BIND chasing DNSKEY breaks island-of-trust zone

Daniel Stirnimann daniel.stirnimann at switch.ch
Mon Oct 22 09:25:19 UTC 2018


Hello all,

A DNSSEC-validating BIND resolver could not resolve cdn.ckeditor.com.
Meanwhile the zone owner "fixed" the problem and the domain name can be
resolved again. However, I wonder if BIND should do better for an
island-of-trust zone.

BIND resolver:

(1) ask upstream com. servers for cdn.ckeditor.com. A
    receive delegation NSset and NSEC3 proof that this is an
    insecure delegation

(2) ask 216.87.155.33 (dns1.registrar-servers.com) for
    cdn.ckeditor.com. A
    receive CNAME to d3vxtqk803u6i6.cloudfront.net. and RRSIG

;; ANSWER SECTION:
cdn.ckeditor.com.	3600	IN	CNAME	d3vxtqk803u6i6.cloudfront.net.
cdn.ckeditor.com.	3600	IN	RRSIG	CNAME 13 3 3600 20181025000000
20181004000000 65395 ckeditor.com.
vobyFapYElhr25pc0gCuCvB6vf4bEMvmQA5IaWeZQ25dfp5qv0LqyLAf
Man+ukIrEKw7qtDWrJF1JXM9vXFeow==

(3) ask 216.87.155.33 (dns1.registrar-servers.com) for
    ckeditor.com. DNSKEY
    receive CNAME to d3vxtqk803u6i6.cloudfront.net. and RRSIG.
    Invalid answer. BIND returns SERVFAIL to client and logs:

lame-servers: info: broken trust chain resolving
'cdn.ckeditor.com/A/IN': 216.87.155.33#53


The main problem is that ckeditor.com. has a CNAME at zone apex.
However, what triggered this error is in fact that cdn.ckeditor.com.
contained an RRSIG which BIND tried to validate. Meanwhile the zone
owner disabled DNSSEC which prevents BIND from chasing the DNSKEY and
the domain name resolves again. However, I'm wondering if BIND should
not SERVFAIL for an island-of-trust zone when it cannot chase the
DNSKEY. Is this something to improve upon?

Daniel


More information about the bind-users mailing list
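The following is an added example and not part of the post or of BIND's code: a small Python model of the three-step exchange Daniel describes, built from the RRSIG quoted in the mail. It parses the RRSIG presentation format, shows that the signer field is what makes the validator go and ask ckeditor.com. for its DNSKEY (step 3), sanity-checks the signature length against algorithm 13, and then classifies the answer under two policies: the RFC 4035 section 4.3 rule (a proof of no DS at the parent makes the delegation Insecure, whatever the child signs) and a hypothetical "chase the unanchored DNSKEY anyway" policy that returns Bogus when the DNSKEY query comes back with something other than a DNSKEY RRset. The second policy is only a model of the externally observed SERVFAIL, not a description of BIND's internals; the `Observation` fields and the policy names are the example's own.

```python
# Added example (not from the original post or from BIND): a model of what a
# validating resolver sees in the exchange above, using the RRSIG from the mail.
import base64
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# RRSIG RDATA exactly as quoted in the post (presentation format); the base64
# signature was printed across two lines and is joined here.
CDN_RRSIG_RDATA = (
    "CNAME 13 3 3600 20181025000000 20181004000000 65395 ckeditor.com. "
    "vobyFapYElhr25pc0gCuCvB6vf4bEMvmQA5IaWeZQ25dfp5qv0LqyLAf"
    "Man+ukIrEKw7qtDWrJF1JXM9vXFeow=="
)

# Fixed signature sizes in octets for the ECDSA/EdDSA DNSSEC algorithms
# (RFC 6605 for 13/14, RFC 8080 for 15).
SIG_LEN_BY_ALG = {13: 64, 14: 96, 15: 64}


@dataclass
class RRSIG:
    type_covered: str
    algorithm: int
    labels: int
    original_ttl: int
    expiration: str
    inception: str
    key_tag: int
    signer: str
    signature: bytes


def parse_rrsig(rdata: str) -> RRSIG:
    """Parse presentation-format RRSIG RDATA (RFC 4034 section 3.2)."""
    f = rdata.split()
    return RRSIG(
        type_covered=f[0], algorithm=int(f[1]), labels=int(f[2]),
        original_ttl=int(f[3]), expiration=f[4], inception=f[5],
        key_tag=int(f[6]), signer=f[7].lower(),
        signature=base64.b64decode("".join(f[8:])),
    )


def dnskey_to_chase(sig: RRSIG) -> str:
    """The signer field names the zone whose DNSKEY RRset must verify the RRSIG;
    that is the query the resolver issues in step (3) of the post."""
    return sig.signer


def label_count(name: str) -> int:
    return len([l for l in name.rstrip(".").split(".") if l])


def is_wildcard_expansion(owner: str, sig: RRSIG) -> bool:
    """RFC 4035 section 5.3.1: fewer labels than the owner name means wildcard synthesis."""
    return sig.labels < label_count(owner)


def signature_length_ok(sig: RRSIG) -> bool:
    """Cheap check before any cryptography: fixed-size algorithms must match."""
    expected = SIG_LEN_BY_ALG.get(sig.algorithm)
    return expected is None or len(sig.signature) == expected


class Status(Enum):
    SECURE = "secure"      # unreachable here: no trust anchor covers an island of trust
    INSECURE = "insecure"
    BOGUS = "bogus"        # a validating resolver answers SERVFAIL for Bogus data


@dataclass
class Observation:                      # field names are the example's own
    parent_proves_no_ds: bool           # step (1): NSEC3 proof of an insecure delegation
    answer_rrsig: Optional[RRSIG]       # step (2): RRSIG on the answer, if any
    dnskey_answer_rrtype: Optional[str]  # step (3): rrtype returned for <signer> DNSKEY


def classify(obs: Observation, chase_unanchored_dnskey: bool) -> Status:
    """RFC 4035 section 4.3 classification of the insecure-delegation case.
    With chase_unanchored_dnskey=True the model instead fetches the island's
    DNSKEY and fails as Bogus when the reply is not a DNSKEY RRset."""
    if not obs.parent_proves_no_ds:
        raise NotImplementedError("only the proven-insecure delegation is modelled")
    if obs.answer_rrsig is None or not chase_unanchored_dnskey:
        return Status.INSECURE          # no DS at the parent: the subtree is Insecure
    if obs.dnskey_answer_rrtype != "DNSKEY":
        return Status.BOGUS             # keys unreachable (a CNAME came back in the post)
    return Status.INSECURE              # keys fetched, but no trust anchor reaches them


def ckeditor_case(dnskey_answer_rrtype: Optional[str] = "CNAME"):
    """The exchange from the post; the argument is what the DNSKEY query returned."""
    sig = parse_rrsig(CDN_RRSIG_RDATA)
    obs = Observation(True, sig, dnskey_answer_rrtype)
    return {
        "chase": dnskey_to_chase(sig),
        "chase_policy": classify(obs, chase_unanchored_dnskey=True),
        "rfc4035_policy": classify(obs, chase_unanchored_dnskey=False),
    }


if __name__ == "__main__":
    sig = parse_rrsig(CDN_RRSIG_RDATA)
    print("DNSKEY to chase:", dnskey_to_chase(sig), "key tag", sig.key_tag)
    print("wildcard:", is_wildcard_expansion("cdn.ckeditor.com.", sig),
          "signature length ok:", signature_length_ok(sig))
    for policy, result in ckeditor_case().items():
        print(policy, "->", result.value if isinstance(result, Status) else result)
```

Run stand-alone it prints `ckeditor.com.` as the zone to chase, confirms the 64-octet signature matches algorithm 13 and that the answer is not a wildcard expansion, and then shows the two outcomes side by side: the chase policy yields Bogus (the SERVFAIL and "broken trust chain" log line from the post), while the RFC 4035 classification yields Insecure because the parent already proved there is no DS. Once the zone owner stopped signing, `answer_rrsig` is `None` and both policies agree on Insecure, which is why the name resolved again.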