On 12/02/2026 06:19, listy via Pdns-users wrote:
Seems that in my 'traditional' forward zones config file I was missing
the '+'
+forwarded.zone=9.9.9.9,8.8.4.4
then yes, public recursors work - otherwise NS for those domains are
needed (as a side-note to beginner like myself)
The issue is that you need to set the "Recursion Desired" (RD) bit on
requests which are going to recursive servers. It must not be set on
requests which are sent to authoritative servers.
It's not really a case of NS records being required. An authoritative
server will typically have NS records pointing at it (so that it can be
found), but it's not necessary to function. You could, for example, set
up a standalone authoritative server for a hidden zone, and forward
requests to it from the recursor.
If the zone above is DNSSEC signed, but the hidden zone is not, that's
when a Negative Trust Anchor (NTA)
<https://doc.powerdns.com/recursor/lua-config/dnssec.html> is also required.
_______________________________________________
Pdns-users mailing list
[email protected]
https://mailman.powerdns.com/mailman/listinfo/pdns-users
