DNSSEC and forward zones

Vinny_Abello at Dell.com
Tue Nov 1 16:14:34 UTC 2011


Hello,

I have DNSSEC validation running on a caching name server which is working fine. In addition, I have tried to add an entry in the named.conf to forward lookups for a local Active Directory domain name used for testing purposes so we can easily resolve the handful of servers in this domain. This isn't working as I had expected. In digging into the problem, I found that DNSSEC is positively validating the NXDOMAIN response based on the signed NSEC record from the root servers for the lack of "internal" which obviously makes the resolution fail since NXDOMAIN is the valid answer... done, end of story. I thought the forwarder type would bypass this but apparently I am wrong. Is there some other way to handle this for non-existent domains just for testing purposes?

Relevant named.conf config:

zone "policydomain.internal" {
        type forward;
        forward only;
        forwarders { 192.168.50.10; };
};


DNSSEC debug output:

21-Oct-2011 15:32:10.435 dnssec: debug 3: validating @0x802cec700: policydomain.internal A: starting
21-Oct-2011 15:32:10.435 dnssec: debug 3: validating @0x802cec700: policydomain.internal A: attempting insecurity proof
21-Oct-2011 15:32:10.435 dnssec: debug 3: validating @0x802cec700: policydomain.internal A: checking existence of DS at 'internal'
21-Oct-2011 15:32:10.437 dnssec: debug 3: validating @0x802cec700: policydomain.internal A: in dsfetched2: ncache nxdomain
21-Oct-2011 15:32:10.437 dnssec: debug 3: validating @0x802cec700: policydomain.internal A: resuming proveunsecure
21-Oct-2011 15:32:10.437 dnssec: debug 3: validating @0x802cec700: policydomain.internal A: checking existence of DS at 'policydomain.internal'
21-Oct-2011 15:32:10.438 dnssec: debug 3: validating @0x802e06b00: policydomain.internal DS: starting
21-Oct-2011 15:32:10.438 dnssec: debug 3: validating @0x802e06b00: policydomain.internal DS: attempting negative response validation
21-Oct-2011 15:32:10.438 dnssec: debug 3: validating @0x802e06b00: policydomain.internal DS: in authvalidated
21-Oct-2011 15:32:10.438 dnssec: debug 3: validating @0x802e06b00: policydomain.internal DS: resuming nsecvalidate
21-Oct-2011 15:32:10.439 dnssec: debug 3: validating @0x802e06b00: policydomain.internal DS: in authvalidated
21-Oct-2011 15:32:10.439 dnssec: debug 3: validating @0x802e06b00: policydomain.internal DS: looking for relevant nsec
21-Oct-2011 15:32:10.439 dnssec: debug 3: validating @0x802e06b00: policydomain.internal DS: ignoring nsec because name is past end of range
21-Oct-2011 15:32:10.439 dnssec: debug 3: validating @0x802e06b00: policydomain.internal DS: resuming nsecvalidate
21-Oct-2011 15:32:10.439 dnssec: debug 3: validating @0x802e06b00: policydomain.internal DS: in authvalidated
21-Oct-2011 15:32:10.439 dnssec: debug 3: validating @0x802e06b00: policydomain.internal DS: looking for relevant nsec
21-Oct-2011 15:32:10.439 dnssec: debug 3: validating @0x802e06b00: policydomain.internal DS: nsec range ok
21-Oct-2011 15:32:10.439 dnssec: debug 3: validating @0x802e06b00: policydomain.internal DS: resuming nsecvalidate
21-Oct-2011 15:32:10.439 dnssec: debug 3: validating @0x802e06b00: policydomain.internal DS: in checkwildcard: *
21-Oct-2011 15:32:10.439 dnssec: debug 3: validating @0x802e06b00: policydomain.internal DS: looking for relevant nsec
21-Oct-2011 15:32:10.439 dnssec: debug 3: validating @0x802e06b00: policydomain.internal DS: nsec range ok
21-Oct-2011 15:32:10.439 dnssec: debug 3: validating @0x802e06b00: policydomain.internal DS: nonexistence proof(s) found
21-Oct-2011 15:32:10.439 dnssec: debug 3: validating @0x802cec700: policydomain.internal A: in dsfetched2: ncache nxdomain
21-Oct-2011 15:32:10.439 dnssec: debug 3: validating @0x802cec700: policydomain.internal A: resuming proveunsecure
21-Oct-2011 15:32:10.439 dnssec: debug 3: validating @0x802cec700: policydomain.internal A: insecurity proof failed

Thanks!

-Vinny
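For readers arriving at this thread later: a forward zone changes where the query is sent, not whether the answer is validated. The forwarded reply is still handed to the validator, which walks down from the root trust anchor, asks for a DS record at "internal", receives a signed NXDOMAIN (the NSEC proof in the debug output above) and therefore concludes that no insecure delegation can exist there, so the unsigned answer for policydomain.internal is bogus rather than merely insecure. The fragment below is an added example, not configuration from the original post or from ISC. It shows the poster's forward zone next to the mechanism later BIND releases provide for exactly this case, the validate-except option (BIND 9.14 and later). The zone name and forwarder address are taken from the post; the directory path is an assumption.

```conf
options {
        directory "/var/named";            // assumption: example path only
        recursion yes;
        dnssec-validation auto;            // keep validation on for everything else

        // Added example (not from the original post): skip DNSSEC validation
        // only at and below the forwarded name. Requires BIND 9.14 or later.
        // Scope it to the exact apex; listing "internal" here would exempt
        // every name under that label, not just the test domain.
        validate-except { "policydomain.internal"; };
};

// Unchanged from the post: hand the AD domain to the domain controller.
// Without validate-except, the answer from 192.168.50.10 is still run
// through the validator, and the root's signed NXDOMAIN for "internal"
// makes the insecurity proof fail.
zone "policydomain.internal" {
        type forward;
        forward only;
        forwarders { 192.168.50.10; };
};
```

For a short-lived test rather than a permanent carve-out, a negative trust anchor does the same thing at runtime without editing named.conf: `rndc nta policydomain.internal` (BIND 9.11 and later; one hour lifetime by default, `rndc nta -remove policydomain.internal` clears it early and `rndc nta -dump` lists the active ones). Before changing anything, confirm that validation is the cause by comparing `dig @127.0.0.1 policydomain.internal A`, which should return SERVFAIL, with the same query plus `+cd`, which asks the resolver to skip validation and should return the forwarder's answer. Whichever mechanism is used, answers under the exempted apex carry no AD flag and are only as trustworthy as the path to 192.168.50.10, so validate-except should be reserved for names like this one that provably do not exist in the public tree, not used as a general workaround for unsigned domains that do.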


