[Pdns-users] Recursor: Response looses AD flag if Lua script hook returns true

Simon.Erhardt at cryptshare.com Simon.Erhardt at cryptshare.com
Sat Mar 28 16:34:06 UTC 2020 

Hi there!

We use PowerDNS Recursor to intercept certain lookups and return values 
from a database instead. Therefore we use the Luad scripting capability. 
Now we noticed that requests with DNSSEC lose the set AD flag when a hook 
in the script of the request is marked as "handled" (by returning "true"). 
I don't know if this by design (which I can imagine), or if we are missing 
something.

Script to reproduce (reduced to the minimum):

function postresolve(dq)
        print("postresolve called for ",dq.qname:toString())
        local header = dq:getDH()
        print("DNSHeader:getAD(): "..(header:getAD() and "true" or 
"false"))
        print("Validation state: "..dq.validationState)
        return true
end

Command to test (with any DNSSEC-enabled domain):

dig A www.denic.de


Dig result (AD flag is missing):

; <<>> DiG 9.11.5-P4-5.1-Debian <<>> A www.denic.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32508
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.denic.de.                  IN      A

;; ANSWER SECTION:
www.denic.de.           3598    IN      A       81.91.170.12

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Mar 28 16:21:40 UTC 2020
;; MSG SIZE  rcvd: 57


Output in system log:

pdns_recursor[1221]: postresolve called for         www.denic.de.
pdns_recursor[1221]: DNSHeader:getAD(): true
pdns_recursor[1221]: Validation state: 3   (<-- Secure)


resolv.conf:

dnssec=process
lua-dns-script=/etc/powerdns/myscript.lua


However, if we disable the hook in the Lua script (rename method) or 
return false, we get the AD flag correctly:

dig A www.denic.de

; <<>> DiG 9.11.5-P4-5.1-Debian <<>> A www.denic.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10268
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.denic.de.                  IN      A

;; ANSWER SECTION:
www.denic.de.           3600    IN      A       81.91.170.12

;; Query time: 41 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Mar 28 16:22:04 UTC 2020
;; MSG SIZE  rcvd: 57


I would appreciate any help.

Kind regards,
Simon
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20200328/19075823/attachment.htm>

More information about the Pdns-users mailing list