On Thu, Jan 26, 2023 at 05:37:12PM +0100, Arien Vijn via Pdns-users wrote:
> Hi Peter,
>
> > On 26 Jan 2023, at 17:28, Peter van Dijk via Pdns-users
> > <pdns-users@mailman.powerdns.com> wrote:
> > [...]
> >
> > After some brief investigation we somewhat suspect this is aggressive
> > NSEC caching. Can you see if aggressive-nsec-cache-size=0 makes the
> > problem go away?
>
> Thanks! I'll add this line to the configuration right away :)
>
> --
> Ariën
I expect the aggressive cache workaround to function.

What is happening is that a query of a non-existent type (e.g. AAAA) for
xdsl-c-serviceweb.gslb.kpn.com

$ dig @ns1gslb.kpn.com. xdsl-c-serviceweb.gslb.kpn.com aaaa +dnssec

produces an NSEC3 record that denies all types except TXT and RRSIG:

cq026lgcduus730qu6cbhtrt7qpr2jnu.gslb.kpn.com. 86400 IN NSEC3 1 0 1 19623DE58C1E7E40 CQ026LGCDUUS730QU6CBHTRT7QPR2JNV TXT RRSIG

So when the A record expires and somebody has done an AAAA query in between,
the aggressive cache concludes that the wanted A record does not exist and
does not even ask the auth for it. Then after a cache wipe it works because
when the (aggressive) cache is empty for that zone, there is also no NSEC3
record denying anything.

So in the end this is a misconfigured domain. Completely disabling the
aggressive cache is a bit of a big hammer; you can also add an NTA for the
specific problem domain, something like:

addNTA('gslb.kpn.com', 'Invalid NSEC3 record served for xdsl-c-serviceweb.gslb.kpn.com')

in your Lua config file. This effectively disables DNSSEC for the domain.

And please also report this to KPN.

-Otto

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
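The following is an added example, not code from PowerDNS or from anyone on this thread, that reproduces the reasoning in Otto's reply: it implements the RFC 5155 NSEC3 hash, parses the NSEC3 record quoted above from dig output, and applies the RFC 8198 aggressive-cache rule (an NSEC3 whose owner hash equals the hash of the query name proves the name exists with exactly the types in its bitmap). Running it shows why a cached NSEC3 with a bitmap of only TXT and RRSIG makes the resolver synthesize NODATA for the A query without contacting the auth. Only the exact-match (NODATA) case is modelled; a covering NSEC3 for a non-existent name would also need a closest-encloser check, which this toy simply reports as "ASK-AUTH". The `example.test` zone used in the self-check is constructed, and the RFC 5155 Appendix A value is used as a known-answer test for the hash function.

```python
"""Toy model of an RFC 8198 aggressive NSEC3 cache decision (added example, not
PowerDNS code): hash the query name per RFC 5155 and consult a cached NSEC3."""
import base64
import hashlib

# NSEC3 owner labels use base32hex (RFC 4648 section 7); Python only ships
# standard base32, so translate the alphabet.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case, uncompressed) wire format of a domain name."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5 with SHA-1 (hash algorithm 1):
    IH(0) = H(wire_name || salt); IH(k) = H(IH(k-1) || salt)."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 bytes -> exactly 32 base32 characters, no padding
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def parse_nsec3(rr_text: str) -> dict:
    """Parse one NSEC3 RR in presentation format (as printed by dig)."""
    f = rr_text.split()
    if len(f) < 9 or f[3] != "NSEC3":
        raise ValueError("not an NSEC3 record: %r" % rr_text)
    hash_label, _, zone = f[0].rstrip(".").lower().partition(".")
    return {
        "hash": hash_label, "zone": zone,
        "alg": int(f[4]), "flags": int(f[5]), "iterations": int(f[6]),
        "salt": f[7], "next": f[8].lower(),
        "types": {t.upper() for t in f[9:]},   # the type bitmap
    }


def aggressive_lookup(cached: dict, qname: str, qtype: str) -> str:
    """What an aggressive NSEC cache concludes for (qname, qtype) from one
    cached NSEC3.  'NODATA' means the answer is synthesized from cache and the
    authoritative server is never asked; 'ASK-AUTH' means the record proves
    nothing usable for this question (only the exact-match case is modelled)."""
    if cached["alg"] != 1:
        return "ASK-AUTH"
    if nsec3_hash(qname, cached["salt"], cached["iterations"]) != cached["hash"]:
        return "ASK-AUTH"            # no exact match: not a NODATA proof
    if qtype.upper() in cached["types"]:
        return "ASK-AUTH"            # type is present; data must be fetched
    return "NODATA"                  # type absent from bitmap: denied


# The record quoted in the mail (returned for the AAAA query).
KPN_NSEC3 = ("cq026lgcduus730qu6cbhtrt7qpr2jnu.gslb.kpn.com. 86400 IN NSEC3 1 0 1 "
             "19623DE58C1E7E40 CQ026LGCDUUS730QU6CBHTRT7QPR2JNV TXT RRSIG")


def kpn_case(qtype: str = "A") -> str:
    """Decision the cache reaches for xdsl-c-serviceweb.gslb.kpn.com/<qtype>
    once the NSEC3 above has been cached by an earlier AAAA query."""
    return aggressive_lookup(parse_nsec3(KPN_NSEC3),
                             "xdsl-c-serviceweb.gslb.kpn.com", qtype)


if __name__ == "__main__":
    for qtype in ("A", "AAAA", "TXT"):
        print(qtype, "->", kpn_case(qtype))
```

If the owner label matches the hash of the name (as it should for a NODATA proof served by the auth), the A and AAAA lookups print NODATA while TXT prints ASK-AUTH; that NODATA is exactly the "does not even ask the auth" behaviour described, and it persists until the NSEC3's TTL expires or the cache is wiped.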