On 27 March 2023 13:20:06 UTC, Heiko Schlittermann via mailop 
<mailop@mailop.org> wrote:

>If the DNS name xxx._domainkey.example.com exists, then
>_domainkey.example.com exists too. It doesn't have any data (no TXT, A,
>AAAA, … record). But asking for _domainkey.example.com must not return
>NXDOMAIN then.

I agree, in theory and by the RFC, but despite that I have met that
NXDOMAIN (even from a paid service) in the real world, and
it was the main reason to change that DNS provider. Now it
works as expected (and as you and the RFC describe).

If you want to reproduce that broken behaviour with
PowerDNS you can (I don't use PowerDNS, thus this is only
from my tests and from memory -- it can be incomplete):

1. create "some" zone with the SQL backend (SQLite is enough)
2. set up DNSSEC with NSEC3 and sign it
3. point your DNS to it (I did it via Unbound, including the DNSSEC-related things)
4. verify that it works, including DNSSEC, e.g. via dig
5. add records, including empty non-terminals (ENT), e.g. these DKIM records, 
directly via SQL
6. try to fetch the new records and you will see NXDOMAIN for the ENT

One has to run a "magic" PowerDNS command to
fix/regenerate things after direct SQL manipulation
(which I don't remember either). If the zone is backed by a file,
that is fixed automatically, but not with SQL (at least it
was not about 1.5 years ago, when I tried it).

BTW, I was able to do that only with the help of people
from the #DNS IRC channel...

Of course, make sure that you didn't disable that
"nothing below" (RFC 8020) in the resolver, which is AFAIK
enabled by default in Unbound (harden-below-nxdomain)
and was enabled on some public DNS resolvers too at
that time (I used them to verify that my resolver is not
wrong in this).

regards


-- 
Slavko
https://www.slavino.sk/
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
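As an added example (not code from the original mail, nor from PowerDNS or Unbound), here is a small POSIX shell check for the situation discussed above: it classifies dig replies for a DKIM selector record and for the empty non-terminal `_domainkey` above it, and reports whether the authoritative server (or the resolver in front of it) answers the ENT with NXDOMAIN instead of NOERROR with an empty answer. The zone `example.com`, the selector `xxx`, the verdict names and the sample dig output are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example (not code from the original mail or from PowerDNS/Unbound):
# classify dig replies for a DKIM selector and for the empty non-terminal
# (ENT) above it, and report whether the server shows the broken
# NXDOMAIN-for-ENT behaviour described in the thread.
# Assumed names: zone "example.com", selector "xxx" (both hypothetical);
# "dig" is only needed for the live check at the bottom.

# Reduce dig's comment section to one word:
#   NXDOMAIN  name does not exist (wrong for an ENT, see RFC 8020)
#   NODATA    NOERROR with zero answers (the correct reply for an ENT)
#   ANSWER    NOERROR with at least one record
#   ERROR     no header line found (timeout, empty dig output, ...)
classify_dig_output() {
    status=$(printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
    answers=$(printf '%s\n' "$1" | sed -n 's/.*ANSWER: \([0-9]*\).*/\1/p' | head -n 1)
    case "$status" in
        NXDOMAIN) echo NXDOMAIN ;;
        NOERROR)  if [ "${answers:-0}" -eq 0 ]; then echo NODATA; else echo ANSWER; fi ;;
        "")       echo ERROR ;;
        *)        echo "$status" ;;
    esac
}

# Combine the selector result ($1) and the ENT result ($2) into a verdict.
ent_verdict() {
    case "$1/$2" in
        ANSWER/NODATA)   echo OK ;;           # selector found, ENT answered NOERROR/empty
        ANSWER/NXDOMAIN) echo BROKEN_ENT ;;   # selector found, but its parent is "nonexistent"
        NXDOMAIN/*)      echo NO_SELECTOR ;;  # nothing to test: the selector itself is missing
        *)               echo UNKNOWN ;;
    esac
}

# Constructed dig output (not captured from a real server), for the demo.
SAMPLE_SELECTOR_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_ENT_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1'
SAMPLE_ENT_BROKEN=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1'

# demo_verdict ok|broken: run the verdict over the constructed samples.
demo_verdict() {
    sel=$(classify_dig_output "$SAMPLE_SELECTOR_OK")
    case "$1" in
        broken) ent=$(classify_dig_output "$SAMPLE_ENT_BROKEN") ;;
        *)      ent=$(classify_dig_output "$SAMPLE_ENT_OK") ;;
    esac
    ent_verdict "$sel" "$ent"
}

# Live check: check_ent_chain ZONE SELECTOR [SERVER]. Query the selector
# first and the ENT second: through a resolver with RFC 8020 handling
# (Unbound harden-below-nxdomain) a cached NXDOMAIN for _domainkey.ZONE
# would otherwise make the selector lookup fail too and hide the cause.
check_ent_chain() {
    zone=$1; selector=$2; srv=${3:+@$3}
    sel=$(classify_dig_output "$(dig $srv +noall +comments "$selector._domainkey.$zone" TXT)")
    ent=$(classify_dig_output "$(dig $srv +noall +comments "_domainkey.$zone" A)")
    ent_verdict "$sel" "$ent"
}

if [ $# -ge 2 ]; then
    check_ent_chain "$1" "$2" "$3"
fi
```

Run it as `sh ent-check.sh example.com xxx ns1.example.com` to test a live authoritative server, or without the third argument to go through the local resolver. The ENT query uses type A, but any type must give NODATA for a name that exists without records. For a PowerDNS SQL backend, the regeneration step the mail refers to is `pdnsutil rectify-zone ZONE`, which recomputes the ordername/auth fields and inserts the missing empty non-terminals after direct SQL edits; on the resolver side, the Unbound option is `harden-below-nxdomain: yes`.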