Re: [Pdns-users] pdns-recursor 4.0.0~alpha3-1 - no DNSSEC answer?

2016-05-20 Thread Pieter Lexis
Hi Leen,

On Fri, 20 May 2016 10:08:51 +0200
l...@consolejunkie.net wrote:

> I've been wondering about this, I haven't tried the new recursor yet. 
> So to make it more clear:
> If you enable DNSSEC-processing of the recursor and nothing is cached 
> and you request something without DO-bit set does it do 
> DNSSEC-processing or not ?

In process-mode, the recursor always sends out queries with the DO-bit set (so 
this data is in the cache) and strips DNSSEC records in the reply to the client 
when the client does not set the DO-bit.

And if the client does not set the AD-bit it will not validate, so it might 
return bogus data in process mode. In validation mode, it will return SERVFAIL 
for bogus data, even when the client does not ask for validation.

-- 
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] pdns-recursor 4.0.0~alpha3-1 - no DNSSEC answer?

2016-05-20 Thread Pieter Lexis
Hi Leen and Michael,

On Fri, 20 May 2016 09:31:31 +0200
Leen Besselink  wrote:
> I forgot to mention, when you query a recursor, the recursor can also 
> indicate that the response is DNSSEC-validated, you need to look at the 
> AD-bit.

For completeness, the recursor follows RFC 6840[1] §5.7 pretty strictly (in a 
DNSSEC mode). This means that a +AD bit in the query will trigger validation in 
process mode. When the AD bit is not set in the query, the recursor will not 
answer with the AD bit set, even when the data is validated (in validation 
mode).

The DO bit in the query is interpreted as 'give me DNSSEC records', this means 
that the recursor will return NSEC(3) and RRSIG records in the response. But if 
there is no AD bit set, no validation will take place.

Best regards,

Pieter

1 - https://tools.ietf.org/html/rfc6840

-- 
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com
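
The DO and AD bits discussed in this thread live in different places in a DNS message: AD is a header flag, DO is carried in the TTL field of the EDNS0 OPT record. The following Python sketch is an added example (not part of any poster's message and not PowerDNS code; the function names are illustrative). It builds queries equivalent to `dig +adflag` and `dig +dnssec` and inspects any query or response for RCODE, AD, DO and RRSIG records.

```python
import struct

AD_FLAG, RD_FLAG = 0x0020, 0x0100   # header flags; AD = "authentic data"
DO_FLAG = 0x8000                    # EDNS0 "DNSSEC OK", carried in the OPT TTL field
TYPE_OPT, TYPE_RRSIG = 41, 46

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=1, want_ad=False, want_do=False, qid=0x1234):
    """Wire-format query; want_ad ~ dig +adflag, want_do ~ dig +dnssec."""
    flags = RD_FLAG | (AD_FLAG if want_ad else 0)
    msg = struct.pack("!6H", qid, flags, 1, 0, 0, 1 if want_do else 0)
    msg += encode_name(name) + struct.pack("!2H", qtype, 1)
    if want_do:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = flags, no RDATA
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, DO_FLAG, 0)
    return msg

def skip_name(msg, off):
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:        # a compression pointer ends the name
            return off + 2
        off += 1 + n

def inspect(msg):
    """Report RCODE, AD, DO and the RRSIG count of a query or response."""
    _, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    info = {"rcode": flags & 0xF, "ad": bool(flags & AD_FLAG),
            "do": False, "rrsigs": 0}
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            info["do"] = bool(ttl & DO_FLAG)
        elif rtype == TYPE_RRSIG:
            info["rrsigs"] += 1
    return info

if __name__ == "__main__":
    for ad, do in [(False, False), (False, True), (True, False), (True, True)]:
        print(f"AD={ad} DO={do}:", inspect(build_query("www.denic.de", want_ad=ad, want_do=do)))
```

Running `inspect()` over the raw bytes of a captured reply shows whether the resolver set AD and whether RRSIG records were returned, which are the two things the DO and AD query bits control independently.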


Re: [Pdns-users] pdns-recursor 4.0.0~alpha3-1 - no DNSSEC answer?

2016-05-20 Thread Leen Besselink
On Fri, May 20, 2016 at 08:10:23AM +0200, Bit World Computing - Michael Mertel 
wrote:
> Hi Leen,
> 
> thanks for clearing this up. My approach was a bit too naive but my recursor 
> is now returning what's expected.
> 
> The +dnssec parameter is the essential trick, and depending on dnssec=off or 
> =process in my recursor.conf the recursor is returning the correct 
> information.
> 
> Thanks for your feedback.
> 

I forgot to mention, when you query a recursor, the recursor can also indicate 
that the response is DNSSEC-validated, you need to look at the AD-bit.

See the dig output here:

https://docs.menandmice.com/display/MM/How+to+test+DNSSEC+validation

You will need the AD-bit if you have an application which depends on that, but 
it can't really be trusted unless it's running on the same machine, aka 
localhost.

But it is also an indicator from the recursor that it did the 
DNSSEC-validation, so it's useful if you want to know what the recursor is 
doing.


Re: [Pdns-users] pdns-recursor 4.0.0~alpha3-1 - no DNSSEC answer?

2016-05-20 Thread Bit World Computing - Michael Mertel
Hi Leen,

thanks for clearing this up. My approach was a bit too naive but my recursor is 
now returning what's expected.

The +dnssec parameter is the essential trick, and depending on dnssec=off or 
=process in my recursor.conf the recursor is returning the correct information.

Thanks for your feedback.

—Michael



Re: [Pdns-users] pdns-recursor 4.0.0~alpha3-1 - no DNSSEC answer?

2016-05-19 Thread Leen Besselink
On Thu, May 19, 2016 at 03:00:12PM +0200, Bit World Computing - Michael Mertel 
wrote:
> Hi,
> 

Hi,

> I'm currently trying to get a better understanding of DNSSEC. But even if I 
> enable dnssec=process in my recursor.conf, I cannot get any DNSSEC related 
> answer from it. What am I doing wrong here, I'm somewhat lost?
> 
> —
> --- direct query 
> dig @ns1.denic.de ANY www.denic.de
> ;; ANSWER SECTION:
> www.denic.de.  3600  IN  A      81.91.170.12
> www.denic.de.  3600  IN  RRSIG  A 8 3 3600 2016060209 
> 2016051909 26155 denic.de. 
> rPMh+rMzzR2S4ZfPNlRVhhMInQ2NRJnbrVdpcu1pSiao0sNQ0cT0VtbG 
> lt5inSNmhglwvHKVug4zMHlS+LOtXeRDikzZSvL9k3oam/livEQ4MaKO 
> ZOR9PkIC8bf0bUj1Asfn2ifE9t5GmMXq6mFbP5ey38Q8bQn+nSancGwG 
> AIvwtwE0rFUh5dH9o767dE3U+wl0Phx7QgzzT68gix9YosPmSFRJnZGp 
> ICqyiViPDzmiU1WUjmpe9Vx3xHEPVHuS
> 
> ;; AUTHORITY SECTION:
> denic.de.      3600  IN  NS     ns2.denic.de.
> denic.de.      3600  IN  NS     ns3.denic.de.
> denic.de.      3600  IN  NS     ns1.denic.de.
> 
> ;; ADDITIONAL SECTION:
> ns1.denic.de.  3600  IN  A      81.91.170.1
> ns1.denic.de.  3600  IN  AAAA   2a02:568:121:6:2::2
> ns2.denic.de.  3600  IN  A      78.104.145.26
> ns3.denic.de.  3600  IN  A      81.91.173.19


DENIC can return whatever they want with an ANY-query, but that doesn't mean 
it's DNSSEC.

> 
> —
> — query through dnsdist —
> dig @192.168.1.5 ANY www.denic.de
> 
> ;; ANSWER SECTION:
> www.denic.de.  2083  IN  A      81.91.170.12
> www.denic.de.  2083  IN  RRSIG  A 8 3 3600 2016060109 
> 2016051809 26155 denic.de. 
> CjMNUtYc5apXRuMLeqH+s8OoOrYyoV5r/CD0xmUNQIhT9DpS80QhB6b2 
> oMhjxPqAN4leJUbJvMv23mAOMmnqViITN5c6aLWywDBcaN4JKCwBQbD8 
> n8LxMSC2QxKM7Ypl8bQBBvPTrT9fHauXGlLcQNLWtYPQ8vD7+5XurFJm 
> YCe6ZV3KTwkzHjDJSv4tSPFLfCHuFJSMtXqLewqwNPstqzvu4DXznj6Z 
> RcYURFkGvSJsajzbVbVvDMrFO3tY6Faa
> 
> —
> — query through recursor (no forwarders, dnssec=process) —
> dig -p 5153 @192.168.1.5 ANY www.denic.de
> 
> ;; ANSWER SECTION:
> www.denic.de.  2724  IN  A      81.91.170.12
> 
> —
> 
> Thanks in advance.
> 

This would be the usual way to check DNSSEC. Without:

$ dig @d.ns.nic.cz labs.nic.cz A

; <<>> DiG 9.8.1-P1 <<>> @d.ns.nic.cz labs.nic.cz A
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60824
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;labs.nic.cz.   IN  A

;; ANSWER SECTION:
labs.nic.cz.   1800  IN  A      217.31.205.52

;; AUTHORITY SECTION:
nic.cz.        1800  IN  NS     a.ns.nic.cz.
nic.cz.        1800  IN  NS     b.ns.nic.cz.
nic.cz.        1800  IN  NS     d.ns.nic.cz.

;; ADDITIONAL SECTION:
a.ns.nic.cz.   1800  IN  A      194.0.12.1
a.ns.nic.cz.   1800  IN  AAAA   2001:678:f::1
b.ns.nic.cz.   1800  IN  A      194.0.13.1
b.ns.nic.cz.   1800  IN  AAAA   2001:678:10::1
d.ns.nic.cz.   1800  IN  A      193.29.206.1
d.ns.nic.cz.   1800  IN  AAAA   2001:678:1::1

With DNSSEC:

$ dig +dnssec @d.ns.nic.cz labs.nic.cz A

; <<>> DiG 9.8.1-P1 <<>> +dnssec @d.ns.nic.cz labs.nic.cz A
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54051
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 10
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;labs.nic.cz.   IN  A

;; ANSWER SECTION:
labs.nic.cz.   1800  IN  A      217.31.205.52
labs.nic.cz.   1800  IN  RRSIG  A 5 3 1800 20160531125753 
20160518035002 37152 nic.cz. 
0xzEtxkFeiOrdU2dqdKWmltIQEHn28Rv3bZKepOFmr3EUDcQDiGtWoV4 
CRUdrcKAoP9Gjq31qqHjYd7xvKJo54jb9IMI42X6PTHe+Mm/dgyYgoQw 
wdMjd+i/oEGF9MH/6BYbviaStGK5ocAsbB49pbvJW1Fh+e8rcTiHt9tt wlU=

;; AUTHORITY SECTION:
nic.cz.        1800  IN  NS     a.ns.nic.cz.
nic.cz.        1800  IN  NS     b.ns.nic.cz.
nic.cz.        1800  IN  NS     d.ns.nic.cz.
nic.cz.        1800  IN  RRSIG  NS 5 2 1800 20160531192914 
20160518035002 37152 nic.cz. 
eddprYYJBlc+xmv1WAuOLJ8zek0G4dtXlOSx3cNp4KFwscwsKBKD07k7 
jScwCdvHZsnD2tOjDtJ0cPyMl/JffL9s4lXp5nqh7rtrTPPHMzqER3Zy 
MsY+/Nl0MJV3Z15wRzgSvnG/EjXxHLJ+vRIShWceXXhdFCt+5vR2wwng evk=

;; ADDITIONAL SECTION:
a.ns.nic.cz.   1800  IN  A      194.0.12.1
a.ns.nic.cz.   1800  IN  AAAA   2001:678:f::1
b.ns.nic.cz.   1800

[Pdns-users] pdns-recursor 4.0.0~alpha3-1 - no DNSSEC answer?

2016-05-19 Thread Bit World Computing - Michael Mertel
Hi,

I'm currently trying to get a better understanding of DNSSEC. But even if I 
enable dnssec=process in my recursor.conf, I cannot get any DNSSEC related 
answer from it. What am I doing wrong here, I'm somewhat lost?

—
--- direct query 
dig @ns1.denic.de ANY www.denic.de
;; ANSWER SECTION:
www.denic.de.  3600  IN  A      81.91.170.12
www.denic.de.  3600  IN  RRSIG  A 8 3 3600 2016060209 
2016051909 26155 denic.de. 
rPMh+rMzzR2S4ZfPNlRVhhMInQ2NRJnbrVdpcu1pSiao0sNQ0cT0VtbG 
lt5inSNmhglwvHKVug4zMHlS+LOtXeRDikzZSvL9k3oam/livEQ4MaKO 
ZOR9PkIC8bf0bUj1Asfn2ifE9t5GmMXq6mFbP5ey38Q8bQn+nSancGwG 
AIvwtwE0rFUh5dH9o767dE3U+wl0Phx7QgzzT68gix9YosPmSFRJnZGp 
ICqyiViPDzmiU1WUjmpe9Vx3xHEPVHuS

;; AUTHORITY SECTION:
denic.de.      3600  IN  NS     ns2.denic.de.
denic.de.      3600  IN  NS     ns3.denic.de.
denic.de.      3600  IN  NS     ns1.denic.de.

;; ADDITIONAL SECTION:
ns1.denic.de.  3600  IN  A      81.91.170.1
ns1.denic.de.  3600  IN  AAAA   2a02:568:121:6:2::2
ns2.denic.de.  3600  IN  A      78.104.145.26
ns3.denic.de.  3600  IN  A      81.91.173.19

—
— query through dnsdist —
dig @192.168.1.5 ANY www.denic.de

;; ANSWER SECTION:
www.denic.de.  2083  IN  A      81.91.170.12
www.denic.de.  2083  IN  RRSIG  A 8 3 3600 2016060109 
2016051809 26155 denic.de. 
CjMNUtYc5apXRuMLeqH+s8OoOrYyoV5r/CD0xmUNQIhT9DpS80QhB6b2 
oMhjxPqAN4leJUbJvMv23mAOMmnqViITN5c6aLWywDBcaN4JKCwBQbD8 
n8LxMSC2QxKM7Ypl8bQBBvPTrT9fHauXGlLcQNLWtYPQ8vD7+5XurFJm 
YCe6ZV3KTwkzHjDJSv4tSPFLfCHuFJSMtXqLewqwNPstqzvu4DXznj6Z 
RcYURFkGvSJsajzbVbVvDMrFO3tY6Faa

—
— query through recursor (no forwarders, dnssec=process) —
dig -p 5153 @192.168.1.5 ANY www.denic.de

;; ANSWER SECTION:
www.denic.de.  2724  IN  A      81.91.170.12

—

Thanks in advance.

—Michael