Maintained by: NLnet Labs

[Unbound-users] DNSSEC validation by default?

Wouter Wijngaards
Thu Aug 7 15:05:47 CEST 2008



Hi James,

You are using an older version of Bind9, I think, since this was
considered bad behaviour by Bind and fixed in recent releases.
It was fixed because some legacy boxes (ADSL, I think) did not like
getting AD bits in their replies and crashed or hung on it.

If you just want to get an AD bit in the reply if it's secure, set the AD
bit in the query to signal that you are ready and able to receive the AD
bit in the reply.

That means getting your stub resolver to set 'AD' in queries.

This has just been documented in the latest dnssec-bis-updates draft in
the IETF dnsext working group.

Sorry for the breakage,
~   Wouter

James Raftery wrote:
| Hi,
|
| I'm evaluating replacing a BIND9 resolver with Unbound. The resolver under
| consideration performs DNSSEC validation using a configured trust-anchor for
| an internal-only signed zone which contains SSHFP records.
|
| Both BIND9 (running on 127.0.0.1) and Unbound (on 127.0.0.2) are able to
| validate successfully:
|
|
| $ drill -D @127.0.0.1 login.kerna.ie. ns
| ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 59631
| ;; flags: qr rd ra ad ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
| ;; QUESTION SECTION:
| ;; login.kerna.ie.      IN      NS
|
| ;; ANSWER SECTION:
| login.kerna.ie. 2210    IN      NS      apollo.kerna.ie.
| login.kerna.ie. 2210    IN      RRSIG   NS 5 3 14400 20081012130506 20080714130506 37514 login.kerna.ie. V7vsIJSkOFhWlITuKpKZ1qWng6nQ9ufD0H7l0dod1c45RQHfdDbz49J5QZuhOjafwocIXPx6pxKdcIsuskac0AWR214X9x/51Blym/suC8kSpndgEIzstsf+ZoRFph6PWq7RuoBN7ANgKDrCnHlFmmIBuRmiJ7WodSTWZk/lPUs= ;{id = 37514}
|
|
| $ drill -D @127.0.0.2 login.kerna.ie. ns
| ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 4326
| ;; flags: qr rd ra ad ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
| ;; QUESTION SECTION:
| ;; login.kerna.ie.      IN      NS
|
| ;; ANSWER SECTION:
| login.kerna.ie. 13792   IN      NS      apollo.kerna.ie.
| login.kerna.ie. 13792   IN      RRSIG   NS 5 3 14400 20081012130506 20080714130506 37514 login.kerna.ie. V7vsIJSkOFhWlITuKpKZ1qWng6nQ9ufD0H7l0dod1c45RQHfdDbz49J5QZuhOjafwocIXPx6pxKdcIsuskac0AWR214X9x/51Blym/suC8kSpndgEIzstsf+ZoRFph6PWq7RuoBN7ANgKDrCnHlFmmIBuRmiJ7WodSTWZk/lPUs= ;{id = 37514}
|
|
| A difference in behaviour occurs when I query without setting the DO bit.
| BIND validates and sets AD but Unbound does not:
|
|
| $ drill @127.0.0.1 login.kerna.ie. ns
| ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 56073
| ;; flags: qr rd ra ad ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
| ;; QUESTION SECTION:
| ;; login.kerna.ie.      IN      NS
|
| ;; ANSWER SECTION:
| login.kerna.ie. 1943    IN      NS      apollo.kerna.ie.
|
|
| $ drill @127.0.0.2 login.kerna.ie. ns
| ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 44238
| ;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
| ;; QUESTION SECTION:
| ;; login.kerna.ie.      IN      NS
|
| ;; ANSWER SECTION:
| login.kerna.ie. 14400   IN      NS      apollo.kerna.ie.
|
|
| My stub resolver (FreeBSD 6.3) doesn't set DO so OpenSSH rejects the SSHFP
| records it finds when using Unbound because they're not marked as secure.
| Is it possible for Unbound to validate everything it can and set AD
| accordingly? Or have I got the wrong end of the stick and it's actually
| BIND that's misbehaving in some (admittedly convenient) way?
|
| The behaviour is the same with Unbound 1.0.0 and 1.0.2 FWIW.
|
|
| Many thanks,
| james
