Hi,
Thank you for your hints with DNSSEC. Truly it was caused by DNSSEC
validation. If I tried to turn off DNSSEC validation, dns0 servers would
not respond to any of my requests. But I found that with option
"process-no-validate" and recurse true for zone '.' I finally set up and
tested exactly what I wanted to do. Created a small allow list for domains
that are blocked by dns0, and the rest of the requests are filtered by dns0.
Thank you very much for your help.
With kind regards
*Jan Gardian*
On 4/30/24 10:19, Frank Louwers wrote:
Hi,
Or turn off DNSSEC processing completely. Or crank up logging to see if/why
DNSSEC validation is failing.
To add to what Brian said: if you're going to use filtering capabilities,
it's best to turn DNSSEC validation completely off: a filtered domain might
have a valid DS. You're breaking the chain by returning a non-signed and forged
reply to your users, so validation has little use.
Frank