[Pdns-users] DNSSEC, pdns-recursor and libunbound

Michael Ströder michael at stroeder.com
Sat Apr 25 12:46:44 UTC 2015

leen at consolejunkie.net wrote:
> On 2015-04-24 21:35, Michael Ströder wrote:
>> Michael Ströder wrote:
>>> We're currently testing DNSSEC validation with libunbound 1.5.3 with all
>>> the RRs
>>> retrieved through a pdns-recursor (also tested 3.7.2).
>>> It seems that
>>> 1. libunbound does not explicitly retrieve the RRSIG RRs and
>>> 2. pdns-recursor does not return them when not explicitly requested (qtype ANY).
>>>     (Explicitly requesting RRSIG works.)
>>> => validation in libunbound fails
>> Did further testing with python-unbound (thin wrapper module on top
>> of libunbound) with simple script almost equal to this:
>> http://www.unbound.net/documentation/pyunbound/examples/example4.html
>> Looking at PCAP dumps with Wireshark the requests sent by libunbound
>> contain the DO bit:
>> 1... .... .... .... = DO bit: Accepts DNSSEC security RRs
>> It seems to me that unbound and Google's therefore return
>> RRSIG RRs while pdns-recursor does not.
>> I have to admit that looking at [1] rather confuses me. ;-)
>> Sniffing the outgoing requests sent by pdns-recursor the DO bit is
>> missing. Obviously the DNS servers then do not respond with RRSIG RRs.
>> Ciao, Michael.
>> [1] http://tools.ietf.org/html/rfc4035#section-3.2.1
> It's too bad nobody replied to you yet.

Given my last posting was late in the evening your response is pretty quick. :-)

> Let me tell you how it is:
> The DO-bit in the request to the recursor means: please include DNSSEC
> information.

> Then if the recursor you are requesting it from does validation and it fails
> it will return an error similar to domain not found.

Actually, I'm using python-unbound (mainly libunbound) for the validation but
would like to use the existing pdns-recursor for simply retrieving the RRs.

But since the DO bit is not forwarded, it does not get the RRSIG RRs back and
returns the result with validation status "bogus".

> http://blog.powerdns.com/2013/09/16/dnssec-validation-for-the-recursor/
> If I understand correctly the PowerDNS developers have put in some of the time
> to add DNSSEC to their recursor but it isn't done yet.

Already saw this blog article before. I'm looking forward to pdns-recursor 4.x 
because I like its logging more than that of other recursors.

> In the past I've requested from the PowerDNS developers, would it be possible
> to at least include the DNSSEC information so Unbound can do the validation.
> I told them you can leave the validation out of PowerDNS-recursor, I care less
> about that.
> The answer I got was:
> The validation is in comparison the easy part, changing the recursor to return
> the DNSSEC-information is more work.

Hmm, but if explicitly requested in the query, pdns-recursor does actually
retrieve the RRSIG RRs.

Wouldn't it be possible to also send the DO bit in the outgoing query if the
incoming query had it set?

Ciao, Michael.
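Added illustration for the thread above (not code from the thread, PowerDNS or Unbound): a small pure-Python wire-format helper that builds a query carrying the EDNS0 OPT pseudo-RR with the DO bit, and walks a response to report whether the DO bit came back and whether any RRSIG RRs are present, which is exactly what a PCAP of the failing pdns-recursor answers lacks. The sample response is constructed, with zeroed placeholder RRSIG rdata, so it runs offline.

```python
import struct

QTYPE_RRSIG, QTYPE_OPT = 46, 41
DO_FLAG = 0x8000   # DO bit: top bit of the OPT RR flags, which live in the TTL field (RFC 3225)

def encode_name(name):
    """Uncompressed wire-format name: length-prefixed labels ending with a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def build_query(name, qtype, do=True, txid=0x1234):
    """Recursive query (RD set) with one EDNS0 OPT pseudo-RR; DO bit set when do=True."""
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # 1 question, 1 additional (OPT)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)  # QCLASS IN
    ttl = DO_FLAG if do else 0                                # ext-rcode 0, version 0, flags
    return msg + b"\x00" + struct.pack("!HHIH", QTYPE_OPT, 4096, ttl, 0)  # root name, UDP size 4096

def skip_name(msg, off):
    """Offset just past a possibly compressed name."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:   # compression pointer (2 bytes) terminates the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def rr_types(msg):
    """Walk every RR after the question section: (DO bit seen in OPT, RR types in order)."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # skip QTYPE and QCLASS
    do, types = False, []
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
        do = do or (rtype == QTYPE_OPT and bool(ttl & DO_FLAG))
    return do, types

def build_sample_response(with_rrsig, txid=0x1234):
    """Constructed (not captured) reply to an A query for example.com, with or without RRSIG."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, 2 if with_rrsig else 1, 0, 1)
    msg += encode_name("example.com") + struct.pack("!HH", 1, 1)
    msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    if with_rrsig:   # RRSIG rdata fields are zero placeholders; only the type matters here
        rdata = b"\x00" * 18 + encode_name("example.com") + b"\x00" * 16
        msg += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_RRSIG, 1, 300, len(rdata)) + rdata
    return msg + b"\x00" + struct.pack("!HHIH", QTYPE_OPT, 4096, DO_FLAG, 0)
```

A response that carries the OPT RR with DO set but no RRSIG type in the list is the symptom described in the thread: the validator has nothing to verify and marks the result bogus.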
