[Pdns-dev] feature request: first step for DNSSEC-support for PowerDNS recursor: DNSSEC without validation

Leen Besselink leen at consolejunkie.net
Sat Apr 16 15:31:55 CEST 2011


Hi,

As the authoritative server has been getting a lot of DNSSEC attention and
as I've deployed some smaller DNSSEC things in some networks, I found I
was missing a smaller feature in the PowerDNS-recursor.

I know PowerDNS recursor doesn't have any DNSSEC support yet and
building a validator probably isn't such an easy task.

But I would like to suggest a first step: DNSSEC without doing validation.

What would this accomplish? It would allow a library/program which does
its own DNSSEC-validating to use the PowerDNS-recursor.

I think what is needed to do that is this (I'm not a DNS nor DNSSEC
expert):

- support sending EDNS0-option and DO-bit queries to authoritative servers

- add support for RRSIG to the cache, which keeps the RRSIG with the
requested RR.

- have a flag if the request to the authoritative server had the DO-bit set

- when a client requests DNSSEC (DO-bit set) send a request to the
authoritative server with DO-bit and EDNS0 set if it wasn't already cached,
or even if it was cached but without the DNSSEC-requested cache flag set.

- probably this should not be on by default because EDNS0 isn't used by
the PowerDNS recursor as well? Because of crappy firewalls? Or at least
have the option to turn off DNSSEC and/or EDNS0 support (obviously if
EDNS0 is off, DNSSEC will be too).

- Other tricky things: the TTL of an RRSIG could mean the RR needs to be
cached for a shorter time? Not that it should happen, I think, but my
guess is it's something that needs to be checked.

- fallback to non-EDNS0-query if it wasn't already cached

- when there is no validating code in the PowerDNS-recursor it should
obviously never set the AD-bit in a reply to the client.

Hope this is useful.

Have a nice day,
    Leen.
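A small model of the cache behaviour proposed in the message, written here as an added example rather than anything taken from PowerDNS: the cache keeps RRSIGs with the RRset, records whether the upstream query carried the DO bit, caps the cache TTL by the RRSIG's TTL, falls back to a plain query when an EDNS0 query times out, and never sets AD. The `Recursor` class, the `sample_upstream` stand-in for an authoritative server and all names are assumptions.

```python
from dataclasses import dataclass

@dataclass
class CacheEntry:
    rrset: list             # answer records, e.g. ("A", "192.0.2.1")
    rrsigs: list            # RRSIG records received with the RRset ([] if none)
    ttl: int                # effective TTL, capped by the RRSIG TTL when one is cached
    fetched_with_do: bool   # the proposal's "DNSSEC-requested" cache flag

class Recursor:
    """Non-validating recursor cache (assumed model, not PowerDNS code).
    upstream(qname, qtype, edns0, do) -> (rrset, rrsigs, rr_ttl, rrsig_ttl)
    or raises TimeoutError when the EDNS0 query is dropped on the path."""
    def __init__(self, upstream, edns0_enabled=True):
        self.upstream = upstream
        self.edns0_enabled = edns0_enabled
        self.cache = {}

    def resolve(self, qname, qtype, client_do):
        key = (qname, qtype)
        want_do = client_do and self.edns0_enabled   # DO needs EDNS0
        entry = self.cache.get(key)
        # Go upstream if nothing is cached, or if the client set DO but the
        # cached copy was fetched without it (so it carries no RRSIG).
        if entry is None or (want_do and not entry.fetched_with_do):
            entry = self._fetch(qname, qtype, want_do)
            self.cache[key] = entry
        return {
            "rrset": list(entry.rrset),
            "rrsigs": list(entry.rrsigs) if want_do else [],
            "ad": False,   # no validator in the recursor, so AD is never set
        }

    def _fetch(self, qname, qtype, do):
        if self.edns0_enabled:
            try:
                return self._build(*self.upstream(qname, qtype, True, do), do)
            except TimeoutError:
                pass   # EDNS0 query lost (e.g. a firewall): fall back to plain query
        return self._build(*self.upstream(qname, qtype, False, False), False)

    @staticmethod
    def _build(rrset, rrsigs, rr_ttl, rrsig_ttl, do):
        ttl = min(rr_ttl, rrsig_ttl) if rrsigs else rr_ttl
        return CacheEntry(rrset, rrsigs, ttl, fetched_with_do=do)

# Constructed stand-in for an authoritative server: returns an RRSIG only when
# DO is set, and drops EDNS0 queries for one name to exercise the fallback.
def sample_upstream(qname, qtype, edns0, do):
    if qname == "broken-path.example." and edns0:
        raise TimeoutError
    rrsigs = [("RRSIG", f"{qtype} constructed-signature")] if do else []
    return [(qtype, "192.0.2.1")], rrsigs, 3600, 300
```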


