[Pdns-users] DNSSEC, pdns-recursor and libunbound
Michael Ströder
michael at stroeder.com
Sat Apr 25 12:46:44 UTC 2015
leen at consolejunkie.net wrote:
> On 2015-04-24 21:35, Michael Ströder wrote:
>> Michael Ströder wrote:
>>> We're currently testing DNSSEC validation with libunbound 1.5.3 with all
>>> the RRs
>>> retrieved through a pdns-recursor (also tested 3.7.2).
>>>
>>> It seems that
>>>
>>> 1. libunbound does not explicitly retrieve the RRSIG RRs and
>>>
>>> 2. pdns-recursor does not return them when not explicitly requested (qtype ANY).
>>> (Explicitly requesting RRSIG works.)
>>>
>>> => validation in libunbound fails
>>
>> Did further testing with python-unbound (thin wrapper module on top
>> of libunbound) with simple script almost equal to this:
>>
>> http://www.unbound.net/documentation/pyunbound/examples/example4.html
>>
>> Looking at PCAP dumps with Wireshark the requests sent by libunbound
>> contain the DO bit:
>>
>> 1... .... .... .... = DO bit: Accepts DNSSEC security RRs
>>
>> It seems to me that unbound and Google's 8.8.8.8 therefore return
>> RRSIG RRs while pdns-recursor does not.
>>
>> I have to admit that looking at [1] rather confuses me. ;-)
>>
>> Sniffing the out-going requests sent by pdns-recursor the DO bit is
>> missing. Obviously the DNS servers then do not respond with RRSIG RRs.
>>
>> Ciao, Michael.
>>
>> [1] http://tools.ietf.org/html/rfc4035#section-3.2.1
>
> It's too bad nobody replied to you yet.
Given my last posting was late in the evening, your response is pretty quick. :-)
> Let me tell how it is:
>
> The DO-bit in the request to the recursor means: please include DNSSEC
> information.
Yes.
> Then if the recursor you are requesting it from does validation and it fails
> it will return an error similar to domain not found.
Actually I'm using python-unbound (mainly libunbound) for the validation but
would like to use the existing pdns-recursor for simply retrieving the RRs.
But since the DO bit is not forwarded it does not get the RRSIG RRs back and
returns the result with validation status "bogus".
> http://blog.powerdns.com/2013/09/16/dnssec-validation-for-the-recursor/
>
> If I understand correctly the PowerDNS developers have put in some of the time
> to add DNSSEC to their recursor but it isn't done yet.
Already saw this blog article before. I'm looking forward to pdns-recursor 4.x
because I like its logging more than that of other recursors.
> In the past I've requested from the PowerDNS developers, would it be possible
> to at least include the DNSSEC-information so Unbound can do the validation.
>
> I told them you can leave the validation out of PowerDNS-recursor, I care less
> about that.
>
> The answer I got was:
>
> The validation is in comparison the easy part, changing the recursor to return
> the DNSSEC-information is more work.
Hmm, but if explicitly requested in the query pdns-recursor does actually
retrieve the RRSIG RRs.
Wouldn't it be possible to also send the DO bit in the out-going query if the
incoming query had it set?
Ciao, Michael.
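The point of the thread is whether the DO bit (RFC 3225, the top bit of the EDNS0 OPT record's flags) survives the hop from the client through the recursor. The following stand-alone Python script is an added example, not Michael's python-unbound script and not code from PowerDNS or Unbound; it uses only the standard library and no network. It builds a query with or without the DO bit and implements the same check one would otherwise do by hand in Wireshark: given the raw bytes of a query (for example one exported from a PCAP of the recursor's outgoing traffic), report whether an OPT record is present and whether DO is set. Names, transaction ID and payload size are constructed values.

```python
import struct

# DNS constants (RFC 1035 / RFC 6891 / RFC 3225 / RFC 4034)
TYPE_A = 1
TYPE_OPT = 41
TYPE_RRSIG = 46
EDNS_DO_FLAG = 0x8000  # DO bit: MSB of the 16-bit extended flags in the OPT RR "TTL" field


def encode_name(name):
    """Encode a dotted hostname as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype, do_bit=True, udp_size=4096, txid=0x1234):
    """Build a recursion-desired query carrying an EDNS0 OPT RR.

    The OPT pseudo-RR lives in the additional section: owner name is the root,
    TYPE=41, CLASS=requestor's UDP payload size, and the 32-bit TTL slot holds
    extended RCODE (8 bits), EDNS version (8 bits) and flags (16 bits), where
    the DO bit is the top flag bit.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question, 1 additional
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    ext_flags = EDNS_DO_FLAG if do_bit else 0
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, udp_size, 0, 0, ext_flags, 0)
    return header + question + opt


def build_plain_query(qname, qtype, txid=0x1234):
    """Build a pre-EDNS query with no OPT RR at all (constructed for comparison)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def has_do_bit(msg):
    """Inspect raw DNS message bytes.

    Returns True if an OPT RR is present with DO set, False if an OPT RR is
    present without DO, and None if the message carries no OPT RR (no EDNS0).
    """
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_OPT:
            return bool(ttl & EDNS_DO_FLAG)
        off += rdlen
    return None


def describe(msg):
    """Human-readable verdict, in the spirit of Wireshark's 'DO bit' line."""
    verdict = has_do_bit(msg)
    if verdict is None:
        return "no OPT RR: resolver will not return RRSIG RRs unless RRSIG is queried explicitly"
    if verdict:
        return "DO bit set: upstream may include DNSSEC RRs (RRSIG etc.)"
    return "OPT RR present but DO bit clear: upstream will omit DNSSEC RRs"


if __name__ == "__main__":
    for q in (build_query("example.com.", TYPE_A, do_bit=True),
              build_query("example.com.", TYPE_A, do_bit=False),
              build_plain_query("example.com.", TYPE_A)):
        print(len(q), "bytes:", describe(q))
```

To use it on real traffic, export the UDP payload of a query from the PCAP (Wireshark: right-click the DNS layer, Copy as hex stream) and pass `bytes.fromhex(...)` to `has_do_bit`; running it once on the query arriving at the recursor and once on the query the recursor sends upstream shows directly whether the bit was dropped, which is what the thread reports for pdns-recursor.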