Hi Lars,

On 12/14/2017 01:49 PM, Lars Dunemark wrote:
> The domain where we find the problem is ansible.skatteverket.se, that is
> one of the MX for skatteverket.se. The other MX servers seem to
> validate as secure. (telegraf.skatteverket.se, marathon.skatteverket.se)
>
> I have published our trace on: https://pastebin.com/CDeTy6Mv
So I can't reproduce this issue here, but what we can see on this trace around line 1542 is that the recursor asks 130.242.124.20 for ansible.skatteverket.se|A, and a NoError answer comes in without any RRSIG. Such an answer in a Secure zone leads to a Bogus, because it's not signed.

Now the question is why do we get this answer? Except for a bug in the authoritative server, which I don't see by interrogating it by hand, the only explanation would be that we didn't ask for DNSSEC records in our query, because we consider the server to send FORMERR/NOTIMP on EDNS queries. We don't log that (we should, I'll open a PR for that later), but if you can reproduce the issue you can get a dump of our EDNS status database using:

rec_control dump-edns /tmp/EDNS.dump

This will dump the EDNS state for all authoritative servers we have in memory into the specified file. Note that if you do use our systemd unit file, PrivateTmp is set to true so you should look for this file under /tmp/systemd-private-*-pdns-recursor.service-*/tmp

It would be very nice if you could report back the content of this file, especially for the NS of this domain. My guess is that you should see a value of 3 for at least one of them. If that's the case, we will need to understand why we marked this server as not understanding EDNS. It might be a bug in the server, or in the recursor.

Someone reported an issue that looks a lot like yours a couple of days ago, and I'll open a PR fixing that one today. I'm hoping it might fix yours too, but that's impossible to say for certain until I can reproduce it or at least get more information.

Best regards,
-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
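An added helper script illustrating the two practical steps in the reply above (finding the `rec_control dump-edns` output when the unit runs with PrivateTmp, and picking out the nameserver addresses the recursor has marked as not speaking EDNS). This is example code written for this page, not part of the mailing list post or of the PowerDNS Recursor itself. It assumes the dump is one entry per line in the form `address<TAB>mode<TAB>time`, with comment lines starting with `;`, and that the interesting mode value is 3 as the reply states; the addresses in the embedded sample dump are constructed documentation-range values, not the real nameservers of the domain discussed.

```shell
#!/bin/sh
# Added example (not from the post or the PowerDNS project): locate the
# EDNS status dump and report which nameserver addresses are marked as
# not understanding EDNS. Dump line format is an ASSUMPTION:
#   <address>\t<mode>\t<time>   (lines starting with ';' are comments)

# Locate the dump: with the stock systemd unit PrivateTmp=true moves /tmp
# under /tmp/systemd-private-*-pdns-recursor.service-*/tmp, so try that
# first and fall back to the plain /tmp path.
find_edns_dump() {
    name=${1:-EDNS.dump}
    for f in /tmp/systemd-private-*-pdns-recursor.service-*/tmp/"$name" /tmp/"$name"; do
        if [ -f "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Print "<address> <mode> <verdict>" for each requested address found in
# the dump; mode 3 is the "does not speak EDNS" state named in the post.
report_noedns() {
    dump=$1
    shift
    for ip in "$@"; do
        awk -v ip="$ip" -F'\t' \
            '$1 == ip { print $1, $2, ($2 == 3 ? "NO-EDNS" : "ok") }' "$dump"
    done
}

# List every address in the dump currently in mode 3, to compare against
# the NS set of the domain (e.g. from `dig +short NS skatteverket.se`).
list_noedns() {
    awk -F'\t' '$1 !~ /^;/ && $2 == 3 { print $1 }' "$1"
}

# Constructed sample dump so the script runs offline; on a real host the
# file comes from `rec_control dump-edns /tmp/EDNS.dump`.
sample=$(mktemp)
{
    printf '; edns from thread follows\n;\n'
    printf '%s\t%s\t%s\n' 192.0.2.10 3 'Thu Dec 14 13:49:00 2017'
    printf '%s\t%s\t%s\n' 192.0.2.11 1 'Thu Dec 14 13:49:02 2017'
    printf '%s\t%s\t%s\n' 192.0.2.12 0 'Thu Dec 14 13:49:05 2017'
} > "$sample"

# Stand-alone run: prefer a real dump if one exists, else use the sample.
if dump=$(find_edns_dump EDNS.dump); then
    echo "using recursor dump: $dump"
else
    echo "no recursor dump found, using constructed sample: $sample"
    dump=$sample
fi
echo "addresses marked NO-EDNS (mode 3):"
list_noedns "$dump"
```

Run it as-is to see the sample output, or, after reproducing the problem, `rec_control dump-edns /tmp/EDNS.dump` and then `report_noedns "$(find_edns_dump)" <ns-address> ...` with the addresses of the domain's NS records to get a per-server verdict.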