On 30/04/2024 08:23, Jan Gardian via Pdns-users wrote:
tcpdump:
"
17:31:22.071802 IP 192.168.0.101.41941 > pdns-recursor.domain: 65094+ [1au] A? liveaqest.live. (55)
17:31:22.072588 IP pdns-recursor.55092 > dns.google.domain: 5457+% [1au] A? liveaqest.live. (43)
17:31:22.090703 IP dns.google.domain > pdns-recursor.55092: 5457 2/0/1 A 188.114.97.3, A 188.114.96.3 (75)
17:31:22.091020 IP pdns-recursor.52908 > dns0.eu.domain: 55841 [1au] DS? live. (33)
17:31:22.095823 IP dns0.eu.domain > pdns-recursor.52908: 55841$ 0/14/1 (530)
17:31:22.096001 IP pdns-recursor.25826 > dns0.eu.domain: 28404 [1au] DS? live. (33)
17:31:22.099646 IP pdns-recursor.34244 > 10.35.21.1.domain: 26987+ PTR? 101.0.164.192.in-addr.arpa. (42)
17:31:22.100761 IP dns0.eu.domain > pdns-recursor.25826: 28404$ 0/14/1 (530)
17:31:22.101142 IP pdns-recursor.domain > 192.168.0.101.41941: 65094 ServFail 0/0/1 (43)
"

The fourth and fifth packets show a query and response for a DS record, i.e. it's trying to do DNSSEC validation, starting at "live." and working downwards. I therefore suspect that's the problem.

I'm not sure *exactly* why DNSSEC is failing to verify though: it seems "live" is signed but "liveaqest.live" is not, and that ought to be fine.  And I don't know why the 6th/8th packets are repeating the same DS query.

As a quick workaround (or at least to prove whether this is the issue), you could add a Negative Trust Anchor for liveaqest.live. See:

https://doc.powerdns.com/recursor/yamlsettings.html#recursor-forward-zones

https://doc.powerdns.com/recursor/dnssec.html#negative-trust-anchors

Or turn off DNSSEC processing completely. Or crank up logging to see if/why DNSSEC validation is failing.

I guess when you're forwarding queries to an upstream recursive server, it would be nice to have a way to say "trust the AD flag queries in responses from that server, and skip local DNSSEC validation" - but I don't see a way to configure that.

Regards,

Brian.
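To make the reading of the capture above repeatable, here is an added Python example (not from the thread or from PowerDNS) that parses tcpdump's DNS summary lines and, for each ServFail handed back to the client, reports whether an upstream actually answered the name and which DS/DNSKEY lookups the recursor issued in between, including repeats such as the duplicated DS query for "live.". The sample input is the capture quoted in the thread, constructed inline; the client address and the DS/DNSKEY heuristic are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample: the tcpdump output quoted in the thread, one packet per line.
SAMPLE = """\
17:31:22.071802 IP 192.168.0.101.41941 > pdns-recursor.domain: 65094+ [1au] A? liveaqest.live. (55)
17:31:22.072588 IP pdns-recursor.55092 > dns.google.domain: 5457+% [1au] A? liveaqest.live. (43)
17:31:22.090703 IP dns.google.domain > pdns-recursor.55092: 5457 2/0/1 A 188.114.97.3, A 188.114.96.3 (75)
17:31:22.091020 IP pdns-recursor.52908 > dns0.eu.domain: 55841 [1au] DS? live. (33)
17:31:22.095823 IP dns0.eu.domain > pdns-recursor.52908: 55841$ 0/14/1 (530)
17:31:22.096001 IP pdns-recursor.25826 > dns0.eu.domain: 28404 [1au] DS? live. (33)
17:31:22.099646 IP pdns-recursor.34244 > 10.35.21.1.domain: 26987+ PTR? 101.0.164.192.in-addr.arpa. (42)
17:31:22.100761 IP dns0.eu.domain > pdns-recursor.25826: 28404$ 0/14/1 (530)
17:31:22.101142 IP pdns-recursor.domain > 192.168.0.101.41941: 65094 ServFail 0/0/1 (43)
"""
# Summary shape: "<ts> IP <src> > <dst>: <id><flags> <body>"; tcpdump flags: '+' RD, '%' CD, '$' AD.
LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<id>\d+)[+%$*|-]* (?P<body>.*)$")
QUERY_RE = re.compile(r"(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \(\d+\)$")
REPLY_RE = re.compile(r"^(?:(?P<rcode>[A-Za-z]+) )?(?P<an>\d+)/\d+/\d+")

def parse(text):
    """Parse tcpdump DNS summary lines into dicts tagged kind=query|reply|other."""
    pkts = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        p = m.groupdict()
        if q := QUERY_RE.search(p["body"]):
            p.update(kind="query", qtype=q["qtype"], qname=q["qname"])
        elif r := REPLY_RE.match(p["body"]):
            p.update(kind="reply", rcode=r["rcode"] or "NoError", ancount=int(r["an"]))
        else:
            p["kind"] = "other"
        pkts.append(p)
    return pkts

def explain_servfails(pkts, client_ip):
    """For each ServFail returned to client_ip: did an upstream answer the name, and which DS/DNSKEY
    lookups (and repeats) happened in between? Timestamps compare as fixed-width same-day strings."""
    queries = {(p["id"], p["src"]): p for p in pkts if p["kind"] == "query"}
    findings = []
    for r in pkts:
        if r["kind"] != "reply" or r["rcode"] != "ServFail" or not r["dst"].startswith(client_ip + "."):
            continue
        q = queries[(r["id"], r["dst"])]  # the client query this ServFail answers (same id, reversed endpoints)
        window = [p for p in pkts if q["ts"] < p["ts"] < r["ts"]]
        answered = any(p["kind"] == "reply" and p["rcode"] == "NoError" and p["ancount"] > 0
                       and queries.get((p["id"], p["dst"]), {}).get("qname") == q["qname"] for p in window)
        val = Counter((p["qname"], p["dst"]) for p in window if p["kind"] == "query" and p["qtype"] in ("DS", "DNSKEY"))
        findings.append({"qname": q["qname"], "qtype": q["qtype"], "upstream_answered": answered,
                         "validation_lookups": dict(val), "repeated_lookups": [k for k, n in val.items() if n > 1]})
    return findings
```

On the capture above this reports that dns.google answered liveaqest.live. with two A records, yet the client still got ServFail after two identical DS lookups for "live." against dns0.eu, which is the pattern of a failed local validation rather than a missing answer.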

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
