Hi Greg,

On 03/09/2018 03:44 PM, Greg Antic wrote:
> We are running recursor 4.1.1. We are having a problem with a domain
> that is signed with bogus dnssec records, the domain is cape-epic.com.
> We have tried the different dnssec modes but only process-no-validate
> allows the domain to be resolved. We tried adding an nta for the domain
> but the domain still would not resolve.
>
> Does anyone have any suggestions how we can accommodate and still
> resolve bogus domains but still offer dnssec validation?

Running with dnssec=process should only return a ServFail if the client
actually asks for DNSSEC validation, as described in [1].
Adding an NTA should also work. Would you mind sharing your configuration
and a trace (running with --trace or enabling it for this single domain
via rec_control trace-regex 'cape-epic.com')?

[1]: https://doc.powerdns.com/recursor/dnssec.html#what-when

Best regards,
-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/

_______________________________________________
Pdns-users mailing list
[email protected]
https://mailman.powerdns.com/mailman/listinfo/pdns-users
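
An added example, not part of the original thread or of PowerDNS: a small probe that builds the three queries worth comparing against a recursor running with dnssec=process, so the answer with no validation requested can be set beside the answers where the client asks for it. It assumes "asks for DNSSEC validation" means the DO or AD bit on the query, as in the table linked at [1]; the recursor address (first argument), the query ID and the 1232-byte EDNS size are also assumptions.

```python
import socket, struct, sys

RD, AD = 0x0100, 0x0020               # DNS header flag bits
DO = 0x8000                           # EDNS0 "DNSSEC OK" flag (RFC 3225)
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

def build_query(name, qtype=1, ad=False, do=False, qid=0x1234):
    """Wire-format query for name; ad/do are the bits that ask for validation."""
    flags = RD | (AD if ad else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1 if do else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)          # class IN
    # OPT pseudo-record: root name, type 41, UDP size, ext-rcode, version, flags, rdlen
    opt = (b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, DO, 0)) if do else b""
    return header + question + opt

def summarize(response):
    """Return (rcode name, AD flag) read from a response header."""
    flags = struct.unpack("!H", response[2:4])[0]
    return RCODES.get(flags & 0xF, str(flags & 0xF)), bool(flags & AD)

def probes(name):
    """Queries to compare: no validation requested, then DO set, then AD set."""
    return {
        "plain": build_query(name),
        "do": build_query(name, do=True),
        "ad": build_query(name, ad=True),
    }

def ask(server, packet, timeout=3.0):
    """Send one query over UDP to server:53 and return the raw response."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, 53))
        return s.recvfrom(4096)[0]

# Constructed sample response header: QR|RD|RA set, RCODE=2, no records.
SAMPLE_SERVFAIL = bytes.fromhex("123481820001000000000000")

if __name__ == "__main__":
    if len(sys.argv) > 1:                     # argv[1]: recursor IP (assumption)
        for label, pkt in probes("cape-epic.com").items():
            print(label, summarize(ask(sys.argv[1], pkt)))
    else:
        print("sample", summarize(SAMPLE_SERVFAIL))
```

If the "plain" probe also comes back SERVFAIL in process mode, the failure is not explained by the client requesting validation, and the trace requested above is the next thing to look at.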
