[Pdns-users] PowerDNS Recursor Performance and Tuning

Otto Moerbeek otto at drijf.net
Fri Jan 21 13:14:39 UTC 2022


On Thu, Jan 20, 2022 at 07:41:42AM +0100, Otto Moerbeek wrote:

> On Thu, Jan 20, 2022 at 09:51:51AM +0330, Hamed Haghshenas via Pdns-users wrote:
> 
> > > > How can I secure my dns Recursor? I tried to read the document about dnssec in
> > > > the powerdns wiki but can't understand what I should do?
> > > >
> > > > https://doc.powerdns.com/recursor/dnssec.html
> > >
> > > In short:
> > >
> > > dnssec=validate
> > 
> > I set dnssec=validate, but one error exists (Invalid signature: connected)
> > 
> > #################################
> > 
> > Your dns security:
> > 
> > DNSSEC (FAIL)
> > 
> > * Valid signature: connected
> > * Invalid signature: connected
> > * Expired signature: not connected
> > * Missing signature: not connected
> > 
> > Best Regards,
> 
> This is interesting. AFAICS, the query used for this test is
> 
> dig badsig.go.dnscheck.tools TXT
> 
> According to the website, it should not validate. I will investigate.
> 
> 	-Otto

The issue is that PowerDNS Recursor marks the result as Insecure (not
signed by DNSSEC). Other resolvers do mark it as Bogus (failing DNSSEC
validation). The test site expects the latter.

The rec behaviour is because the replies to determine the delegation
point (aka zone-cut) are inconsistent: specifically the NSEC reply is
inconsistent. At the moment we draw the conclusion: it is an Insecure
delegation. There is now a PR that changes this behavior (rejecting
the NSEC record).

See https://github.com/PowerDNS/pdns/pull/11225

We also reported the issue here (as it is mainly an issue that should be
fixed on the authoritative server side):

https://www.reddit.com/r/u_dnschecktool/comments/rpf6uh/dnschecktools_identify_your_dns_resolvers/htl14g4/

This is the only contact that dnscheck.tools lists.

Note: while this may look like a downgrade attack, it is not, as only
the owner of the domain can create the inconsistent *but signed* NSEC
records. So don't worry about the failing test result.

Regards,

 -Otto
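The Secure / Insecure / Bogus distinction discussed above is easy to check against your own recursor from dig output. This is an added example, not code from the thread or from PowerDNS: it classifies a name from the header lines of two dig runs, one normal and one with +cd (checking disabled), and the sample headers below are constructed to mirror what the recursor returned for badsig.go.dnscheck.tools (NOERROR without AD, i.e. Insecure) versus a validating failure (SERVFAIL that succeeds with +cd, i.e. Bogus).

```shell
#!/bin/sh
# Added example (not from the thread): classify a resolver's DNSSEC verdict
# for one name from the header lines of two dig runs: one normal, one with
# +cd (checking disabled). All sample dig output below is constructed.

# Extract "status: X" from a dig header block.
dig_rcode() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Extract the flag list (e.g. "qr rd ra ad") from a dig header block.
dig_flags() {
    printf '%s\n' "$1" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1
}

# classify_dnssec NORMAL_OUTPUT CD_OUTPUT -> Secure | Insecure | Bogus | Unknown
# Secure:   NOERROR with the AD bit set
# Insecure: NOERROR without AD (what the recursor returned for badsig.go.dnscheck.tools)
# Bogus:    SERVFAIL normally but NOERROR with +cd, so validation is what failed
classify_dnssec() {
    rc=$(dig_rcode "$1")
    cdrc=$(dig_rcode "$2")
    flags=$(dig_flags "$1")
    case "$rc" in
        NOERROR)
            case " $flags " in
                *" ad "*) echo Secure ;;
                *)        echo Insecure ;;
            esac ;;
        SERVFAIL)
            if [ "$cdrc" = NOERROR ]; then echo Bogus; else echo Unknown; fi ;;
        *) echo Unknown ;;
    esac
}

# Constructed sample headers standing in for `dig badsig.go.dnscheck.tools TXT`
# (Insecure or Bogus variant) and `dig +cd badsig.go.dnscheck.tools TXT`.
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1111
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2222
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3333
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Live use against a local recursor (assumed to listen on 127.0.0.1):
# classify_dnssec "$(dig @127.0.0.1 badsig.go.dnscheck.tools TXT)" \
#                 "$(dig @127.0.0.1 +cd badsig.go.dnscheck.tools TXT)"
```

A recursor that validates but still reports Insecure for this name is behaving as the thread describes; only a Secure answer for badsig would indicate a genuinely non-validating resolver.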