Hi Greg,

On Fri, 9 Mar 2018 14:44:31 +0000 Greg Antic <greg.an...@stc.za.com> wrote:
> We are running recursor 4.1.1. We are having a problem with a domain that is
> signed with bogus dnssec records, the domain is cape-epic.com. We have tried
> the different dnssec modes but only process-no-validate allows the domain to
> be resolved. We tried adding an nta for the domain but the domain still would
> not resolve.
>
> Does anyone have any suggestions how we can accommodate and still resolve
> bogus domains but still offer dnssec validation?
>
> Answer to cape-epic.com|A for 41.77.x.y:36426 validates as Bogus

* Can you tell us how you added the NTA?
* Are you fronting the recursor with dnsdist?
* The fact that it validates as Bogus does *not* mean that the client gets a
  SERVFAIL, this depends on the dnssec setting and the flags the client sends.
  (but with an NTA it should always be insecure, so please answer the first
  question).

Best regards,

Pieter

--
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com