Hi!
I'm testing new version pdns-recursor-4.2.0-0.alpha1.1 .
I set dnssec use mod process.
When I query a record without ad or do flag, I receive the message "Answer to
host.com.tw|A for 210.59.165.80:59977 validates as Bogus" .
Under the mode process, isn't this verification done?
Is my understanding wrong?
I am looking forward to your reply.
Best regards
Beck Yeh
Here is my query and trace message
query:
root@PC-24:~# dig host.com.tw @103.17.10.61 -p 5301
; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> host.com.tw @103.17.10.61 -p 5301
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53650
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;host.com.tw. IN A
;; Query time: 31 msec
;; SERVER: 103.17.10.61#5301(103.17.10.61)
;; WHEN: Fri Feb 22 15:02:06 DST 2019
;; MSG SIZE rcvd: 40
trace:
Feb 22 15:02:06 pdns pdns_recursor: 1 [2/1] question for 'host.com.tw|A' from
210.59.165.80:59977
Feb 22 15:02:06 pdns pdns_recursor: [2] host.com.tw: Wants DNSSEC processing,
auth data in query for A
Feb 22 15:02:06 pdns pdns_recursor: [2] host.com.tw: Looking for CNAME cache
hit of 'host.com.tw|CNAME'
Feb 22 15:02:06 pdns pdns_recursor: [2] host.com.tw: No CNAME cache hit of
'host.com.tw|CNAME' found
Feb 22 15:02:06 pdns pdns_recursor: [2] host.com.tw: No cache hit for
'host.com.tw|A', trying to find an appropriate NS record
Feb 22 15:02:06 pdns pdns_recursor: [2] : got TA for '.'
Feb 22 15:02:06 pdns pdns_recursor: [2] : setting cut state for . to Secure
Feb 22 15:02:06 pdns pdns_recursor: [2] : - Looking for a cut at tw
Feb 22 15:02:06 pdns pdns_recursor: [2] : no TA found for 'tw' among 1
Feb 22 15:02:06 pdns pdns_recursor: [2] tw: Wants DNSSEC processing, auth
data in query for DS
Feb 22 15:02:06 pdns pdns_recursor: [2] tw: No cache hit for 'tw|DS', trying
to find an appropriate NS record
Feb 22 15:02:06 pdns pdns_recursor: [2] : got status Secure for name tw (from .)
Feb 22 15:02:06 pdns pdns_recursor: [2] tw: initial validation status for tw
is Secure
Feb 22 15:02:06 pdns pdns_recursor: [2] tw: Cache consultations done, have 1
NS to contact
Feb 22 15:02:06 pdns pdns_recursor: [2] tw: Domain has hardcoded nameservers
Feb 22 15:02:06 pdns pdns_recursor: [2] tw.: Nameservers:
+168.95.1.1:53(0.00ms), +8.8.8.8:53(1.93ms), +8.8.4.4:53(3.75ms)
Feb 22 15:02:06 pdns pdns_recursor: [2] tw: Resolved '.' NS (empty) to:
168.95.1.1, 8.8.8.8, 8.8.4.4
Feb 22 15:02:06 pdns pdns_recursor: [2] tw: Trying IP 168.95.1.1:53, asking
'tw|DS'
Feb 22 15:02:06 pdns pdns_recursor: [2] tw: Got 3 answers from (empty)
(168.95.1.1), rcode=0 (No Error), aa=0, in 1ms
Feb 22 15:02:06 pdns pdns_recursor: [2] tw: accept answer 'tw|DS|40792 8 2
a05db4b0deb971031361bb621e8bb1b8d7346665a3d1b06ec1431adb7d015ee9' from '.'
nameservers? ttl=82724, place=1 YES! - This answer was received from a server
we forward to.
Feb 22 15:02:06 pdns pdns_recursor: [2] tw: accept answer 'tw|RRSIG|DS 8 1
86400 2019030705 2019022204 16749 .
lTD7WoWovROn6vPEUOhUxYKIoFYY3BXHiEzJbRU11ugFa8PbTpSaUK2S3/61NoJviDBjLgDtcFg6Isp/kcOv+BmjNgM2xLBCVwtwh8juWALyk6Bwt4eJ6GsMeLNfKzr2rtudkXqOu2HkuSGpxZAHvnbeKjBx7VdhmuJ6S60D6uPri8+NrHAUmiCWhLM++XFi9LyV7uAjttwiIhkGo0r1YaLDRoOoOq8Ilq0epp2Yh35NFi8Ns6/USjl3MuhnP7pdYKOkSMBgoVNkxINON2Zz6aE7lkECTOsewcx1anR939RdGLANGxbjZhu94Gq6l3xlYUVGjY2iwaBD3R28uyvqEQ=='
from '.' nameservers? ttl=80065, place=1 RRSIG - separate
Feb 22 15:02:06 pdns pdns_recursor: [2] tw: OPT answer '.' from '.'
nameservers
Feb 22 15:02:06 pdns pdns_recursor: [2] : got status Secure for name tw (from .)
Feb 22 15:02:06 pdns pdns_recursor: [2] : got initial zone status Secure for
record tw|DS
Feb 22 15:02:06 pdns pdns_recursor: [2] Validating non-additional record for tw
Feb 22 15:02:06 pdns pdns_recursor: [2] Retrieving DNSKeys for .
Feb 22 15:02:06 pdns pdns_recursor: [2] .: Wants DNSSEC processing, auth
data in query for DNSKEY
Feb 22 15:02:06 pdns pdns_recursor: [2] .: Found cache hit for DNSKEY: 256 3
8
AwEAAcH+axCdUOsTc9o+jmyVq5rsGTh1EcatSumPqEfsPBT+whyj0/UhD7cWeixV9Wqzj/cnqs8iWELqhdzGX41ZtaNQUfWNfOriASnWmX2D9m/EunplHu8nMSlDnDcT7+llE9tjk5HI1Sr7d9N16ZTIrbVALf65VB2ABbBG39dyAb7tz21PICJbSp2cd77UF7NFqEVkqohl/LkDw+7Apalmp0qAQT1Mgwi2cVxZMKUiciA6EqS+KNajf0A6olO2oEhZnGGY6b1LTg34/YfHdiIIZQqAfqbieruCGHRiSscC2ZE7iNreL/76f4JyIEUNkt6bQA29JsegxorLzQkpF7NKqZc=[ttl=86392]
257 3 8
AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=[ttl=86392]
385 3 8