Providing AD flag for authoritative domains
Nick Tait
nick at tait.net.nz
Sat Dec 24 09:28:05 UTC 2022
On 23/12/2022 2:30 am, Jesus Cea wrote:
> Is there any way to configure bind to verify DNSSEC integrity and
> signal the AD flag for authoritative domains?. Views (it would lose
> the AA flag, then)?
>
> What would be the best practice for dnssec verification? To use a
> fully validating local resolver? Any other choice? I am currently
> using a local "bind" as a resolver and it works fine for DNSSEC
> verification, except for my authoritative domains.
Yes you can use views to effectively separate the concerns of the
recursive resolver function from the authoritative server, without
having to deploy extra servers. For example:
view "resolver" {
# Match criteria
match-clients { ... };
match-recursive-only yes;
zone "example.com" {
type static-stub;
server-addresses { ::1; };
};
include "/etc/bind/named.conf.default-zones";
};
view "authority" {
# View settings
empty-zones-enable no;
recursion no;
allow-recursion { none; };
rate-limit {
responses-per-second 5;
window 5;
};
zone "example.com" {
...
};
};
The idea here is that a recursive query (received from an 'internal'
address covered by the match-clients criteria) will be handled by the
/resolver/ view, which will use the static-stub zone to query (via
loopback address) the /authority/ view, which is authoritative for the
example.com zone. Provided the answer from the /authority/ view is
DNSSEC signed and the /resolver/ view can successfully validate the
signature, then the answer returned by the /resolver/ view to the
original client performing the recursive query includes the AD flag (but
not the AA flag).
It could actually work without the static-stub zone, but I prefer to
keep this to stop the /resolver/ view from sending the queries to a
different (authoritative) server.
Nick.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20221224/dd0b0ff1/attachment.htm>
More information about the bind-users
mailing list