<span style=" font-size:10pt;font-family:sans-serif">Hi there!</span>
<br>
<br><span style=" font-size:10pt;font-family:sans-serif">We use PowerDNS
Recursor to intercept certain lookups and return values from a database
instead. Therefore we use the Lua scripting capability. Now we noticed
that requests with DNSSEC lose the set AD flag when a hook in the script
of the request is marked as "handled" (by returning "true").
I don't know if this is by design (which I can imagine), or if we are missing
something.</span>
<br>
<br><span style=" font-size:10pt;font-family:sans-serif">Script to reproduce
(reduced to the minimum):</span>
<br>
<br><tt><span style=" font-size:10pt">function postresolve(dq)</span></tt>
<br><tt><span style=" font-size:10pt">        print("postresolve
called for ",dq.qname:toString())</span></tt>
<br><tt><span style=" font-size:10pt">        local
header = dq:getDH()</span></tt>
<br><tt><span style=" font-size:10pt">        print("DNSHeader:getAD():
"..(header:getAD() and "true" or "false"))</span></tt>
<br><tt><span style=" font-size:10pt">        print("Validation
state: "..dq.validationState)</span></tt>
<br><tt><span style=" font-size:10pt">        return
true</span></tt>
<br><tt><span style=" font-size:10pt">end</span></tt>
<br>
<br><span style=" font-size:10pt;font-family:sans-serif">Command to test
(with any DNSSEC-enabled domain):</span>
<br>
<br><tt><span style=" font-size:10pt">dig A www.denic.de</span></tt>
<br>
<br>
<br><span style=" font-size:10pt;font-family:sans-serif">Dig result<b>
(AD flag is missing)</b>:</span>
<br>
<br><tt><span style=" font-size:10pt">; <<>> DiG 9.11.5-P4-5.1-Debian
<<>> A </span></tt><a href=www.denic.de><tt><span style=" font-size:10pt">www.denic.de</span></tt></a>
<br><tt><span style=" font-size:10pt">;; global options: +cmd</span></tt>
<br><tt><span style=" font-size:10pt">;; Got answer:</span></tt>
<br><tt><span style=" font-size:10pt">;; ->>HEADER<<- opcode:
QUERY, status: NOERROR, id: 32508</span></tt>
<br><tt><span style=" font-size:10pt">;; flags: qr rd ra; QUERY: 1, ANSWER:
1, AUTHORITY: 0, ADDITIONAL: 1</span></tt>
<br>
<br><tt><span style=" font-size:10pt">;; OPT PSEUDOSECTION:</span></tt>
<br><tt><span style=" font-size:10pt">; EDNS: version: 0, flags:; udp:
4096</span></tt>
<br><tt><span style=" font-size:10pt">;; QUESTION SECTION:</span></tt>
<br><tt><span style=" font-size:10pt">;</span></tt><a href=www.denic.de><tt><span style=" font-size:10pt">www.denic.de</span></tt></a><tt><span style=" font-size:10pt">.
                 IN  
   A</span></tt>
<br>
<br><tt><span style=" font-size:10pt">;; ANSWER SECTION:</span></tt>
<br><a href=www.denic.de><tt><span style=" font-size:10pt">www.denic.de</span></tt></a><tt><span style=" font-size:10pt">.
          3598    IN      A
      81.91.170.12</span></tt>
<br>
<br><tt><span style=" font-size:10pt">;; Query time: 1 msec</span></tt>
<br><tt><span style=" font-size:10pt">;; SERVER: 127.0.0.1#53(127.0.0.1)</span></tt>
<br><tt><span style=" font-size:10pt">;; WHEN: Sat Mar 28 16:21:40 UTC
2020</span></tt>
<br><tt><span style=" font-size:10pt">;; MSG SIZE  rcvd: 57</span></tt>
<br>
<br>
<br><span style=" font-size:10pt;font-family:sans-serif">Output in system
log:</span>
<br>
<br><tt><span style=" font-size:10pt">pdns_recursor[1221]: postresolve
called for         </span></tt><a href=www.denic.de><tt><span style=" font-size:10pt">www.denic.de</span></tt></a><tt><span style=" font-size:10pt">.</span></tt>
<br><tt><span style=" font-size:10pt">pdns_recursor[1221]: DNSHeader:getAD():
true</span></tt>
<br><tt><span style=" font-size:10pt">pdns_recursor[1221]: Validation state:
3   (<-- Secure)</span></tt>
<br>
<br>
<br><span style=" font-size:10pt;font-family:sans-serif">resolv.conf:</span>
<br>
<br><tt><span style=" font-size:10pt">dnssec=process</span></tt>
<br><tt><span style=" font-size:10pt">lua-dns-script=/etc/powerdns/myscript.lua</span></tt>
<br>
<br>
<br><span style=" font-size:10pt;font-family:sans-serif">However, if we
disable the hook in the Lua script (rename method) or return false, we
get the AD flag correctly:</span>
<br>
<br><tt><span style=" font-size:10pt">dig A www.denic.de</span></tt>
<br>
<br><tt><span style=" font-size:10pt">; <<>> DiG 9.11.5-P4-5.1-Debian
<<>> A </span></tt><a href=www.denic.de><tt><span style=" font-size:10pt">www.denic.de</span></tt></a>
<br><tt><span style=" font-size:10pt">;; global options: +cmd</span></tt>
<br><tt><span style=" font-size:10pt">;; Got answer:</span></tt>
<br><tt><span style=" font-size:10pt">;; ->>HEADER<<- opcode:
QUERY, status: NOERROR, id: 10268</span></tt>
<br><tt><span style=" font-size:10pt">;; flags: qr rd ra </span></tt><tt><span style=" font-size:10pt;color:red"><b>ad</b></span></tt><tt><span style=" font-size:10pt">;
QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1</span></tt>
<br>
<br><tt><span style=" font-size:10pt">;; OPT PSEUDOSECTION:</span></tt>
<br><tt><span style=" font-size:10pt">; EDNS: version: 0, flags:; udp:
4096</span></tt>
<br><tt><span style=" font-size:10pt">;; QUESTION SECTION:</span></tt>
<br><tt><span style=" font-size:10pt">;</span></tt><a href=www.denic.de><tt><span style=" font-size:10pt">www.denic.de</span></tt></a><tt><span style=" font-size:10pt">.
                 IN  
   A</span></tt>
<br>
<br><tt><span style=" font-size:10pt">;; ANSWER SECTION:</span></tt>
<br><a href=www.denic.de><tt><span style=" font-size:10pt">www.denic.de</span></tt></a><tt><span style=" font-size:10pt">.
          3600    IN      A
      81.91.170.12</span></tt>
<br>
<br><tt><span style=" font-size:10pt">;; Query time: 41 msec</span></tt>
<br><tt><span style=" font-size:10pt">;; SERVER: 127.0.0.1#53(127.0.0.1)</span></tt>
<br><tt><span style=" font-size:10pt">;; WHEN: Sat Mar 28 16:22:04 UTC
2020</span></tt>
<br><tt><span style=" font-size:10pt">;; MSG SIZE  rcvd: 57</span></tt>
<br>
<br>
<br><span style=" font-size:10pt;font-family:sans-serif">I would appreciate
any help.</span>
<br>
<br><span style=" font-size:10pt;font-family:sans-serif">Kind regards,</span>
<br><span style=" font-size:10pt;font-family:sans-serif">Simon</span>
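<br>
<br><span style=" font-size:10pt;font-family:sans-serif">Added example (not part of the original message and not PowerDNS code): a small Python check that reads the AD bit straight from the DNS header, so the two cases shown above can be compared without reading dig output by eye. The function names and the two sample headers are assumptions; the headers are constructed to mirror the flags and IDs in the dig results above.</span>

```python
import socket
import struct

# Bits of the 16-bit DNS header flags word (RFC 1035; AD and CD from RFC 4035).
FLAG_BITS = {"qr": 0x8000, "aa": 0x0400, "tc": 0x0200, "rd": 0x0100,
             "ra": 0x0080, "ad": 0x0020, "cd": 0x0010}

def build_query(qname, qtype=1, qid=0x1234):
    """Build a query with RD and AD set (dig sets AD in queries by default)."""
    header = struct.pack("!HHHHHH", qid, FLAG_BITS["rd"] | FLAG_BITS["ad"], 1, 0, 0, 0)
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Return (id, rcode, set of flag names) from a raw DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    qid, flags = struct.unpack("!HH", msg[:4])
    return qid, flags & 0x000F, {n for n, bit in FLAG_BITS.items() if flags & bit}

def ad_lost(validated_secure, response):
    """True when the hook logged a Secure validation state but the reply has no AD."""
    _, rcode, flags = parse_header(response)
    return bool(validated_secure and rcode == 0 and "ad" not in flags)

def query_udp(server, qname, timeout=2.0):
    """Optional live check: send the query over UDP and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(qname), (server, 53))
        return sock.recvfrom(4096)[0]

# Constructed 12-byte headers mirroring the two dig outputs above:
# "qr rd ra" (hook returns true) and "qr rd ra ad" (hook disabled / returns false).
HOOK_RETURNS_TRUE = struct.pack("!HHHHHH", 32508, 0x8180, 1, 1, 0, 1)
HOOK_RETURNS_FALSE = struct.pack("!HHHHHH", 10268, 0x81A0, 1, 1, 0, 1)

if __name__ == "__main__":
    for label, msg in (("hook returns true", HOOK_RETURNS_TRUE),
                       ("hook returns false", HOOK_RETURNS_FALSE)):
        qid, rcode, flags = parse_header(msg)
        print(label, qid, sorted(flags), "AD lost:", ad_lost(True, msg))
```

<span style=" font-size:10pt;font-family:sans-serif">For a live comparison, pass the bytes returned by query_udp("127.0.0.1", "www.denic.de") to ad_lost() together with the validation state the hook printed to the system log.</span>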