DNSSEC and forwarding

Mark Andrews marka at isc.org
Thu Apr 14 03:26:05 UTC 2022



> On 14 Apr 2022, at 01:02, Duchscher, Dave J via bind-users <bind-users at lists.isc.org> wrote:
> 
> 
>> On Apr 13, 2022, at 12:00 AM, Grant Taylor via bind-users <bind-users at lists.isc.org> wrote:
>> 
>> On 4/12/22 7:18 PM, Duchscher, Dave J via bind-users wrote:
>>> We are dropping this configuration and looking at doing something else.
>> 
>> I'm sorry to hear that.
>> 
>>> We have had intermittent issues with Slack, Microsoft, and a growing 
>>> list of domains. Even have one that consistently fails.
>> 
>> Are you able to share any specific details / examples so that others can
>> see an example of what to look out for?
> 
> Sure.
> 
> Just to be clear, the setup looks like this:
> 
>  Internal DNS --> DMZ DNS Cache -> World
> 
> Internal DNS is forward only.  Only internal DNS allowed on the DNS
> cache systems.  DNSSEC validation can be enabled or disabled on the
> cache systems since named always sets the check disabled flag when
> forwarding. This also means that you can't forward to an upstream
> DNS system and have it do the DNSSEC validation. Wish there was a
> way to turn this off or if it would only set the check disabled
> flag when DNSSEC validation is enabled.
> 
> Failure mode is that everything looks to work and then a domain
> will stop resolving.  Sometimes we get timeouts, sometimes SERVFAIL,
> and other times NXDOMAIN.
> 
> On a test setup with fresh restart, these domains always fail.
> 
>    cybr.club

This, at least in part, is because cybr.club returns a CNAME for
cybr.club/DS.  Both DS and CNAME should not exist at the top of a zone.

% dig cybr.club ds @dns2.registrar-servers.com

; <<>> DiG 9.17.22 <<>> cybr.club ds @dns2.registrar-servers.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10964
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;cybr.club.			IN	DS

;; ANSWER SECTION:
cybr.club.		1799	IN	CNAME	d2vd625ao8btyl.cloudfront.net.

;; Query time: 27 msec
;; SERVER: 156.154.133.200#53(dns2.registrar-servers.com) (UDP)
;; WHEN: Thu Apr 14 12:59:10 AEST 2022
;; MSG SIZE  rcvd: 81

%

Part also because named doesn’t retry on validation failure with CD=0 and
we haven’t done enough real life testing involving forwarders.

Returning a CNAME to a DS query is fine except when the QNAME is the apex of
a zone, which makes detecting this sort of breakage hard.

The simplest fix is to not send CD=1 queries unless the client requests it.

diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index c8724f68ba..6b7a95178b 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -2433,29 +2433,12 @@ resquery_send(resquery_t *query) {
        }
 
        /*
-        * Set CD if the client says not to validate, or if the
-        * question is under a secure entry point and this is a
-        * recursive/forward query -- unless the client said not to.
+        * Set CD if the client says not to validate.
         */
        if ((query->options & DNS_FETCHOPT_NOCDFLAG) != 0) {
                /* Do nothing */
        } else if ((query->options & DNS_FETCHOPT_NOVALIDATE) != 0) {
                fctx->qmessage->flags |= DNS_MESSAGEFLAG_CD;
-       } else if (res->view->enablevalidation &&
-                  ((fctx->qmessage->flags & DNS_MESSAGEFLAG_RD) != 0))
-       {
-               bool checknta = ((query->options & DNS_FETCHOPT_NONTA) == 0);
-               bool ntacovered = false;
-               result = issecuredomain(res->view, fctx->name, fctx->type,
-                                       isc_time_seconds(&query->start),
-                                       checknta, &ntacovered, &secure_domain);
-               if (result != ISC_R_SUCCESS) {
-                       secure_domain = false;
-               }
-               if (secure_domain ||
-                   (ISFORWARDER(query->addrinfo) && ntacovered)) {
-                       fctx->qmessage->flags |= DNS_MESSAGEFLAG_CD;
-               }
        }
 
        /*
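Review bot: with the secure-domain branch deleted, the remaining chain `if (NOCDFLAG) { /* Do nothing */ } else if (NOVALIDATE) { set CD }` has only two arms and reads more clearly as one condition, e.g. `if ((query->options & (DNS_FETCHOPT_NOCDFLAG | DNS_FETCHOPT_NOVALIDATE)) == DNS_FETCHOPT_NOVALIDATE)`. Also confirm that `secure_domain` and `result`, whose only assignments within this hunk were in the removed lines, are still used elsewhere in resquery_send() so the build stays warning-free, and that `issecuredomain()` and `ISFORWARDER` keep other callers. The shortened comment could record the behavioural change the surrounding message describes: recursive/forward queries under a secure entry point now go out with CD=0, so the upstream forwarder's own validation applies to them rather than being bypassed.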

Note that just saying something is broken without giving details actually makes it
next to impossible to diagnose what is going wrong.  This email was the first
message where you specified failing names.

>    am-explorer.com
>    simutext.com
>    simutext2.com
> 
> These domains fail randomly and we have not been able to produce
> the failure.
> 
>    a.slack-edge.com
>    portal.azure.com
>    rex-sftp.bncollege.com
> 
> There is also our teams and sharepoint domains but rather not put
> them here.
> 
> I hope this helps. Needless to say, it has been a frustrating
> situation.
> --
> Dave
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
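As an added example (not part of the message above and not BIND code), a small Python check that parses a DNS reply to a DS query and flags the case the dig output shows: an authoritative answer whose CNAME is owned by the QNAME itself, i.e. a CNAME at the child's apex clashing with the parent's DS. The sample reply is constructed to mirror the dig output (same id, flags, question, CNAME target and TTL); the OPT record is omitted, which is why it is 70 bytes rather than the 81 dig received.

```python
import struct

TYPE_CNAME, TYPE_DS = 5, 43

def encode_name(name):
    """Encode a dotted name as uncompressed DNS wire-format labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # compression pointer (RFC 1035 4.1.4)
            end = end if end is not None else off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels).lower() + ".", end if end is not None else off

def constructed_response(with_cname=True):
    """Constructed reply mirroring the dig output: id 10964, flags qr aa rd, cybr.club/DS."""
    hdr = struct.pack(">HHHHHH", 10964, 0x8500, 1, 1 if with_cname else 0, 0, 0)
    msg = hdr + encode_name("cybr.club") + struct.pack(">HH", TYPE_DS, 1)
    if with_cname:                                 # the broken apex CNAME seen above
        target = encode_name("d2vd625ao8btyl.cloudfront.net")
        msg += struct.pack(">H", 0xC00C)           # owner: pointer to QNAME at offset 12
        msg += struct.pack(">HHIH", TYPE_CNAME, 1, 1799, len(target)) + target
    return msg                                     # with_cname=False: a clean NODATA reply

def cname_at_apex_for_ds(msg):
    """True when an authoritative (AA) reply to a DS query carries a CNAME owned by the QNAME."""
    _id, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    qname, off = read_name(msg, 12)
    qtype, _qclass = struct.unpack(">HH", msg[off:off + 4])
    off += 4
    if qtype != TYPE_DS or not flags & 0x0400:     # not a DS question, or AA bit clear
        return False
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_CNAME and owner == qname:
            return True
    return False
```

Run against a real capture, the same check can be pointed at a delegation's child nameservers before a DS is published, so the clash is caught at the parent's side rather than as intermittent SERVFAILs at a validating resolver.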