Re: [Pdns-users] DNSSEC error

Fri, 18 Aug 2023 02:12:52 -0700 

Thank you, I understand, that our server is not authoritative for .de. bur it 
seems our zone is no longer signed, but it was signed in the past. Do I have to 
resign uni-wh.de? How can this disappear?


dig @127.0.0.1 dmz6.uni-wh.de. rrsig

; <<>> DiG 9.18.12-0ubuntu0.22.04.2-Ubuntu <<>> @127.0.0.1 dmz6.uni-wh.de. rrsig
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 51126
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;dmz6.uni-wh.de.                        IN      RRSIG

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri Aug 18 11:07:37 CEST 2023
;; MSG SIZE  rcvd: 43



Von: Brian Candler <b.cand...@pobox.com>
Gesendet: Freitag, 18. August 2023 10:15
An: All about using and deploying powerdns <pdns-users@mailman.powerdns.com>
Cc: Huber, Peter <peter.hu...@uni-wh.de>
Betreff: Re: [Pdns-users] DNSSEC error

On 18/08/2023 08:53, Huber, Peter via Pdns-users wrote:
i have strange thing using the pdns resolver. My domain uni-wh.de was ok for a 
long time, now there seems to be a DNSSEC problem and I don’t know where this 
comes from, nor how to fix this.
What I am testing:

delv @193.175.243.110 uni-wh.de

You say the problem is with a "pdns resolver", but 193.175.243.110 is an 
authoritative server, not a recursor.
From the error output you gave, it looks like you're using a tool which wants 
to talk to a recursor:
;; chase DS servers resolving 'uni-wh.de/DS/IN': 193.175.243.110#53
;; REFUSED unexpected RCODE resolving 'de/NS/IN': 193.175.243.110#53
;; REFUSED unexpected RCODE resolving './NS/IN': 193.175.243.110#53
;; REFUSED unexpected RCODE resolving 'de/DS/IN': 193.175.243.110#53

Your authoritative server is (correctly) refusing to answer queries for domains 
it is not authoritative for, like ".de" and the root.

There are various online DNSSEC checkers. I checked a couple with uni-wh.de and 
they seem to think it's fine (and I can resolve it fine), so I don't think 
there's any problem.

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users

Reply via email to