[Pdns-users] Unable to resolve domain when using DO and not AD

Frank Louwers frank+pdns at tembo.be
Thu Dec 13 08:28:56 UTC 2018

Dear Luca,

> On 12 Dec 2018, at 19:53, Luca Lesinigo <luca at lm-net.it> wrote:
> On 12 Dec 2018, at 18:45, bert hubert <bert.hubert at powerdns.com> wrote:
>>> Right now I am refraining to disclose the domain because I don’t know if
>>> this behavior could disclose a software/version/configuration with some
>>> kind of known vulnerability.
>> Sadly, that is where we stop reading about your problem.
>> Please see https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/


> I don’t know and don’t want to find out if there is any legal aspect about disclosing a potential vulnerability in someone else’s systems, especially since we are in the same country and the other party is a much bigger company than ours - they can keep being unresolvable by all powerdns (and possibly others) recursors in the world as far as I’m concerned. 

I completely understand your position, but you are doing the PowerDNS community a disservice.

To illustrate that, let me cut&paste from your previous email:

> The same domain results in "All Queries to dns1.domain.tld for domain.tld/A timed out or failed" when trying with Verisign Labs DNSSEC Analyzer ( https://dnssec-analyzer.verisignlabs.com/ )
> Public dns services (I tried Cloudflare and Google) do resolve correctly that domain, my guess is that they are doing queries with different flags and/or that they have some kind of workaround for this specific defect.

So I see two things here:

1) As the Verisign Labs analyser complains about the domain, there is a misconfiguration with the domain name in question. It does not comply with all DNSSEC standards, as interpreted by Verisign Labs and (as your PowerDNS Recursor won’t resolve it) by PowerDNS.

2) Yet some other resolvers (CF and Google to name a few) are capable of working around this issue.

So while it might be a misconfiguration or maybe a bug at the other end, it is important for the PowerDNS Community. If we could do two important things:

a) we could investigate, try a few things, find out why the domain is behaving that way and see if there is a way this could be dealt with. Maybe it is a misconfig/bug at the other end, maybe it’s just a different interpretation of some DNSSEC standard that’s not 100% completely well described in the RFCs. So if you tell us the domain name, we might be able to fix the bug, or work around the issue if needed. Result: You’ve made the PowerDNS Community happy and made PowerDNS better software than it already is!

b) DNS operators are friendly people most of the time. There are various ways to contact them. If one of your domain names would fail to be resolved by a rather large chunk of the Internet, wouldn’t you want to know?  Result: You’ve made the Internet a better place

As the domain name servers in question are “live” on the Internet, and there’s very little chance this will lead to something “the bad guys” are able to exploit, it’s a configuration issue more than it is a security issue. So please, consider telling us the domain name in question, as that’s the only way to make the internet a better place.
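A small diagnostic for the flag difference the thread is guessing at (plain query, AD bit set, EDNS0 with DO set), added here as an example and not code from the list or from PowerDNS: it builds the three query variants by hand with the standard library and reports which ones an authoritative server answers and which time out. The server and name are command-line arguments you supply; `probe`, `build_query` and `response_flags` are names chosen for this example.

```python
import socket
import struct


def build_query(name, qtype=1, do=False, ad=False, qid=0x1234):
    """Wire-format DNS query: RD always set, AD header bit if ad=True,
    and an EDNS0 OPT record carrying the DO bit if do=True."""
    flags = 0x0100 | (0x0020 if ad else 0)          # RD, optionally AD
    arcount = 1 if do else 0                         # OPT RR goes in the additional section
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, arcount)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS=IN
    if do:
        # OPT RR: root name, TYPE=41, UDP payload 4096, ext-rcode 0,
        # EDNS version 0, flags with DO (0x8000), RDLENGTH 0
        msg += b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return msg


def response_flags(data):
    """Decode rcode, AD and TC from a raw DNS response header."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", data[2:4])[0]
    return {"rcode": flags & 0xF, "ad": bool(flags & 0x0020), "tc": bool(flags & 0x0200)}


def probe(server, name, timeout=2.0):
    """Send the three variants over UDP to server:53; map variant -> flags or 'timeout'."""
    results = {}
    for label, kw in (("plain", {}), ("ad", {"ad": True}), ("do", {"do": True})):
        q = build_query(name, **kw)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            try:
                s.sendto(q, (server, 53))
                data, _ = s.recvfrom(4096)
                results[label] = response_flags(data) if data[:2] == q[:2] else "id mismatch"
            except socket.timeout:
                results[label] = "timeout"
    return results


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], sys.argv[2]))   # e.g. probe("192.0.2.53", "example.com")
```

A server that answers "plain" and "ad" but times out on "do" shows the DO-specific failure the analyzer reported; a TC or RCODE difference instead points at an EDNS or message-size problem.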


