Maintained by: NLnet Labs

[Unbound-users] Forwarding failing when DNSSec is enabled

Leen Besselink
Thu Jul 2 16:54:00 CEST 2009


On Thu, Jul 02, 2009 at 04:36:43PM +0200, W.C.A. Wijngaards wrote:
> Hi Leen,
> 
> On 07/02/2009 10:35 AM, Leen Besselink wrote:
> > Hi Wouter,
> > 
> > Usually I just lurk on this mailinglist, but this time I have a question about DNSSEC.
> > 
> > I'm not familiar with all details of DNSSEC, but I thought it doesn't really matter all that much where
> > you get the DNSSEC information from, as long as you have a copy of the public root key or maybe
> > something from a DLV-system. You would be able to verify it all the way from the top down to the record
> > that you want to verify.
> 
> Yes, but you have to get the data from the server.
> DNSSEC does not conjure information out of thin air.
> 
> > A forwarder would then just be a cache, you could ask that forwarder to retrieve the right RR and you'd
> > be able to verify it.
> 
> Yes, if that forwarder gives along the signature with the data.
> If the forwarder takes away all the signatures, then with
> DNSSEC you detect that and the response is a security failure.
> 
> > This is what I always assumed, let's say the root is signed ( I assume with DLV it's kind of similar ):
> > 
> > 1. you know the root is signed, you have the public key (or whatever key material you need), you get
> > the right records and you verify these records. They can't be changed, otherwise the signatures wouldn't
> > match.
> 
> Yes.  And there is an expiration to tell you this was not
> a delayed repeat of old information.
> 
> > 2. It has a record that says .org is signed and it has to match with this key.
> 
> Yes
> 
> > 3. you ask for .org information and it HAS to be signed, if it isn't signed or doesn't match, it's invalid.
> > 
> > and so on.
> 
> Yes
> 
> > So where can the records be stripped ?
> 
> It looked like Harish was running a setup where the forwarder was
> stripping the records.  Because it did not have dnssec enabled, it
> did not pass along the information that was necessary.
> 
> Noticing that information was stripped off, unbound then decided this
> was a security failure.
> 
> Does this information help?
> 

Yes, it does take away my uncertainty about whether I understand correctly how DNSSEC works.

It's not possible for Unbound to ask the forwarder for the specific record (I think it's something like KEY)?

Or would a forwarder strip that also?

Or would all these extra requests delay the whole thing far too much, and is that a good reason not to do it?

> Best regards,
>    Wouter
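An added example, not from this thread or from Unbound's own code, of the check a validating resolver effectively performs on what a forwarder hands back: it parses a DNS response in wire format and reports whether the RRSIG records and the EDNS0 DO flag survived, which is exactly the material a non-DNSSEC forwarder strips. The two sample responses are constructed here; example.org and the zeroed RRSIG payload are placeholders.

```python
import struct
TYPE_A, TYPE_RRSIG, TYPE_OPT = 1, 46, 41

def _skip_name(wire, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = wire[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def inspect_response(wire):
    """Report the DNSSEC-relevant content of a DNS response in wire format."""
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", wire[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(wire, off) + 4        # skip QTYPE and QCLASS
    rrsigs, do_bit = 0, False
    for _ in range(an + ns + ar):
        off = _skip_name(wire, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_RRSIG:
            rrsigs += 1
        elif rtype == TYPE_OPT:
            do_bit = bool(ttl & 0x8000)        # EDNS0 DO flag sits in the OPT TTL field
    return {"ad": bool(flags & 0x0020), "do": do_bit, "rrsigs": rrsigs}

# Constructed sample responses (hypothetical data built here for the demo).
def _name(s):
    if not s:
        return b"\x00"                         # the root name
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\x00"

def _rr(name, rtype, rdata, ttl=3600, rclass=1):
    return _name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def _msg(flags, answers, with_opt):
    # OPT pseudo-RR: owner is root, class carries UDP size, TTL high bit is DO
    extra = [_rr("", TYPE_OPT, b"", ttl=0x8000, rclass=4096)] if with_opt else []
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, len(extra))
    question = _name("example.org") + struct.pack("!HH", TYPE_A, 1)
    return hdr + question + b"".join(answers + extra)

A_RR = _rr("example.org", TYPE_A, bytes([192, 0, 2, 1]))
SIG_RR = _rr("example.org", TYPE_RRSIG, b"\x00" * 40)   # placeholder RRSIG rdata
FULL = _msg(0x81A0, [A_RR, SIG_RR], with_opt=True)       # signatures passed along
STRIPPED = _msg(0x8180, [A_RR], with_opt=False)          # forwarder dropped DNSSEC data
```

A response like STRIPPED is what makes a validator report a security failure: the data is there, but the proof that it is genuine is not.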