, but the data has been around for a few years. There > are no custom SQL queries. > > There is no record in the database with type '.blighty.com' - all non-null > types are expected A, TXT, PTR, etc. There are some records where the type is > null, though. > > Clearly it's getting garbage from the database, but only when building a > dnssec response where there are no matching RRs. > > Before I set up a testbed server to work out what's going on, does any of > this ring any bells with anyone? > > Cheers, > Steve > > _______________________________________________ > Pdns-users mailing list > [email protected] > https://mailman.powerdns.com/mailman/listinfo/pdns-users _______________________________________________ Pdns-users mailing list [email protected] https://mailman.powerdns.com/mailman/listinfo/pdns-users
