BIND 9.18.2 break-dnssec question

Mon May 2 02:28:30 UTC 2022

On 2022-04-29 01:18, Mark Andrews wrote:

> break-dnssec is about if the client could detect the re-write or not using DNSSEC.  If the client has DO=1 in the request and the normal response is signed then rewrites can be detected. If break-dnssec is ’no’ the rewrite will be prevented.  If break-dnssec is ‘yes’ then the rewrite will occur.
> 
> 
> the world <-> recursive server rpz w/ break-dnssec no <-> recursive server rpz w/ break-dnssec no or yes;
>                              |                                            |
>                        non dnssec client                            non dnssec client
> 
> You don’t want the second recursive server to spend all its time re-asking queries that will fail validation
> 
>> On 29 Apr 2022, at 11:24, J Doe <general at nativemethods.com> wrote:
>>
>> Hi,
>>
>> I am configuring an RPZ for a validating resolver.  I read in the BIND 9.18.2 ARM that there is a boolean option for RPZ zones called: break-dnssec.
>>
>> The ARM states:
>>
>>     ...In that case, RPZ actions are applied regardless of DNSSEC.
>>     The name of the clause option reflects the fact that results
>>     rewritten by RPZ actions cannot verify.
>>
>> In my particular scenario, I want to use RPZ to give NXDOMAIN results for certain domain names that I don't want accessible.  So for normal queries without DNSSEC validation requested and for queries with DNSSEC validation requested for a domain name I am _not_ blocking, I want the lookups to work (ie: don't validate when validation not requested, validate when validation requested).
>>
>> When a client attempts to lookup a domain name that _is_ blocked by RPZ, I want the domain name blocked ... whether or not they requested DNSSEC validation.
>>
>> Am I correct that: break-dnssec yes comes into play only if a client attempts to resolve a DNSSEC secured domain name I _am_ blocking in RPZ ?
>>
>> So for instance...
>>
>> 1. Client requests no validation for example.com which is not in RPZ and gets normal result.
>>
>> 2. Client requests validation for example.com which is not in RPZ and gets validated result.
>>
>> 3. Client requests no validation for evil.com which is in RPZ and gets NXDOMAIN result.
>>
>> 4. Client requests validation for evil.com which is in RPZ and gets NXDOMAIN result with broken DNSSEC validation due to rewrite.
>>
>> This would mean that: break-dnssec yes:
>>
>> ...only breaks DNSSEC validation for evil.com because it is re-written
>> ...does NOT break DNSSEC validation for sites _NOT_ in RPZ that use DNSSEC (ie: ietf.org).
>>
>> Is that correct ?
>>
>> Thanks,
>>
>> - J

Hi Mark,

Thanks for your reply!  I think I might have done a poor job asking my 
questions, which may have introduced some confusion - apologies.  My 
brain is still chewing on this!

In this particular scenario, I have one validating resolver.  The 
diagram would be:

Client (PC, mail server, etc.) -> My resolver -> The world

What I was wondering is if I configure my validating resolver to use: 
break-dnssec yes, does that mean that DNSSEC validation is broken for 
_ALL_ queries ?

I am thinking that this applies only when a client computer queries my 
validating resolver and wants to know if DNSSEC is valid on a query that 
my resolver has changed via RPZ.  Because RPZ modified the data it can 
no longer validate.

So the client queries my resolver for DNSSEC validity for a server that 
is _NOT_ covered by my RPZ policy ... validation should _NOT_ break in 
that circumstance, right ?

Thanks,

- J