rbldnsd and DNSSEC compatibility issues - any suggestions?

Rob McEwen rob at invaluement.com
Thu Sep 10 15:56:07 UTC 2020


I manage an anti-spam DNSBL and I've been running into an issue in 
recent years - that I'm FINALLY getting around to asking about. I just 
joined this list to ask this question. Also, I checked the archives, but 
couldn't find an answer - at least, not one I understood.

So basically, while most of our users do direct queries and don't have 
this issue - some of our larger subscribers RSYNC the rbldnsd-formatted 
files, and then they typically run rbldnsd on the same server as their 
BIND server that is answering their DNSBL queries. Then, their 
invaluement zone names will all end with "invaluement.local". Typically, 
their RBLDNSD server is set up to listen on 127.0.0.2 - and then they 
use BIND for answering their DNSBL queries, and so they tell BIND to get 
its answers for THOSE invaluement dnsbl queries by doing a DNS 
forwarder, telling bind to get the answers for THOSE zones from 
127.0.0.2 - as shown below:

zone "invaluement.local" in {
   type forward;
   forward only;
   forwarders { 127.0.0.2; };
};

This works perfectly - so long as DNSSEC is turned off. And since most 
of our subscribers are running a dedicated instance of BIND that is ONLY 
used for DNSBL queries, they don't mind turning DNSSEC off.

But, occasionally, we have a customer who cannot turn DNSSEC off. So I 
was hoping that THIS command would work:

dnssec-must-be-secure "invaluement.local" no;

But it doesn't seem to be helping at all. Is that command supposed to 
disable DNSSEC checking for a particular zone? If yes, what did I do 
wrong? If not, what /does/ "dnssec-must-be-secure" set to "no" do?

I've heard that there is NOT a way to get this to work - and that such 
subscribers must use DNS Delegation, instead. But I really wish this 
could be done by simply turning off DNSSEC for a /particular/ zone. That 
could be useful for MANY various types of internal zones that need this. 
But if this is the case, how would that DNS Delegation look, to get the 
above forwarding example to work using delegation instead?

Thanks in advance for your help!

-- Rob McEwen, invaluement
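The following named.conf fragment is an added example, not part of the original post and not anything the invaluement project ships. It shows the per-name validation switch that BIND 9.16 and later actually provide for this situation: "validate-except" lists names at and beneath which DNSSEC validation is skipped, while validation stays on for every other name the resolver handles. "dnssec-must-be-secure ... no" does not do that; set to "no" it only means normal validation applies (insecure answers are accepted where the chain of trust proves them insecure), which is the default behaviour anyway, so it does not help with a forward zone under a name that does not exist in the signed root. The zone name "invaluement.local" and the rbldnsd listener 127.0.0.2 are taken from the post; the "directory" path, the static-stub alternative and everything else are assumptions about the subscriber's layout.

```conf
# Added example (not from the original post or the invaluement project).
# Validating BIND 9.16+ resolver that forwards the rbldnsd zone to the
# local rbldnsd listener while disabling DNSSEC validation only for names
# at and below "invaluement.local".

options {
    directory "/var/cache/bind";    # assumption: Debian-style layout
    recursion yes;

    # Validation stays enabled for everything else the resolver answers.
    dnssec-validation auto;

    # Per-name validation exemption (BIND 9.16+). This is the option that
    # stops SERVFAIL for the forwarded zone; dnssec-must-be-secure "no"
    # only restores normal validation and does not exempt the name.
    validate-except { "invaluement.local"; };
};

# The forwarding setup from the post, unchanged: BIND sends queries for
# this name to rbldnsd on 127.0.0.2 and returns whatever it answers.
zone "invaluement.local" in {
    type forward;
    forward only;
    forwarders { 127.0.0.2; };
};

# Alternative (assumption, commented out): a static-stub zone tells BIND
# to treat 127.0.0.2 as the authoritative server for the name instead of
# forwarding. Answers obtained this way are still validated, so the
# validate-except entry above is needed with this variant as well.
#
# zone "invaluement.local" in {
#     type static-stub;
#     server-addresses { 127.0.0.2; };
# };
```

Check the syntax with `named-checkconf` before reloading, then query a name you know is present in the rsynced rbldnsd data through BIND (for example `dig @127.0.0.1 <listed-entry>.invaluement.local A`) and compare it with the same query sent directly to 127.0.0.2 with `dig @127.0.0.2`. With the exemption in place both return the same NOERROR answer; without it the query through BIND returns SERVFAIL, and `dig +cd` (checking disabled) against BIND succeeding while the plain query fails is the tell-tale sign that validation, not forwarding, is what is breaking the lookup.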
