[dnsdist] DNSSEC validation result

Remi Gacogne remi.gacogne at powerdns.com
Tue Mar 3 11:50:20 UTC 2020

Hi Stephane,

On 2/29/20 1:55 PM, Stephane Bortzmeyer via dnsdist wrote:
> I run a DoH and DoT resolver with dnsdist. The backend resolvers
> validate (I can test them with dig and see the AD bit.) But dnsdist
> returns the AD bit to the client only when the client uses the DO
> bit. (Unlike, for instance, Unbound, or Cloudflare's, which
> always return AD if the domain validates, regardless of DO.)
> Is it on purpose? I don't see why.
> RFC 6840 mentions this behavior only for the case when the *client*
> uses the AD bit.

How are you testing exactly? More importantly, do your DoH and DoT
queries have the AD or DO bits set? Be careful that recent versions of
dig are setting AD=1 by default but a lot of DoH and DoT clients aren't.

dnsdist itself doesn't set or unset the AD bit unless asked to do so, be
it on queries or responses. It does however add an EDNS OPT RR with DO=0
in some cases (EDNS Client Subnet was requested in the configuration or
via Lua/rules, for DoH queries in order to advertise support for large
answers to the backend) if there was none in the initial query.

Most of the resolvers I know of abide by the rules defined in section
5.8 of rfc6840[1]:

"In order to interoperate with legacy stub resolvers and middleboxes
that neither understand nor ignore the AD bit, validating resolvers
SHOULD only set the AD bit when a response both meets the conditions
listed in Section 3.2.3 of [RFC4035], and the request contained either a
set DO bit or a set AD bit."

Therefore they only return AD=1 on validated answers if the query had
either AD=1 or DO=1.

If I add the following line to doh-client.py[2], for example, I do get
an AD bit from dnsdist over DoH:

message.flags |= dns.flags.AD

It also works if I set want_dnssec=True on the call to
dns.message.make_query(), in order for the initial query to have the DO
bit set.

[1]: https://tools.ietf.org/html/rfc6840#section-5.8
[2]: https://www.bortzmeyer.org/files/doh-client.py

Best regards,
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
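The RFC 6840 section 5.8 rule discussed above, as an added stand-alone Python example that is not part of the original thread or of dnsdist: it builds minimal wire-format queries with and without the AD and DO bits, parses those bits back out of the header and the EDNS OPT RR, and decides whether a validating resolver may set AD on the response. The builder mirrors what `message.flags |= dns.flags.AD` and `want_dnssec=True` do in dnspython; the query ID, UDP payload size and qname are constructed sample values.

```python
import struct

AD_FLAG = 0x0020   # bit 5 of the DNS header flags word (RFC 4035)
DO_FLAG = 0x8000   # DO bit in the OPT RR "TTL" field (RFC 6891)

def build_query(qname, ad=False, do=False):
    """Build a minimal wire-format A/IN query (constructed sample).
    ad=True is what `message.flags |= dns.flags.AD` does; do=True is what
    want_dnssec=True does: append an EDNS OPT RR with DO=1."""
    flags = 0x0100 | (AD_FLAG if ad else 0)          # RD=1, optionally AD=1
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 1 if do else 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode() for l in labels)
    question += b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    msg = header + question
    if do:
        # OPT RR: root name, TYPE=41, CLASS=UDP size 4096, TTL field carries DO
        msg += b"\x00" + struct.pack("!HHIH", 41, 4096, DO_FLAG, 0)
    return msg

def query_flags(wire):
    """Return (ad_set, do_set) for a wire-format query: AD from the header,
    DO from an OPT RR found by walking past the question section."""
    _qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", wire[:12])
    pos = 12
    for _ in range(qd):
        while wire[pos] != 0:            # queries carry uncompressed names
            pos += 1 + wire[pos]
        pos += 1 + 4                     # root terminator + QTYPE/QCLASS
    do = False
    for _ in range(an + ns + ar):
        if wire[pos] & 0xC0 == 0xC0:     # compression pointer: two bytes
            pos += 2
        else:
            while wire[pos] != 0:
                pos += 1 + wire[pos]
            pos += 1
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", wire[pos:pos + 10])
        if rtype == 41 and ttl & DO_FLAG:
            do = True
        pos += 10 + rdlen
    return bool(flags & AD_FLAG), do

def response_ad_bit(query_wire, validated):
    """RFC 6840 section 5.8: set AD=1 only when the answer validated AND the
    query had AD=1 or DO=1 (what dnsdist's backend resolvers are doing)."""
    ad, do = query_flags(query_wire)
    return validated and (ad or do)
```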
