[Pdns-dev] feature request: first step for DNSSEC-support for PowerDNS recursor: DNSSEC without validation

bert hubert bert.hubert at netherlabs.nl
Mon Apr 18 11:41:50 CEST 2011


Hi Leen,

What you describe is quite close to the plan we have already.

The idea is that the recursor only gathers everything you need to validate
an answer and that we provide answers that come with all 'proof' inside.

This is currently also being discussed on the DNSEXT mailing list.

It turns out that the actual validation is not that much work (we can do it
already even). But doing it wisely may be a job better left for a separate
daemon.

Interestingly enough, this daemon might well live on the client computer or
in the browser.

First we want to get Auth 3.0 out of the door, then Recursor 3.4 (which has
some important fixups) and then focus on DNSSEC in the Recursor.

	Bert

On Sat, Apr 16, 2011 at 03:31:55PM +0200, Leen Besselink wrote:
> Hi,
> 
> As the authoritative server has been getting a lot of DNSSEC attention and
> as I've deployed some smaller DNSSEC things in some networks I found I
> was missing a smaller feature in the PowerDNS-recursor.
> 
> I know PowerDNS recursor doesn't have any DNSSEC support yet and
> building a validator probably isn't such an easy task.
> 
> But I would like to suggest a first step: DNSSEC without doing validation.
> 
> What would this accomplish? It would allow a library/program which does
> its own DNSSEC-validating to use the PowerDNS-recursor.
> 
> I think what is needed to do that is this (I'm not a DNS nor DNSSEC
> expert):
> 
> - support sending EDNS0-option and DO-bit queries to authoritative servers
> 
> - add support for RRSIG to the cache, which keeps the RRSIG with the
> requested RR.
> 
> - have a flag if the request to the authoritative server had DO-bit set
> 
> - when a client requests DNSSEC (DO-bit set) send a request to the
> authoritative server with DO-bit and EDNS0 set if it wasn't already cached,
> even if it was cached but without the DNSSEC-requested cache flag set.
> 
> - probably this should not be on by default because EDNS0 isn't used by
> PowerDNS recursor as well? Because of crappy firewalls? Or at least
> have the option to turn off DNSSEC and/or EDNS0 support (obviously if
> EDNS0 is off, DNSSEC will be too).
> 
> - Other tricky things: the TTL of a RRSIG could mean the RR needs to be
> cached for a shorter time? Not that it should happen, I think, but my
> guess is it is something that needs to be checked.
> 
> - fallback to non-EDNS0-query if it wasn't already cached
> 
> - when there is no validating code in the PowerDNS-recursor it should
> obviously never set the AD-bit in a reply to the client.
> 
> Hope this is useful.
> 
> Have a nice day,
>     Leen.
> 
> _______________________________________________
> Pdns-dev mailing list
> Pdns-dev at mailman.powerdns.com
> http://mailman.powerdns.com/mailman/listinfo/pdns-dev
> 
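The cache behaviour proposed in the quoted message, as an added sketch that is not part of the thread and is not PowerDNS code: an entry remembers whether it was fetched with the DO bit, a DO request refetches an entry cached without it, a failed EDNS0 query falls back to a plain one, and the AD bit is never set. The class and function names, the `upstream` callable's signature and the sample records are hypothetical, and capping the cache lifetime at the RRSIG TTL is an assumption that follows the message's own guess.

```python
import time
from dataclasses import dataclass

@dataclass
class CacheEntry:
    rrset: list            # answer records
    rrsigs: list           # RRSIGs stored alongside the RRset
    fetched_with_do: bool  # was the upstream query sent with EDNS0 + DO?
    expires: float

class NonValidatingCache:
    def __init__(self, upstream, dnssec=True, now=time.monotonic):
        # upstream(name, qtype, do) -> (rrset, rr_ttl, rrsigs, rrsig_ttl); hypothetical interface
        self.upstream, self.dnssec, self.now = upstream, dnssec, now
        self.cache = {}

    def resolve(self, name, qtype, do=False):
        want_do = do and self.dnssec          # DNSSEC switched off: never send DO upstream
        entry = self.cache.get((name, qtype))
        fresh = entry is not None and entry.expires > self.now()
        if not fresh or (want_do and not entry.fetched_with_do):
            entry = self._fetch(name, qtype, want_do)
            self.cache[(name, qtype)] = entry
        # No validator here, so AD is never set; RRSIGs go only to clients that set DO.
        return {"answer": entry.rrset, "rrsigs": entry.rrsigs if want_do else [], "ad": False}

    def _fetch(self, name, qtype, want_do):
        got_do = want_do
        try:
            rrset, rr_ttl, rrsigs, sig_ttl = self.upstream(name, qtype, want_do)
        except TimeoutError:
            if not want_do:
                raise
            got_do = False                    # fall back to a plain, non-EDNS0 query
            rrset, rr_ttl, rrsigs, sig_ttl = self.upstream(name, qtype, False)
        ttl = min(rr_ttl, sig_ttl) if rrsigs else rr_ttl  # RRSIG TTL may shorten caching
        return CacheEntry(rrset, rrsigs, got_do, self.now() + ttl)

def constructed_upstream(log, edns_broken=False):
    """Constructed stand-in for an authoritative server; records each query in log."""
    def upstream(name, qtype, do):
        log.append((name, qtype, do))
        if do and edns_broken:
            raise TimeoutError("EDNS0 query dropped")
        if do:
            return ["192.0.2.10"], 3600, ["RRSIG (constructed)"], 300
        return ["192.0.2.10"], 3600, [], 0
    return upstream
```
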

