Providing AD flag for authoritative domains

Nick Tait nick at tait.net.nz
Sat Dec 24 09:28:05 UTC 2022


On 23/12/2022 2:30 am, Jesus Cea wrote:
> Is there any way to configure bind to verify DNSSEC integrity and 
> signal the AD flag for authoritative domains? Views (it would lose 
> the AA flag, then)?
>
> What would be the best practice for dnssec verification? To use a 
> fully validating local resolver? Any other choice? I am currently 
> using a local "bind" as a resolver and it works fine for DNSSEC 
> verification, except for my authoritative domains. 

Yes, you can use views to effectively separate the concerns of the 
recursive resolver function from the authoritative server, without 
having to deploy extra servers. For example:

view "resolver" {
    # Match criteria
    match-clients { ... };
    match-recursive-only yes;

    zone "example.com" {
        type static-stub;
        server-addresses { ::1; };
    };

    include "/etc/bind/named.conf.default-zones";
};

view "authority" {
    # View settings
    empty-zones-enable no;
    recursion no;
    allow-recursion { none; };
    rate-limit {
        responses-per-second 5;
        window 5;
    };

    zone "example.com" {
        ...
    };
};

The idea here is that a recursive query (received from an 'internal' 
address covered by the match-clients criteria) will be handled by the 
/resolver/ view, which will use the static-stub zone to query (via 
loopback address) the /authority/ view, which is authoritative for the 
example.com zone. Provided the answer from the /authority/ view is 
DNSSEC signed and the /resolver/ view can successfully validate the 
signature, then the answer returned by the /resolver/ view to the 
original client performing the recursive query includes the AD flag (but 
not the AA flag).

It could actually work without the static-stub zone, but I prefer to 
keep this to stop the /resolver/ view from sending the queries to a 
different (authoritative) server.

Nick.
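A small check script for the outcome described above (AD set but AA clear from the resolver view, AA set but AD clear from the authority view). This is an added example, not part of Nick's post or of BIND; the dig outputs embedded below are constructed samples, and the live_check helper and its dig invocation assume that a query with RD set from ::1 reaches the "resolver" view while a +norecurse query reaches the "authority" view (i.e. ::1 is covered by match-clients).

```shell
#!/bin/sh
# Constructed sample dig output (not real captures) for the two views.
# Resolver view: recursive, validated answer -> AD set, AA clear.
RESOLVER_OUT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
# Authority view: direct authoritative answer -> AA set, AD clear.
AUTHORITY_OUT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

# Print the header flag list ("qr rd ra ad") from dig output read on stdin.
dig_flags() {
    sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1
}

# has_flag OUTPUT FLAG: exit 0 if FLAG is among the header flags.
has_flag() {
    printf '%s\n' "$1" | dig_flags | tr ' ' '\n' | grep -qx "$2"
}

# classify OUTPUT: name the kind of answer the flags indicate.
classify() {
    if has_flag "$1" ad && ! has_flag "$1" aa; then
        echo validated-recursive   # expected from the resolver view
    elif has_flag "$1" aa && ! has_flag "$1" ad; then
        echo authoritative         # expected from the authority view
    elif has_flag "$1" aa && has_flag "$1" ad; then
        echo both                  # not expected with the split-view setup
    else
        echo unvalidated           # no AD: validation failed or zone unsigned
    fi
}

# live_check NAME: query ::1 twice (assumed view selection, see lead-in):
# with RD set to hit the resolver view, with +norecurse to hit authority.
live_check() {
    printf 'resolver view:  %s\n' "$(classify "$(dig @::1 "$1" A +dnssec)")"
    printf 'authority view: %s\n' \
        "$(classify "$(dig @::1 "$1" A +dnssec +norecurse)")"
}
```

Source the script and run `live_check example.com` on the server itself; the first line should read validated-recursive and the second authoritative.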