[Pdns-users] PDNS recursor dnssec settings

2019-03-05 Thread Michael Van Der Beek
Forgot to mention I am running.

rpm -qa | grep pdns
pdns-4.0.6-1pdns.el7.x86_64
dnsdist-1.1.0-1pdns.el7.x86_64
pdns-recursor-4.0.9-1pdns.el7.x86_64
pdns-backend-mysql-4.0.6-1pdns.el7.x86_64

And
MariaDB-server-10.1.38-1.el7.centos.x86_64


Thanks

Regards,

Michael
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] PDNS recursor dnssec settings

2019-03-05 Thread Remi Gacogne
Hi,

On 3/5/19 7:25 AM, 葉科貝 wrote:
> I'm testing new version pdns-recursor-4.2.0-0.alpha1.1 .
> 
> I set dnssec to use mode process.
> 
> When I query a record without ad or do flag, I receive the message
> "Answer to host.com.tw|A for 210.59.165.80:59977 validates as Bogus" .
> 
> Under the mode process, isn't this verification done?
> 
> Is my understanding wrong?

dig does set the AD flag by default, which leads to unexpected results.
Would you mind trying with +noad, i.e.:

dig host.com.tw  @103.17.10.61 -p 5301 +noad

For more information please have a look at
https://doc.powerdns.com/recursor/dnssec.html#what-when if you haven't
done so already.

Best regards,
-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
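
Added example (not part of the original thread or of PowerDNS): the reply above turns on which bits the client puts in its query, so this sketch builds the query as dig would send it with and without +noad and reads back the AD and DO bits a server sees. It assumes the behaviour of `dnssec=process` described in the linked documentation, where validation happens only when the client sets AD or DO; the function names are hypothetical.

```python
import struct

AD, RD = 0x0020, 0x0100   # header flag bits: Authentic Data, Recursion Desired
DO = 0x8000               # "DNSSEC OK" bit inside the EDNS0 OPT TTL field
OPT = 41                  # OPT pseudo-RR type


def build_query(name, ad=True, do=False, edns=True, qid=0x1234):
    """Build an A query; ad=True mirrors dig's default, ad=False is +noad."""
    flags = RD | (AD if ad else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1 if edns else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)        # QTYPE=A, QCLASS=IN
    opt = b""
    if edns:
        # root owner name, TYPE=OPT, CLASS=UDP payload size, TTL=flags, RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", OPT, 4096, DO if do else 0, 0)
    return header + question + opt


def client_bits(wire):
    """Return (ad, do) as a server would read them from a query packet."""
    _, flags, qdcount, _, _, arcount = struct.unpack("!HHHHHH", wire[:12])
    pos = 12
    for _ in range(qdcount):                  # skip each question
        while wire[pos] != 0:
            pos += 1 + wire[pos]
        pos += 1 + 4                          # root label + QTYPE/QCLASS
    do = False
    for _ in range(arcount):
        if wire[pos] != 0:                    # OPT always has the root owner name
            break
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", wire[pos + 1:pos + 11])
        if rtype == OPT:
            do = bool(ttl & DO)
        pos += 11 + rdlen
    return bool(flags & AD), do


def validates_in_process_mode(wire):
    """Assumed dnssec=process rule: validate only if the client set AD or DO."""
    ad, do = client_bits(wire)
    return ad or do


if __name__ == "__main__":
    # Constructed queries for the name used in the thread.
    for label, kw in [("dig default", {}), ("dig +noad", {"ad": False}),
                      ("dig +noad +dnssec", {"ad": False, "do": True})]:
        q = build_query("host.com.tw", **kw)
        print(label, client_bits(q), validates_in_process_mode(q))
```
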





[Pdns-users] PDNS recursor dnssec settings

2019-03-05 Thread 葉科貝

Hi!
I'm testing new version pdns-recursor-4.2.0-0.alpha1.1 .
I set dnssec to use mode process.
When I query a record without ad or do flag, I receive the message "Answer to 
host.com.tw|A for 210.59.165.80:59977 validates as Bogus" .
Under the mode process, isn't this verification done?
Is my understanding wrong?

I am looking forward to your reply.
Best regards
Beck Yeh

Here is my query and trace message
query:
root@PC-24:~# dig  host.com.tw  @103.17.10.61 -p 5301

; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> host.com.tw @103.17.10.61 -p 5301
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53650
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;host.com.tw.   IN  A

;; Query time: 31 msec
;; SERVER: 103.17.10.61#5301(103.17.10.61)
;; WHEN: Fri Feb 22 15:02:06 DST 2019
;; MSG SIZE  rcvd: 40

trace:
Feb 22 15:02:06 pdns pdns_recursor: 1 [2/1] question for 'host.com.tw|A' from 
210.59.165.80:59977
Feb 22 15:02:06 pdns pdns_recursor: [2] host.com.tw: Wants DNSSEC processing, 
auth data in query for A
Feb 22 15:02:06 pdns pdns_recursor: [2] host.com.tw: Looking for CNAME cache 
hit of 'host.com.tw|CNAME'
Feb 22 15:02:06 pdns pdns_recursor: [2] host.com.tw: No CNAME cache hit of 
'host.com.tw|CNAME' found
Feb 22 15:02:06 pdns pdns_recursor: [2] host.com.tw: No cache hit for 
'host.com.tw|A', trying to find an appropriate NS record
Feb 22 15:02:06 pdns pdns_recursor: [2] : got TA for '.'
Feb 22 15:02:06 pdns pdns_recursor: [2] : setting cut state for . to Secure
Feb 22 15:02:06 pdns pdns_recursor: [2] : - Looking for a cut at tw
Feb 22 15:02:06 pdns pdns_recursor: [2] : no TA found for 'tw' among 1
Feb 22 15:02:06 pdns pdns_recursor: [2]   tw: Wants DNSSEC processing, auth 
data in query for DS
Feb 22 15:02:06 pdns pdns_recursor: [2]   tw: No cache hit for 'tw|DS', trying 
to find an appropriate NS record
Feb 22 15:02:06 pdns pdns_recursor: [2] : got status Secure for name tw (from .)
Feb 22 15:02:06 pdns pdns_recursor: [2]   tw: initial validation status for tw 
is Secure
Feb 22 15:02:06 pdns pdns_recursor: [2]   tw: Cache consultations done, have 1 
NS to contact
Feb 22 15:02:06 pdns pdns_recursor: [2]   tw: Domain has hardcoded nameservers
Feb 22 15:02:06 pdns pdns_recursor: [2]   tw.: Nameservers: 
+168.95.1.1:53(0.00ms), +8.8.8.8:53(1.93ms), +8.8.4.4:53(3.75ms)
Feb 22 15:02:06 pdns pdns_recursor: [2]   tw: Resolved '.' NS (empty) to: 
168.95.1.1, 8.8.8.8, 8.8.4.4
Feb 22 15:02:06 pdns pdns_recursor: [2]   tw: Trying IP 168.95.1.1:53, asking 
'tw|DS'
Feb 22 15:02:06 pdns pdns_recursor: [2]   tw: Got 3 answers from (empty) 
(168.95.1.1), rcode=0 (No Error), aa=0, in 1ms
Feb 22 15:02:06 pdns pdns_recursor: [2]   tw: accept answer 'tw|DS|40792 8 2 
a05db4b0deb971031361bb621e8bb1b8d7346665a3d1b06ec1431adb7d015ee9' from '.' 
nameservers? ttl=82724, place=1 YES! - This answer was received from a server 
we forward to.
Feb 22 15:02:06 pdns pdns_recursor: [2]   tw: accept answer 'tw|RRSIG|DS 8 1 
86400 2019030705 2019022204 16749 . 
lTD7WoWovROn6vPEUOhUxYKIoFYY3BXHiEzJbRU11ugFa8PbTpSaUK2S3/61NoJviDBjLgDtcFg6Isp/kcOv+BmjNgM2xLBCVwtwh8juWALyk6Bwt4eJ6GsMeLNfKzr2rtudkXqOu2HkuSGpxZAHvnbeKjBx7VdhmuJ6S60D6uPri8+NrHAUmiCWhLM++XFi9LyV7uAjttwiIhkGo0r1YaLDRoOoOq8Ilq0epp2Yh35NFi8Ns6/USjl3MuhnP7pdYKOkSMBgoVNkxINON2Zz6aE7lkECTOsewcx1anR939RdGLANGxbjZhu94Gq6l3xlYUVGjY2iwaBD3R28uyvqEQ=='
 from '.' nameservers? ttl=80065, place=1 RRSIG - separate
Feb 22 15:02:06 pdns pdns_recursor: [2]   tw: OPT answer '.' from '.' 
nameservers
Feb 22 15:02:06 pdns pdns_recursor: [2] : got status Secure for name tw (from .)
Feb 22 15:02:06 pdns pdns_recursor: [2] : got initial zone status Secure for 
record tw|DS
Feb 22 15:02:06 pdns pdns_recursor: [2] Validating non-additional record for tw
Feb 22 15:02:06 pdns pdns_recursor: [2] Retrieving DNSKeys for .
Feb 22 15:02:06 pdns pdns_recursor: [2]    .: Wants DNSSEC processing, auth 
data in query for DNSKEY
Feb 22 15:02:06 pdns pdns_recursor: [2]    .: Found cache hit for DNSKEY: 256 3 
8 
AwEAAcH+axCdUOsTc9o+jmyVq5rsGTh1EcatSumPqEfsPBT+whyj0/UhD7cWeixV9Wqzj/cnqs8iWELqhdzGX41ZtaNQUfWNfOriASnWmX2D9m/EunplHu8nMSlDnDcT7+llE9tjk5HI1Sr7d9N16ZTIrbVALf65VB2ABbBG39dyAb7tz21PICJbSp2cd77UF7NFqEVkqohl/LkDw+7Apalmp0qAQT1Mgwi2cVxZMKUiciA6EqS+KNajf0A6olO2oEhZnGGY6b1LTg34/YfHdiIIZQqAfqbieruCGHRiSscC2ZE7iNreL/76f4JyIEUNkt6bQA29JsegxorLzQkpF7NKqZc=[ttl=86392]
 257 3 8 
AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=[ttl=86392]
 385 3 8