[Pdns-users] DNSSEC, pdns-recursor and libunbound
leen at consolejunkie.net
Fri Apr 24 21:07:46 UTC 2015
On 2015-04-24 21:35, Michael Ströder wrote:
> Michael Ströder wrote:
>> We're currently testing DNSSEC validation with libunbound 1.5.3 with
>> all the RRs
>> retrieved through a pdns-recursor (also tested 3.7.2).
>>
>> It seems that
>>
>> 1. libunbound does not explicitly retrieve the RRSIG RRs and
>>
>> 2. pdns-recursor does not return them when not explicitly requested
>> (qtype ANY).
>> (Explicitly requesting RRSIG works.)
>>
>> => validation in libunbound fails
>
> Did further testing with python-unbound (thin wrapper module on top
> of libunbound) with simple script almost equal to this:
>
> http://www.unbound.net/documentation/pyunbound/examples/example4.html
>
> Looking at PCAP dumps with Wireshark the requests sent by libunbound
> contain the DO bit:
>
> 1... .... .... .... = DO bit: Accepts DNSSEC security RRs
>
> It seems to me that unbound and Google's 8.8.8.8 therefore return
> RRSIG RRs while pdns-recursor does not.
>
> I have to admit that looking at [1] rather confuses me. ;-)
>
> Sniffing the out-going requests sent by pdns-recursor the DO bit is
> missing. Obviously the DNS servers then do not respond with RRSIG
> RRs.
>
> Ciao, Michael.
>
> [1] http://tools.ietf.org/html/rfc4035#section-3.2.1
Hi Michael,
It's too bad nobody replied to you yet.
Let me tell you how it is:
The DO-bit in the request to the recursor means: please include DNSSEC
information.
Then if the recursor you are requesting it from does validation and it
fails it will return an error similar to domain not found.
If it doesn't do any DNSSEC validation it will just return the reply it
got from an authoritative server.
If the domain has DNSSEC-information and the recursor does validation
and it was correct it will set the AD-bit in the response.
So a non-validating recursor will never set the AD-bit.
Now let's take your set up with Unbound-recursor forwarding to the
PDNS-recursor.
A recursor like Unbound, when it does validation, needs the
DNSSEC-information, so it will request it from the PDNS-recursor it
forwards the requests to (DO-bit set).
PDNS-recursor doesn't yet support DNSSEC, so it will reply without
including any DNSSEC-information.
Thus Unbound can't do any validation and it will thus fail all
requests. Thus from Unbound you'll end up with answers: domain not
found.
The PowerDNS developers did want to put time in it, they've talked
about it a couple of times, for example this blog post:
http://blog.powerdns.com/2013/09/16/dnssec-validation-for-the-recursor/
If I understand correctly the PowerDNS developers have put in some of
the time to add DNSSEC to their recursor but it isn't done yet.
In the past I've requested from the PowerDNS developers, would it be
possible to at least include the DNSSEC-information so Unbound can do
the validation.
I told them you can leave the validation out of PowerDNS-recursor, I
care less about that.
The answer I got was:
The validation is in comparison the easy part, changing the recursor to
return the DNSSEC-information is more work.
So now you know.
Have a good weekend,
Leen.
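The DO/AD mechanics Leen describes above (the validator sets DO in the EDNS0 OPT record it sends upstream; a validating recursor answers with RRSIGs and the AD bit, a non-validating one without either) can be checked on the wire without any library. The following is an added example, not code from the thread or from PowerDNS or Unbound: it builds a query with and without DO, parses DNS messages including name compression, and classifies two constructed replies (one shaped like a validating recursor's answer, one like a recursor that returns no DNSSEC data at all). The sample replies, the name `example.net.` and the RRSIG rdata bytes are constructed placeholders, not captures.

```python
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
DO_BIT = 0x8000   # low 16 bits of the OPT RR "TTL" field carry the EDNS flags; DO is the top one
AD_BIT = 0x0020   # "Authenticated Data" flag in the DNS header flags word


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels ending in the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    """Decode a possibly compressed name; return (dotted name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer to an earlier name
            if not jumped:
                end = off + 2                # the pointer itself is the last byte of this name
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def build_query(name, qtype, txid=0x1234, dnssec_ok=True):
    """Build a recursive query; with dnssec_ok an EDNS0 OPT RR with DO set is appended."""
    arcount = 1 if dnssec_ok else 0
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # flags: RD only
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)
    if dnssec_ok:
        # OPT RR: root name, type 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_BIT, 0)
    return msg


def parse_message(msg):
    """Parse header, question and all resource records of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4]); off += 4
        questions.append((name, qtype))
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
            records.append((section, name, rtype, rclass, ttl, msg[off:off + rdlen])); off += rdlen
    return {"id": txid, "flags": flags, "rcode": flags & 0xF, "questions": questions, "records": records}


def requests_dnssec(query):
    """True if the query carries an OPT RR with DO set, i.e. asks for RRSIG data."""
    return any(r[2] == TYPE_OPT and bool(r[4] & DO_BIT) for r in parse_message(query)["records"])


def classify_response(resp):
    """Describe what a reply tells a downstream validator, per the flags and records present."""
    p = parse_message(resp)
    if p["rcode"] != 0:
        return "error rcode %d" % p["rcode"]
    if p["flags"] & AD_BIT:
        return "validated (AD set)"
    if any(r[2] == TYPE_RRSIG for r in p["records"]):
        return "signatures present, not validated by this recursor"
    return "no DNSSEC data in reply"


def _reply(flags, answer_rrs, include_opt):
    """Constructed helper: a reply to 'example.net. A' with the given answer RRs."""
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answer_rrs), 0, 1 if include_opt else 0)
    msg += encode_name("example.net.") + struct.pack("!HH", TYPE_A, 1)
    for rtype, rdata in answer_rrs:
        # owner name as a compression pointer to offset 12 (the question name)
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    if include_opt:
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_BIT, 0)
    return msg


# Constructed samples, not captures: a validating recursor's answer (A + RRSIG, AD set, OPT with DO)
# versus a recursor that answers with the bare A record and no DNSSEC data at all.
FAKE_RRSIG_RDATA = bytes(24)   # placeholder, not a real signature
VALIDATING_REPLY = _reply(0x8180 | AD_BIT, [(TYPE_A, b"\xc0\x00\x02\x01"), (TYPE_RRSIG, FAKE_RRSIG_RDATA)], True)
STRIPPED_REPLY = _reply(0x8180, [(TYPE_A, b"\xc0\x00\x02\x01")], False)

if __name__ == "__main__":
    print("validator query asks for DNSSEC:", requests_dnssec(build_query("example.net.", TYPE_A)))
    print("validating recursor  ->", classify_response(VALIDATING_REPLY))
    print("stripping recursor   ->", classify_response(STRIPPED_REPLY))
```

The third classification outcome ("signatures present, not validated") is the one a forwarding validator like unbound needs from its upstream: the RRSIGs are there even though the upstream sets no AD bit, so the downstream can verify them itself. The "no DNSSEC data" outcome is exactly the situation described in the thread, and no downstream validator can recover from it.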