[Pdns-users] pdns_recursor suddenly decided ALL dnssec queries were bogus

Thu, 11 Oct 2018 19:21:09 -0700 

I’ve been running a pdns_recursor install for a little over 11 months now, and 
I had about 9 months’ uptime on the machine running it. Tonight, suddenly, 
without my making any changes, ALL DNS queries through the recursor started 
returning SERVFAIL. I spent the better part of an hour diagnosing it. Finally, 
on a hunch, I enabled 
"dnssec-log-bogus=yes," and voila. Every. Single. Request. Every domain. From 
Google to Facebook to Microsoft. EVERYTHING was “Bogus.” (Important reminder 
here: I didn’t make ANY changes.)

The only way I was able to get DNS working again was to change the dnssec 
setting to "dnssec=process-no-validate.” But I sure don’t feel really good 
about that.

Anyone have any clue what happened? Did the world break or something?

Nick

Here’s some diag info for whatever it’s worth:

Oct 11 21:19:51 PowerDNS Recursor 4.0.4 (C) 2001-2016 PowerDNS.COM BV
Oct 11 21:19:51 Using 32-bits mode. Built using gcc 4.9.2.
Oct 11 21:19:51 PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free 
software, and you are welcome to redistribute it according to the terms of the 
GPL version 2.
Oct 11 21:19:51 Features: openssl lua 
Oct 11 21:19:51 Configured with: " '--build=arm-linux-gnueabihf' 
'--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' 
'--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' 
'--disable-silent-rules' '--libdir=${prefix}/lib/arm-linux-gnueabihf' 
'--libexecdir=${prefix}/lib/arm-linux-gnueabihf' '--disable-maintainer-mode' 
'--disable-dependency-tracking' '--sysconfdir=/etc/powerdns' 
'--enable-reproducible' '--with-lua' '--with-protobuf=yes' '--enable-systemd' 
'--with-systemd=/lib/systemd/system' 'build_alias=arm-linux-gnueabihf' 
'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security' 
'LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now -latomic' 
'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector-strong 
-Wformat -Werror=format-security 
-DPACKAGEVERSION='\''"4.0.4-1~bpo8+1.Debian"'\'''"
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users

Reply via email to