On Mon, Apr 14, 2025 at 08:54:34PM +0200,
Stephane Bortzmeyer <stephane(a)bortzmeyer.org> wrote
a message of 19 lines which said:
If I configure with policy.add + policy.FORWARD, and trust_anchors.add
for the key of the dummy TLD, it works for the TLD apex and for
subdomains of the TLD which are NOT signed, but for signed subdomains
of the TLD I get SERVFAIL + "EDE: 12 (NSEC Missing): (AHXI)".
Querying directly the authoritative name servers with the DO bit, I
get all the RRSIG and NSEC I need. But apparently, Knot cannot get them.
Observing the traffic with Wireshark, I suspect this is because the
authoritative name server returns DS, signature of DS, NS but of
course no signature of NS because it is not authoritative for it. And
Knot expects these signatures (which would be present if the server
were a resolver).
PS: I also wonder why policy.STUB, which would be a good fit, disables
DNSSEC :-(
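For readers who want to reproduce the setup described above, here is the shape of the Knot Resolver configuration the message refers to (policy.FORWARD for a dummy TLD plus a local trust anchor). This is an added example, not configuration from the original message; the TLD name `test.`, the address 192.0.2.1 and the DS digest are placeholders. It reproduces the reported setup, it is not a fix.

```lua
-- kresd configuration (Knot Resolver 5.x Lua syntax), added example.
-- Assumptions: the dummy TLD is "test.", its authoritative server listens
-- on 192.0.2.1 (documentation address), and the DS record below is a
-- placeholder to be replaced with the real KSK digest of the dummy TLD.

-- 1. Send every query under the dummy TLD to its authoritative server.
--    policy.FORWARD expects a recursive resolver on the other side, which
--    is why, as the message explains, a referral from an authoritative
--    server (DS + RRSIG(DS) + unsigned NS) does not satisfy the validator
--    for signed child zones.
policy.add(policy.suffix(
    policy.FORWARD({'192.0.2.1'}),
    {todname('test.')}
))

-- 2. Trust anchor for the dummy TLD, so that answers under test. are
--    validated against this key instead of the chain from the root.
--    Replace the digest with the actual DS of the dummy TLD's KSK.
trust_anchors.add('test. 3600 IN DS 12345 13 2 PLACEHOLDER_DS_DIGEST')

-- Alternative noted in the message: policy.STUB talks to authoritative
-- servers directly, but according to the report it disables DNSSEC
-- validation for the forwarded names, so it is not a drop-in substitute:
-- policy.add(policy.suffix(policy.STUB({'192.0.2.1'}), {todname('test.')}))
```

Queries with the DO bit against 192.0.2.1 (for instance `kdig +dnssec`) remain the quickest way to confirm which RRSIGs the authoritative server actually returns for a signed subdomain.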