Maintained by: NLnet Labs

[Unbound-users] DNSSEC validation by default?

James Raftery
Thu Aug 7 13:53:16 CEST 2008


Hi,

I'm evaluating replacing a BIND9 resolver with Unbound. The resolver under
consideration performs DNSSEC validation using a configured trust-anchor for
an internal-only signed zone which contains SSHFP records.

Both BIND9 (running on 127.0.0.1) and Unbound (on 127.0.0.2) are able to
validate successfully:


$ drill -D @127.0.0.1 login.kerna.ie. ns 
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 59631
;; flags: qr rd ra ad ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; login.kerna.ie.      IN      NS

;; ANSWER SECTION:
login.kerna.ie. 2210    IN      NS      apollo.kerna.ie.
login.kerna.ie. 2210    IN      RRSIG   NS 5 3 14400 20081012130506 20080714130506 37514 login.kerna.ie. V7vsIJSkOFhWlITuKpKZ1qWng6nQ9ufD0H7l0dod1c45RQHfdDbz49J5QZuhOjafwocIXPx6pxKdcIsuskac0AWR214X9x/51Blym/suC8kSpndgEIzstsf+ZoRFph6PWq7RuoBN7ANgKDrCnHlFmmIBuRmiJ7WodSTWZk/lPUs= ;{id = 37514}


$ drill -D @127.0.0.2 login.kerna.ie. ns
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 4326
;; flags: qr rd ra ad ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; login.kerna.ie.      IN      NS

;; ANSWER SECTION:
login.kerna.ie. 13792   IN      NS      apollo.kerna.ie.
login.kerna.ie. 13792   IN      RRSIG   NS 5 3 14400 20081012130506 20080714130506 37514 login.kerna.ie. V7vsIJSkOFhWlITuKpKZ1qWng6nQ9ufD0H7l0dod1c45RQHfdDbz49J5QZuhOjafwocIXPx6pxKdcIsuskac0AWR214X9x/51Blym/suC8kSpndgEIzstsf+ZoRFph6PWq7RuoBN7ANgKDrCnHlFmmIBuRmiJ7WodSTWZk/lPUs= ;{id = 37514}


A difference in behaviour occurs when I query without setting the DO bit. BIND
validates and sets AD but Unbound does not:


$ drill @127.0.0.1 login.kerna.ie. ns 
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 56073
;; flags: qr rd ra ad ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; login.kerna.ie.      IN      NS

;; ANSWER SECTION:
login.kerna.ie. 1943    IN      NS      apollo.kerna.ie.


$ drill @127.0.0.2 login.kerna.ie. ns 
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 44238
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; login.kerna.ie.      IN      NS

;; ANSWER SECTION:
login.kerna.ie. 14400   IN      NS      apollo.kerna.ie.


My stub resolver (FreeBSD 6.3) doesn't set DO, so OpenSSH rejects the SSHFP
records it finds when using Unbound because they're not marked as secure. Is
it possible for Unbound to validate everything it can and set AD
accordingly? Or have I got the wrong end of the stick and it's actually
BIND that's misbehaving in some (admittedly convenient) way?

The behaviour is the same with Unbound 1.0.0 and 1.0.2 FWIW.


Many thanks,
james
-- 
Time flies like an arrow. Fruit flies like bananas.
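The DO/AD behaviour discussed in the post, as an added example that is not part of the original message or of Unbound itself: a minimal Python client that builds the two kinds of query drill sends (with and without an EDNS0 OPT RR carrying the DO bit) and reads the AD flag from the response header, which is the signal a stub resolver or OpenSSH's SSHFP check relies on to treat an answer as validated. The sample response headers are constructed to match the two flag lines shown above; send_query is a live helper for checking your own resolver.

```python
import socket
import struct

# Header flag bits (RFC 1035; AD and CD from RFC 4035 section 3.2.3).
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
TYPE_NS, TYPE_OPT, CLASS_IN = 2, 41, 1
EDNS_DO = 0x8000  # DO flag in the OPT RR's TTL field (RFC 3225)

def encode_name(name):
    """Encode a dotted name as uncompressed DNS wire labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=TYPE_NS, do_bit=False, txid=0x1234):
    """Build a recursive query. do_bit=True appends an EDNS0 OPT RR with DO set
    (what 'drill -D' sends); do_bit=False sends no OPT RR at all, like a classic stub."""
    packet = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 1 if do_bit else 0)
    packet += encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    if do_bit:
        # OPT RR: root owner, type 41, class = UDP payload size 4096,
        # TTL = ext-rcode(8) | version(8) | flags(16) with DO, empty RDATA.
        packet += b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, EDNS_DO, 0)
    return packet

def parse_flags(response):
    """Return the header flags of a response as a dict."""
    txid, flags = struct.unpack("!HH", response[:4])
    return {"id": txid, "qr": bool(flags & QR), "rd": bool(flags & RD),
            "ra": bool(flags & RA), "ad": bool(flags & AD),
            "cd": bool(flags & CD), "rcode": flags & 0x000F}

def answer_marked_secure(response):
    """AD is the resolver's statement that it validated the answer; a stub
    (or OpenSSH checking SSHFP records) can only trust the data when it is set."""
    f = parse_flags(response)
    return f["qr"] and f["rcode"] == 0 and f["ad"]

def send_query(server, name, qtype=TYPE_NS, do_bit=False, timeout=2.0):
    """Live helper: send the query over UDP to port 53 and return the raw response."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, do_bit), (server, 53))
        return s.recvfrom(4096)[0]

# Constructed sample response headers mirroring the two plain 'drill' outputs
# above: flags "qr rd ra ad" (validated) and "qr rd ra" (not marked secure).
RESPONSE_WITH_AD = struct.pack("!HHHHHH", 56073, QR | RD | RA | AD, 1, 1, 0, 0)
RESPONSE_WITHOUT_AD = struct.pack("!HHHHHH", 44238, QR | RD | RA, 1, 1, 0, 0)
```

Compare `answer_marked_secure(send_query("127.0.0.2", "login.kerna.ie.", do_bit=False))` against the same call with `do_bit=True` to see whether a resolver only asserts AD when the client asked for DNSSEC data.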