[Pdns-users] DNSSEC, pdns-recursor and libunbound
michael at stroeder.com
Sat Apr 25 12:46:44 UTC 2015
leen at consolejunkie.net wrote:
> On 2015-04-24 21:35, Michael Ströder wrote:
>> Michael Ströder wrote:
>>> We're currently testing DNSSEC validation with libunbound 1.5.3 with all
>>> the RRs
>>> retrieved through a pdns-recursor (also tested 3.7.2).
>>> It seems that
>>> 1. libunbound does not explicitly retrieve the RRSIG RRs and
>>> 2. pdns-recursor does not return them when not explicitly requested (qtype ANY).
>>> (Explicitly requesting RRSIG works.)
>>> => validation in libunbound fails
>> Did further testing with python-unbound (thin wrapper module on top
>> of libunbound) with simple script almost equal to this:
>> Looking at PCAP dumps with Wireshark the requests sent by libunbound
>> contain the DO bit:
>> 1... .... .... .... = DO bit: Accepts DNSSEC security RRs
>> It seems to me that unbound and Google's 22.214.171.124 therefore return
>> RRSIG RRs while pdns-recursor does not.
>> I have to admit that looking at  rather confuses me. ;-)
>> Sniffing the out-going requests sent by pdns-recursor the DO bit is
>> missing. Obviously the DNS servers then do not respond with RRSIG RRs.
>> Ciao, Michael.
>>  http://tools.ietf.org/html/rfc4035#section-3.2.1
> It's too bad nobody replied to you yet.
Given my last posting was late in the evening your response is pretty quick. :-)
> Let me tell how it is:
> The DO-bit in the request to the recursor means: please include DNSSEC
> Then if the recursor you are requesting it from does validation and it fails
> it will return an error similar to domain not found.
Actually I'm using python-unbound (mainly libunbound) for the validation but
would like to use the existing pdns-recursor for simply retrieving the RRs.
But since the DO bit is not forwarded it does not get the RRSIG RRs back and
returns the result with validation status "bogus".
> If I understand correctly the PowerDNS developers have put in some of the time
> to add DNSSEC to their recursor but it isn't done yet.
Already saw this blog article before. I'm looking forward to pdns-recursor 4.x
because I like its logging more than that of other recursors.
> In the past I've requested from the PowerDNS developers, would it be possible
> to at least include the DNSSEC-information so Unbound do the validation.
> I told them you can leave the validation out of PowerDNS-recursor, I care less
> about that.
> The answer I got was:
> The validation is in comparison the easy part, changing the recursor to return
> the DNSSEC-information is more work.
Hmm, but if explicitly requested in the query pdns-recursor does actually
retrieve the RRSIG RRs.
Wouldn't it be possible to also send the DO bit in the out-going query if the
incoming query had it set?