DNSSEC support in libbind
Simon Vallet
svallet at genoscope.cns.fr
Mon Feb 19 10:59:17 UTC 2007
Hi,
we're currently trying to make use of RFC4255 SSHFP RR on linux
clients. As glibc does not support DNSSEC (yet?), the ssh client was
linked against libbind instead of libresolv.
However, I'm hitting a problem trying to fetch the RRSIG records
(libbind from 9.3.4, with RES_OPTIONS="debug edns0"):
;; res_setoptions("edns0 debug", "env")...
;; debug
;; res_query(etna.genoscope.cns.fr, 1, 44)
;; res_nmkquery(QUERY, etna.genoscope.cns.fr, IN, TYPE44)
;; res_nopt()
;; res_send()
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42216
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; etna.genoscope.cns.fr, type = TYPE44, class = IN
; EDNS: version: 0, udp=0, flags=0000
It appears the DO bit is not set here, so the server doesn't include
the relevant RRs in the reply.
If I try to force usage of DNSSEC (quick-and-dirty source
modification), this is what I get:
;; res_setoptions("edns0 debug dnssec", "env")...
;; debug
;; res_query(etna.genoscope.cns.fr, 1, 44)
;; res_nmkquery(QUERY, etna.genoscope.cns.fr, IN, TYPE44)
;; res_nopt()
;; res_opt()... ENDS0 DNSSEC
;; res_send()
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3821
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; etna.genoscope.cns.fr, type = TYPE44, class = IN
; EDNS: version: 0, udp=0, flags=8000
The DO bit is set, and the server does return RRSIG records, however:
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3821
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 7
;; etna.genoscope.cns.fr, type = TYPE44, class = IN
etna.genoscope.cns.fr. 2D IN TYPE44 \# 22 ( ; unknown RR type
[...]
etna.genoscope.cns.fr. 2D IN TYPE46 \# 164 (; unknown RR type
[...]
; EDNS: version: 0, udp=4096, flags=8000
debug1: found 1 insecure fingerprints in DNS
So it seems the resolver does not recognize the RRSIG RR for some
reason...
Any hint?
Simon
--
Simon Vallet
Ingénieur Systèmes/Réseaux
Genoscope / CNRG
Tél. : 01 60 87 36 06
E-mail : svallet at genoscope.cns.fr
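As an added illustration (not part of Simon's post or of libbind), the following Python builds a query whose EDNS0 OPT RR carries the DO bit (the flags=8000 seen above) and walks a response, naming types 44 and 46 as SSHFP and RRSIG the way a DNSSEC-aware resolver would. The host name and the sample response bytes are constructed; the RRSIG payload is filler, not a real signature.

```python
import struct

SSHFP, RRSIG, OPT = 44, 46, 41      # RR type codes from the IANA registry
DO_BIT = 0x8000                      # DNSSEC OK flag in the OPT RR "TTL" field
TYPE_NAMES = {SSHFP: "SSHFP", RRSIG: "RRSIG", OPT: "OPT", 1: "A"}

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus root."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(name, qtype, qid=0x1234, dnssec_ok=True):
    """Query with one question and an OPT RR; set DO only when dnssec_ok."""
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 1)   # RD set, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    ttl = DO_BIT if dnssec_ok else 0
    # OPT: root name, type 41, "class" = UDP payload size, ttl = ext rcode/ver/flags
    opt = b"\x00" + struct.pack("!HHIH", OPT, 4096, ttl, 0)
    return header + question + opt

def skip_name(msg, off):
    """Advance past a name, handling a compression pointer (0xC0xx)."""
    while True:
        l = msg[off]
        if l == 0:
            return off + 1
        if l & 0xC0 == 0xC0:
            return off + 2
        off += 1 + l

def parse_response(msg):
    """Return (do_bit_set, [RR type names]) for all non-question sections."""
    qid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    types, do_set = [], False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:
            do_set = bool(ttl & DO_BIT)        # server echoes DO when it honours it
        else:
            types.append(TYPE_NAMES.get(rtype, f"TYPE{rtype}"))
    return do_set, types

def sample_response():
    """Constructed reply: SSHFP + RRSIG in ANSWER, OPT with DO in ADDITIONAL."""
    name = encode_name("host.example.test")
    header = struct.pack("!6H", 0x1234, 0x8580, 1, 2, 0, 1)   # qr aa rd ra
    question = name + struct.pack("!HH", SSHFP, 1)
    sshfp_rd = b"\x01\x01" + b"\x00" * 20                      # alg 1, SHA-1, filler fp
    sshfp = b"\xc0\x0c" + struct.pack("!HHIH", SSHFP, 1, 172800, len(sshfp_rd)) + sshfp_rd
    rrsig_rd = b"\x00" * 18 + name + b"\x00" * 64              # filler, not a real signature
    rrsig = b"\xc0\x0c" + struct.pack("!HHIH", RRSIG, 1, 172800, len(rrsig_rd)) + rrsig_rd
    opt = b"\x00" + struct.pack("!HHIH", OPT, 4096, DO_BIT, 0)
    return header + question + sshfp + rrsig + opt
```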