Hi Simon,

On 3/28/20 5:34 PM, Simon Erhardt via Pdns-users wrote:
> We use PowerDNS Recursor to intercept certain lookups and return values
> from a database instead. Therefore we use the Lua scripting capability.
> Now we noticed that requests with DNSSEC lose the set AD flag when a
> hook in the script of the request is marked as "handled" (by returning
> "true"). I don't know if this is by design (which I can imagine), or if we
> are missing something.
Once the post-resolve hook indicated it 'took' the query (by returning true), the recursor cannot guarantee that the answer is unaltered or that no records were inserted. This is why the recursor *always* clears the DNSSEC validation state when a `true` is returned. As `postresolve` is called *after* resolution and validation have already happened, PowerDNS won't revalidate. To ensure it does not lie to the clients, the AD bit is never set [1].

I hope this clears up the confusion.

Best regards,

Pieter

1 - https://github.com/PowerDNS/pdns/blob/dbcbb6820eab29a5da2ae51ae2321b8691fce938/pdns/pdns_recursor.cc#L1461-L1462

--
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
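The practical consequence of the behaviour Pieter describes is that a `postresolve` hook should return `true` only for the queries it actually rewrites; returning `true` unconditionally strips the AD bit from every validated answer the recursor hands out. The script below is an added example written for this thread, not code from the original poster or from PowerDNS. The `overrides` table is a constructed stand-in for the database lookup the poster mentions, and `lookupOverride` is a hypothetical helper name; the `dq` fields and methods used (`qname`, `qtype`, `rcode`, `setRecords`, `addAnswer`) are the Recursor's documented Lua hook API.

```lua
-- Added example (not from the thread or from PowerDNS): a postresolve hook
-- that rewrites only the names it owns and returns false for everything
-- else, so unrelated DNSSEC-validated answers keep their AD bit.

-- Constructed in-memory "database" standing in for the real lookup.
-- Keys are fully qualified names with a trailing dot, as DNSName:toString()
-- produces them.
local overrides = {
  ["override.example.com."] = "192.0.2.10",
  ["intranet.example.net."] = "192.0.2.20",
}

-- Hypothetical helper: in the poster's setup this would query the database.
local function lookupOverride(name)
  return overrides[string.lower(name)]
end

function postresolve(dq)
  -- Only A queries are candidates for rewriting here.
  if dq.qtype ~= pdns.A then
    return false
  end

  local target = lookupOverride(dq.qname:toString())
  if target == nil then
    -- Not one of ours: leave the answer, and therefore its validation
    -- state and AD bit, exactly as the recursor produced it.
    return false
  end

  -- Replace the answer section with our record. The recursor cannot
  -- re-validate data injected here, so once we return true it clears the
  -- validation state and the client will not see AD on this response.
  dq:setRecords({})
  dq:addAnswer(pdns.A, target, 300)
  dq.rcode = pdns.NOERROR
  return true
end
```

Load it with the `lua-dns-script` setting of the Recursor, then compare `dig +dnssec` against a name in the override table and against a validated name that is not: the flags line should show `ad` only for the latter.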