[Pdns-dev] feature request: first step for DNSSEC-support for PowerDNS recursor: DNSSEC without validation
Leen Besselink
leen at consolejunkie.net
Sat Apr 16 15:31:55 CEST 2011
Hi,
As the authoritative server has been getting a lot of DNSSEC attention and
as I've deployed some smaller DNSSEC things in some networks, I found I
was missing a smaller feature in the PowerDNS recursor.
I know PowerDNS recursor doesn't have any DNSSEC support yet and
building a validator probably isn't such an easy task.
But I would like to suggest a first step: DNSSEC without doing validation.
What would this accomplish? It would allow a library/program which does
its own DNSSEC validating to use the PowerDNS recursor.
I think what is needed to do that is this (I'm not a DNS nor DNSSEC
expert):
- support sending EDNS0-option and DO-bit queries to authoritative servers
- add support for RRSIG to the cache, which keeps the RRSIG with the
  requested RR.
- have a flag if the request to the authoritative server had the DO-bit set
- when a client requests DNSSEC (DO-bit set), send a request to the
  authoritative server with DO-bit and EDNS0 set if it wasn't already cached,
  or even if it was cached but without the DNSSEC-requested cache flag set.
- probably this should not be on by default because EDNS0 isn't used by
  PowerDNS recursor as well? Because of crappy firewalls? Or at least
  have the option to turn off DNSSEC and/or EDNS0 support (obviously if
  EDNS0 is off, DNSSEC will be too).
- Other tricky things: the TTL of a RRSIG could mean the RR needs to be
  cached for a shorter time? Not that it should happen, I think, but my
  guess is it is something that needs to be checked.
- fallback to non-EDNS0 query if it wasn't already cached
- when there is no validating code in the PowerDNS recursor it should
  obviously never set the AD-bit in a reply to the client.
Hope this is useful.
Have a nice day,
Leen.
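To make the proposal above concrete, here is an added example (not code from the post or from PowerDNS) of the three mechanical pieces it lists: a query carrying an EDNS0 OPT record with the DO bit, the cache TTL of an RR capped by its RRSIG, and the AD bit cleared before a non-validating recursor answers a client. Names such as build_query and cache_ttl are my own; the packet is built with raw struct packing so it runs offline.

```python
import struct
import time

DO_BIT = 0x8000   # EDNS0 "DNSSEC OK" flag: high bit of the OPT RR's TTL field (RFC 3225)
AD_BIT = 0x0020   # Authenticated Data flag in the DNS header flags word
OPT_TYPE = 41     # RR type of the EDNS0 OPT pseudo-record


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(struct.pack("B", len(l)) + l.encode() for l in labels) + b"\x00"


def build_query(name, qtype, qid=0x1234, dnssec_ok=True, udp_size=4096):
    """Build a recursive query; with dnssec_ok, append an OPT RR carrying the DO bit."""
    arcount = 1 if dnssec_ok else 0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)  # flags: RD only
    question = encode_name(name) + struct.pack("!HH", qtype, 1)     # class IN
    pkt = header + question
    if dnssec_ok:
        # OPT RR: root name, type 41, "class" = UDP payload size,
        # "TTL" = ext-rcode(8) | version(8) | flags(16), empty RDATA.
        pkt += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, DO_BIT, 0)
    return pkt


def opt_flags(pkt):
    """Return the OPT flag word of a query built by build_query, or None if it has no OPT RR.
    (Assumes the OPT RR is the last record, as build_query emits it.)"""
    arcount = struct.unpack("!H", pkt[10:12])[0]
    if arcount == 0:
        return None
    rtype, _size, ttl, _rdlen = struct.unpack("!HHIH", pkt[-10:])
    return ttl & 0xFFFF if rtype == OPT_TYPE else None


def cache_ttl(rr_ttl, rrsig_ttl, rrsig_expiration, now=None):
    """TTL for caching an RR together with its RRSIG: the RR must not outlive
    either the RRSIG's own TTL or the absolute signature expiration time."""
    now = int(time.time()) if now is None else now
    return max(0, min(rr_ttl, rrsig_ttl, rrsig_expiration - now))


def flags_for_client(flags):
    """A recursor that does not validate must never claim authentication: clear AD."""
    return flags & ~AD_BIT
```

cache_ttl follows the general DNSSEC rule that a signed RRset is not cached beyond its signature expiration, which is the "shorter time" the post wonders about.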