Maintained by: NLnet Labs

[Unbound-users] Forwarding failing when DNSSec is enabled

W.C.A. Wijngaards
Thu Jul 2 16:36:43 CEST 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Leen,

On 07/02/2009 10:35 AM, Leen Besselink wrote:
> Hi Wouter,
> 
> Usually I just lurk on this mailinglist, but this time I have a question about DNSSEC.
> 
> I'm not familair with all details of DNSSEC, but I thought it doesn't really matter all that much where
> you get the DNSSEC information from, as long as you have a copy of the public root key or maybe
> something from a DLV-system. You would be able to verify it all the way from the top down to the record
> that you want to verify.

Yes, but you have to get the data from the server.
DNSSEC does not conjure information out of thin air.

> A forwarded would then just be a cache, you could ask that forwarded to retrieve the right RR and you'd
> be able to verify it.

Yes, if that forwarder gives along the signature with the data.
If the forwarder takes away all the signatures, then with
DNSSEC you detect that and the response is a security failure.

> This is what I always assumed, let's say the root is signed ( I assume with DLV it's kind of similair ):
> 
> 1. you know the root is signed, you have the public key (or whatever key material you need), you get
> the right records and you verify these records. They can't be changed, otherwise the signatures wouldn't
> match.

Yes.  And there is an expiration to tell you this was not
a delayed repeat of old information.

> 2. It has a record that says .org is signed and it has to match with this key.

Yes

> 3. you ask for .org information and it HAS to be signed, if it isn't signed or doesn't match, it's invalid.
> 
> and so on.

Yes

> So where can the records be stripped ?

It looked like Harish was running a setup where the forwarder was
stripping the records.  Because it did not have dnssec enabled, it
did not pass along the information that was necessary.

Noticing that information was stripped off, unbound then decided this
was a security failure.

Does this information help?

Best regards,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkpMxfsACgkQkDLqNwOhpPissgCeJr0w0R7SGoYveycNplpBd3Kl
fh4AoKghjmNjNA4gA7LHPoRJEFdMDb4M
=+sCI
-----END PGP SIGNATURE-----