On Thu, Jan 27, 2022 at 12:47:57PM +0330, Hamed Haghshenas via Pdns-users wrote:
> Hello,
>
> I tried to use dnssec=validate the same as Google DNS (8.8.8.8), but my DNS
> server for some sites like activity.basalam.com returned an error "Server
> failed". I used 8.8.8.8 and was successful.
>
> When using the default value "process" for dnssec the resolve will be
> successful.
>
> I would appreciate it if you could help me to fix this.
>
> Best Regards,
>
> Hamed Haghshenas

Hello,

this domain is broken in various ways (see below). I'm investigating if
this indeed *should* lead to failure to resolve.

As a workaround, you can add a negative trust anchor for basalam.com.:
in your Lua config file, add

    addNTA("basalam.com.", "ignore broken dnssec records")

If you do not have a Lua config file, create one with the above line in
it and set

    lua-config-file=<path of Lua config file>

in recursor.conf

As for the issues with the domain itself, the issue seems to come from
the fact that a DS query for activity.basalam.com is answered by a CNAME
record. OTOH, the delegation from .com is Insecure, so I wonder why we
are trying to validate. As said, I'll investigate more.

https://dnsviz.net/d/activity.basalam.com/dnssec/ shows the issues with
the domain.

-Otto