[Pdns-users] Recursor: Response loses AD flag if Lua script hook returns true
Pieter Lexis
pieter.lexis at powerdns.com
Mon Mar 30 09:05:33 UTC 2020
Hi Simon,

On 3/28/20 5:34 PM, Simon Erhardt via Pdns-users wrote:
> We use PowerDNS Recursor to intercept certain lookups and return values
> from a database instead. Therefore we use the Lua scripting capability.
> Now we noticed that requests with DNSSEC lose the set AD flag when a
> hook in the script of the request is marked as "handled" (by returning
> "true"). I don't know if this is by design (which I can imagine), or if we
> are missing something.

Once the post-resolve hook indicated it 'took' the query (by returning
true), the recursor cannot guarantee that the answer is unaltered or no
records are inserted. This is why the recursor *always* clears the
DNSSEC validation state when a `true` is returned.

As `postresolve` is called *after* resolution and validation have already
happened, PowerDNS won't revalidate. To ensure it does not lie to the
clients, the AD bit is never set [1].

I hope this clears up the confusion.

Best regards,
Pieter

[1] https://github.com/PowerDNS/pdns/blob/dbcbb6820eab29a5da2ae51ae2321b8691fce938/pdns/pdns_recursor.cc#L1461-L1462

--
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com
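
One way to act on the behaviour described in this reply, as an added example that is not part of the original message or the PowerDNS code base: a `postresolve` hook that returns `true` only when it actually rewrote a record and `false` otherwise, so untouched answers keep their validation state. The `overrides` table, the names and the addresses are constructed placeholders standing in for the database lookup; the hook only runs inside the Recursor, which supplies `pdns`, `pdnslog` and the `dq` object.

```lua
-- Added example. Constructed stand-in for the database of intercepted
-- names mentioned in the question (placeholder names and addresses).
local overrides = {
  ["intercepted.example.net"] = "192.0.2.10",
}

-- Case-insensitive DNS name comparison against the override table.
local function lookup(qname)
  for name, addr in pairs(overrides) do
    if qname:equal(name) then
      return addr
    end
  end
  return nil
end

function postresolve(dq)
  if dq.qtype ~= pdns.A then
    return false
  end
  local replacement = lookup(dq.qname)
  if replacement == nil then
    -- Not an intercepted name: returning false leaves the answer and its
    -- DNSSEC validation state alone, so AD can still be set.
    return false
  end

  local records = dq:getRecords()
  local changed = false
  for _, rec in pairs(records) do
    -- place == 1 is the answer section
    if rec.type == pdns.A and rec.place == 1 and rec:getContent() ~= replacement then
      rec:changeContent(replacement)
      changed = true
    end
  end
  if not changed then
    return false
  end

  -- Record when a validated answer is being replaced: once this hook
  -- returns true the validation state is cleared and AD is not set.
  if dq.validationState == pdns.validationstates.Secure then
    pdnslog("postresolve rewrote a Secure answer for " .. dq.qname:toString())
  end
  dq:setRecords(records)
  return true
end
```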