Hi Greg,

On Fri, 9 Mar 2018 14:44:31 +0000
Greg Antic <greg.an...@stc.za.com> wrote:

> We are running recursor 4.1.1. We are having a problem with a domain that is 
> signed with bogus dnssec records, the domain is cape-epic.com. We have tried 
> the different dnssec modes but only process-no-validate allows the domain to 
> be resolved. We tried adding an nta for the domain but the domain still would 
> not resolve.
> 
> Does anyone have any suggestions how we can accommodate and still resolve 
> bogus domains but still offer dnssec validation?
> 
> Answer to cape-epic.com|A for 41.77.x.y:36426 validates as Bogus

* Can you tell us how you added the NTA?
* Are you fronting the recursor with dnsdist?
* The fact that it validates as Bogus does *not* mean that the client
  gets a SERVFAIL; this depends on the dnssec setting and the flags the
  client sends (but with an NTA it should always be insecure, so please
  answer the first question).


Best regards,

Pieter

-- 
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
