Hi Pieter,

To add to the info submitted to Remi:

> Can you tell us how you added the NTA?

rec_control add-nta cape-epic.com

> Are you fronting the recursor with dnsdist?

No

-----Original Message-----
From: Pdns-users [mailto:[email protected]] On Behalf Of Pieter Lexis
Sent: Friday, 09 March 2018 5:22 PM
To: [email protected]
Subject: Re: [Pdns-users] dnssec domain validates as bogus

Hi Greg,

On Fri, 9 Mar 2018 14:44:31 +0000
Greg Antic <[email protected]> wrote:

> We are running recursor 4.1.1. We are having a problem with a domain that is
> signed with bogus dnssec records, the domain is cape-epic.com. We have tried
> the different dnssec modes but only process-no-validate allows the domain to
> be resolved. We tried adding an nta for the domain but the domain still would
> not resolve.
>
> Does anyone have any suggestions how we can accommodate and still resolve
> bogus domains but still offer dnssec validation?
>
> Answer to cape-epic.com|A for 41.77.x.y:36426 validates as Bogus

* Can you tell us how you added the NTA?
* Are you fronting the recursor with dnsdist?
* The fact that it validates as Bogus does *not* mean that the client gets a
  SERVFAIL, this depends on the dnssec setting and the flags the client sends.
  (but with an NTA it should always be insecure, so please answer the first
  question).

Best regards,

Pieter

--
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com
_______________________________________________
Pdns-users mailing list
[email protected]
https://mailman.powerdns.com/mailman/listinfo/pdns-users
