proper setup of dnssec-validation to _always_ resolve, and retrieve DATA and status flags ?
dchilton+bind at bestmail.us
Tue May 10 02:32:40 UTC 2011
Hi.
My BIND 9.8.0-P1 server is DNSSEC-enabled, and signed zones are publishing
as DNSSEC-valid.
I have both internal and external views:
-- internal is authoritative and provides recursion for LAN clients
-- external serves only as an authoritative hidden-primary feeding
slaves via AXFR.
all good.
If I enable DNSSEC validation in the internal view, having imported the
trusted key for the root, then for known-good domains a 'dig domain.com'
returns DATA as expected, e.g.,
dig pir.org | egrep "IN.*A|;; flags"
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4,
ADDITIONAL: 0
;pir.org. IN A
pir.org. 75 IN A 173.201.238.128
dig pir.org +dnssec | egrep "IN.*A|;; flags"
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5,
ADDITIONAL: 1
;pir.org. IN A
pir.org. 95 IN A 173.201.238.128
pir.org. 95 IN RRSIG A 5 2 300
20110523085011 20110509085011 38939 pir.org.
LLK3y1HXm3/F3Tvq/b/cW4jnQC6gxtYlalPhM28w3tUzo2wS482vaWQr
RF1DBvGTUD4uADNidjaftjkch7b2H1b+e5V4o0xQml/WpqCW/VqgLgxI
g/yIg9WhP1Ec8uvWG2Ojy0ZIM0JKBBfFFlIxZVYqCyrY8WittyUOFlwo O48=
pir.org. 95 IN RRSIG NS 5 2 300
20110523085011 20110509085011 38939 pir.org.
yUKJARGNwBWKFTi1V1nU5x38vcQrYPSn86G5MzjyMBjUWwZ3zZ4E+OMz
P8svjTEdwKd6ibQGAp7aVEcqE3ruCnioqaXCZJsjT6YCaTpIjUMmRvpj
tZUByl11+aqfcJuvfTNOo2PFtzRDv46vAlbZFf74fAK4AwNQa42OZlZC WVc=
For known-bad domains, 'dig domain.com' hesitates for a bit, then returns
SERVFAIL -- no DATA.
dig www.adobe.com
; <<>> DiG 9.8.0-P1 <<>> www.adobe.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26024
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0,
ADDITIONAL: 0
;; QUESTION SECTION:
;www.adobe.com. IN A
;; Query time: 2948 msec
;; SERVER: 10.10.10.100#53(10.10.10.100)
;; WHEN: Mon May 9 12:21:28 2011
;; MSG SIZE rcvd: 31
my understanding was that a 'dig domain.com +dnssec' on a known-bad
domain would return DATA without the SERVFAIL, but it returns the same.
e.g.,
dig www.adobe.com +dnssec
; <<>> DiG 9.8.0-P1 <<>> www.adobe.com +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4667
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0,
ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.adobe.com. IN A
;; Query time: 69 msec
;; SERVER: 10.10.10.100#53(10.10.10.100)
;; WHEN: Mon May 9 12:21:32 2011
;; MSG SIZE rcvd: 42
Shouldn't the "+dnssec" case for known-bad be returning DATA?
Also, I'm unclear about the proper use for validation. I *want* to
validate, but have the DATA nonetheless returned, with appropriate FLAGS
so that, e.g., Firefox + DNSSEC-extension can (1) resolve the domain,
and (2) 'report' the DNSSEC state in-browser.
The way things are working now, with validation enabled and NO DATA
returned, domains simply don't resolve at all -- and, of course, the
browser displays a failure.
Is my expected usage _not_ appropriate?
Thanks,
DCh
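The behaviour the post describes is a validating resolver doing its job: when a signed answer fails validation, the resolver returns SERVFAIL rather than hand out data it could not verify, and that is independent of whether the client set +dnssec (the DO bit only asks for RRSIG records to be included). A client that wants to see the data anyway and judge the state itself sends the query with the Checking Disabled bit (dig +cd); the "ad" flag on a normal answer marks data the resolver validated. The script below is an added example by the editor, not part of the original post or of BIND. It classifies a name as secure, insecure or bogus from two dig captures (a normal query and a +cd query) against the same resolver. The captures it tests against are constructed inline from the format shown in the post, with 192.0.2.x documentation addresses standing in for answer data the post does not show; it assumes the header and flags layout of dig 9.x.

```shell
#!/bin/sh
# Added example (not from the original post or from BIND): classify the
# DNSSEC state of a name the way a validating stub or browser extension
# would, from two dig runs against the same resolver:
#   validated OK         -> NOERROR with the "ad" flag set        => secure
#   unsigned zone        -> NOERROR without "ad"                  => insecure
#   validation failure   -> SERVFAIL, but the +cd query (Checking
#                           Disabled) still returns the data      => bogus
#   anything else        -> error (server down, lame delegation, ...)
# Only dig's text output is parsed, so classify_dnssec runs offline.

# Extract the rcode from dig's ";; ->>HEADER<<-" line.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Succeed if the "ad" (authenticated data) flag appears in the flags line.
dig_has_ad() {
    flags=$(printf '%s\n' "$1" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case " $flags " in
        *" ad "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Usage: classify_dnssec "<dig output>" "<dig +cd output>"
# Prints one of: secure, insecure, bogus, error
classify_dnssec() {
    normal_status=$(dig_status "$1")
    cd_status=$(dig_status "$2")
    if [ "$normal_status" = "NOERROR" ]; then
        if dig_has_ad "$1"; then echo secure; else echo insecure; fi
    elif [ "$normal_status" = "SERVFAIL" ] && [ "$cd_status" = "NOERROR" ]; then
        # Validation is the only thing that failed: with checking disabled
        # the same resolver hands back the (unvalidated) answer.
        echo bogus
    else
        echo error
    fi
}

# Live probe (needs network and dig; not exercised by the embedded checks).
# Usage: probe_dnssec <name> <resolver-ip>
probe_dnssec() {
    classify_dnssec "$(dig @"$2" "$1" A +dnssec)" "$(dig @"$2" "$1" A +dnssec +cd)"
}

# Constructed captures, abbreviated to the lines the classifier reads.
# Header/flags follow the post; the answer data for the bogus/insecure cases
# are documentation addresses (RFC 5737), not real records.
SAMPLE_SECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 1
;; ANSWER SECTION:
pir.org. 95 IN A 173.201.238.128'

SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4667
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

SAMPLE_BOGUS_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4668
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
www.adobe.com. 300 IN A 192.0.2.10'

SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
example.net. 300 IN A 192.0.2.20'

# Stand-alone demo on the constructed captures.
printf 'pir.org:       %s\n' "$(classify_dnssec "$SAMPLE_SECURE" "$SAMPLE_SECURE")"
printf 'www.adobe.com: %s\n' "$(classify_dnssec "$SAMPLE_BOGUS" "$SAMPLE_BOGUS_CD")"
printf 'example.net:   %s\n' "$(classify_dnssec "$SAMPLE_INSECURE" "$SAMPLE_INSECURE")"
```

The two-query pattern is what makes the distinction observable from the outside: a bare SERVFAIL is ambiguous (the authoritative servers may simply be unreachable), so the +cd retry is the check that separates "bogus signature" from "broken zone". Note that answering a +cd query with unvalidated data is exactly the exposure validation exists to remove; a client that sends +cd must do its own validation or treat the result as untrusted.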