Bug in Bind 9.8 or am I doing something wrong?

Spain, Dr. Jeffry A. spainj at countryday.net
Tue Sep 6 21:22:01 UTC 2011


Lyle: If I understand your issue correctly, it is one that I also experienced when using a Windows 2008 R2 DNS server to forward to a BIND 9.8.0 recursive resolver configured to perform DNSSEC validation. By default Windows 2008 R2 DNS forwards queries with the CD flag set in the query, and it includes the OPT pseudo-resource record with the DO bit set. The meaning of this to the BIND resolver is supposed to be "don't bother checking DNSSEC validity" (CD bit set) and return DNSSEC information (DO bit set). Unfortunately Windows can't do its own DNSSEC validity checking since there is no way to successfully configure trust anchors, i.e. Windows DNS isn't really ready for DNSSEC prime time. Thus BIND returns answers to Windows even if DNSSEC validation would have failed.

You can alter these unfortunately configured flags in Windows DNS queries using the command:
dnscmd /config /EnableEDnsProbes 0

The effect of this is to cause the Windows DNS server to send its queries without the OPT pseudo-resource record in the Additional Records section of the query. Thus there is no DO bit set, and as a fortunate side effect, the CD flag in the standard DNS query flags field is cleared as well.

Under these circumstances, BIND will do DNSSEC validation properly as long as you have "dnssec-validation auto;" in the configuration. It will return proper SERVFAIL responses to Windows if DNSSEC validation fails.

See "Dnscmd" at http://technet.microsoft.com/en-us/library/cc772069(WS.10).aspx for further details.

Hope this is relevant and helpful. Jeff.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
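A way to check what a forwarder is actually sending, as an added example that is not part of this thread and not ISC or Microsoft code: a small standard-library Python script that builds DNS queries with and without the CD flag and the EDNS OPT record, and an inspector that reports whether a raw query carries CD=1 or DO=1, the combination Jeff describes the Windows 2008 R2 forwarder sending. The transaction id, the 4096-byte EDNS payload size and the two sample queries are constructed values; the same inspect_query function can be pointed at query payloads pulled out of a packet capture taken on the BIND resolver to confirm which of the two behaviours a forwarder shows before and after the dnscmd change.

```python
import struct

# DNS header flag bits (RFC 1035 / RFC 4035)
DNS_FLAG_RD = 0x0100   # Recursion Desired
DNS_FLAG_AD = 0x0020   # Authenticated Data
DNS_FLAG_CD = 0x0010   # Checking Disabled: asks a validating resolver not to validate
TYPE_OPT = 41          # EDNS(0) OPT pseudo-RR (RFC 6891)
EDNS_DO = 0x8000       # DNSSEC OK bit in the OPT "TTL" field (RFC 3225)


def encode_name(name):
    """Encode a dotted name as uncompressed DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=1, cd=False, edns_do=None, txid=0x1234):
    """Build a minimal recursive query (constructed bytes for this example).

    cd      -> set the CD flag in the header
    edns_do -> None: no OPT record at all; True/False: OPT with DO set/clear
    """
    flags = DNS_FLAG_RD | (DNS_FLAG_CD if cd else 0)
    arcount = 0 if edns_do is None else 1
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    if edns_do is not None:
        # OPT RR: root name, type 41, class = UDP payload size,
        # TTL field = extended RCODE / version / flags (DO is the top flag bit)
        opt_ttl = EDNS_DO if edns_do else 0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, opt_ttl, 0)
    return msg


def skip_name(msg, off):
    """Return the offset just past the name at off (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def inspect_query(msg):
    """Report the DNSSEC-relevant bits of a raw DNS message."""
    _txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    info = {"cd": bool(flags & DNS_FLAG_CD),
            "ad": bool(flags & DNS_FLAG_AD),
            "edns": False, "do": False}
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            info["edns"] = True
            info["do"] = bool(ttl & EDNS_DO)
    return info


def validation_bypassed(info):
    """True when a validating resolver receiving this query answers without validating.

    CD=1 means the client takes responsibility for validation; a client that
    cannot validate (as described for Windows 2008 R2 in the thread) therefore
    receives unvalidated answers instead of SERVFAIL.
    """
    return info["cd"]


if __name__ == "__main__":
    # Constructed samples modelling the two forwarder behaviours discussed above.
    windows_default = build_query("chaseprod.local", cd=True, edns_do=True)
    after_dnscmd = build_query("chaseprod.local", cd=False, edns_do=None)
    for label, q in (("default forwarder query", windows_default),
                     ("after EnableEDnsProbes 0", after_dnscmd)):
        info = inspect_query(q)
        print(f"{label}: {info} -> validation bypassed: {validation_bypassed(info)}")
```

The check that matters for the resolver side is the CD flag alone: the DO bit only asks for DNSSEC records in the answer, whereas CD=1 is what makes BIND hand back data it would otherwise refuse with SERVFAIL.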


-----Original Message-----
From: bind-users-bounces+spainj=countryday.net at lists.isc.org [mailto:bind-users-bounces+spainj=countryday.net at lists.isc.org] On Behalf Of Lyle Giese
Sent: Tuesday, September 06, 2011 9:56 AM
To: bind-users at isc.org
Subject: Bug in Bind 9.8 or am I doing something wrong?

I was following Mark Andrews' discussion with a user about DNSSEC and 
played with it here and found an issue.  Not sure if I am doing 
something wrong or if there is a bug somewhere.

We have a Windows AD domain and use Bind 9.8 on our Linux servers for 
most DNS resolution.  In order to politely setup things, I forwarded the 
queries for AD zones to the Windows server:

zone "chaseprod.local" {
	type forward;
	forwarders { 10.0.100.205; };
};

This seemed to work until I added some stuff for DNSSEC to my named.conf.

In the global option section, I have:

	dnssec-enable yes;
	dnssec-validation auto;
	dnssec-lookaside auto;

And as a general option, I added:

include "/etc/bind.keys";

Under Bind 9.8.0-P4 and Bind 9.8.1 (compiled from source with no special 
options under SLES 10), resolution of a valid record in the forwarded 
zone fails when I add the above dnssec options:
