Hi again, I have now updated to Pdns 4.1.4 and will test if the problem is still present.
In the meantime I read this doc: https://dnscurve.org/espionage2.html
Now I am unsure if NSEC3 is the way to go. What's best practice?

Kevin

On Mon, 29 Oct 2018 at 13:14, Kevin Olbrich <k...@sv01.de> wrote:

> Hi!
>
> I read this doc:
> https://doc.powerdns.com/authoritative/dnssec/modes-of-operation.html
>
> PowerDNS Authoritative Server 4.1.1
>
> Currently all zones are DNSSEC signed with NSEC by default.
> We noticed a problem with non-existent CAA records: The zone is native and
> replicated via AXFR to an external service.
> If I query the master, the result is "not found". If I query the external
> server, it replies with SERVFAIL.
> This changes as soon as I set a CAA, the lookup succeeds.
>
> I think I have narrowed it down to NSEC. As NSEC3 makes zone-walking more
> difficult, I would like to switch.
> I tried "pdnsutil set-nsec3 example.com" which set some default values
> and changed zone from NSEC to NSEC3.
>
> Before I do this change with 600+ zones, what is the best practice setting
> for NSEC/NSEC3?
> The docs state broad vs. inclusive vs. narrow but without any more
> information.
>
> And finally: Would this solve the CAA with replication problem?
>
> Thank you very much.
>
> Kevin