Value of a DNSSEC validating resolver
Petr Menšík
pemensik at redhat.com
Fri Feb 9 10:40:10 UTC 2024
Hello Mark,
allow me here to correct your statement. We spent in Red Hat some time
thinking and testing validating clients. Validating resolver is *not*
necessary for validating clients to work. They are better and
recommended, but not always necessary.
What is required is dnssec (security) awareness. Meaning that resolver
will fetch signatures for all queries with do=1 bit set. For example
even dnsmasq in default configuration will forward DNSSEC signatures to
all DNSSEC enabled queries. Also in cases dnssec validation is not
enabled in it. It is not strictly required fetching them for do=0 queries.
For example our office resolvers do not have validation enabled. But
they allow any clients using dnssec-trigger to validate all queries
themselves. And that works for majority of existing DNS caches.
What is required from bind9 is to have dnssec-enabled yes; That was
default even in 9.11 and this is the last version, where it is possible
to change it to dnssec-enabled no; Since 9.16 it is not possible to
configure it that way. In this case any validating client, be it end
station or dns forwarder, will fail all queries sent to it. Clients can
validate regardless dnssec-validation value is used, but they need do=1
answers to their do=1 queries.
Following chain of forwarders will still deliver non-bogus answers only.
fwd means forwarder only, not using root hints.
[root-servers]---[non-validating iterative]----[non-validating
fwd]---[validating fwd]--->(secure or unsigned answers only)
Validating client can refuse answer to dnssec-failed.org, even if the
recursive forwarder it is using did not check its validity. If it sends
you do=1 enabled answers, that is enough. You have to compute your own
SERVFAIL result, which validating upstream forwarder could have sent you
straight away. That that is the beauty of DNSSEC. Not everyone in the
chain needs to be doing crypto operations. But everyone in the chain
can, as long as crypto records are included.
delv +vtrace or unbound-host -rvD commands work even on non-validating,
but security aware resolvers.
And to answer original question. You store in cache only valuable
records, not bogus garbage. Having cache filled also with signatures
makes validation of your clients much faster, just RTT between you is
used, even when they validate.
Regards,
Petr
On 12/1/23 22:40, Mark Andrews wrote:
> A validating resolver is a prerequisite for validating clients to
> work. Clients don’t have direct access to the authoritative servers so
> the can’t retrieve good answers if the recursive servers don’t filter
> out the bad answers.
>
> Think of a recursive server as a town water treatment plant. You could
> filter and treat at every house and sometimes you still do like
> boiling water for baby formula but on the most part what you get out
> of it is good enough for consumption as is.
>
> --
> Mark Andrews
>
>> On 2 Dec 2023, at 08:14, John Thurston <john.thurston at alaska.gov> wrote:
>>
>>
>>
>> At first glance, the concept of a validating resolver seemed like a
>> good idea. But in practice, it is turning out to be a hassle.
>>
>> I'm starting to think, "If my clients want their answers validated,
>> they should do it." If they *really* care about the quality of the
>> answers they get, why should my clients be trusting *me* to validate
>> them?
>>
>> Can someone make a good case to me for continuing to perform DNSSEC
>> validation on my central resolvers?
>>
>> --
>> --
>> Do things because you should, not just because you can.
>>
>> John Thurston 907-465-8591
>> John.Thurston at alaska.gov
>> Department of Administration
>> State of Alaska
--
Petr Menšík
Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0x4931CA5B6C9FC5CB.asc
Type: application/pgp-keys
Size: 9736 bytes
Desc: OpenPGP public key
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20240209/800fd00e/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: OpenPGP digital signature
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20240209/800fd00e/attachment.sig>
More information about the bind-users
mailing list