> On 2 May 2022, at 12:28, J Doe <gene...@nativemethods.com> wrote: > > On 2022-04-29 01:18, Mark Andrews wrote: > >> break-dnssec is about if the client could detect the re-write or not using >> DNSSEC. If the client has DO=1 in the request and the normal response is >> signed then rewrites can be detected. If break-dnssec is ’no’ the rewrite >> will be prevented. If break-dnssec is ‘yes’ then the rewrite will occur. >> the world <-> recursive server rpz w/ break-dnssec no <-> recursive server >> rpz w/ break-dnssec no or yes; >> | | >> non dnssec client non >> dnssec client >> You don’t want the second recursive server to spend all its time re-asking >> queries that will fail validation >>> On 29 Apr 2022, at 11:24, J Doe <gene...@nativemethods.com> wrote: >>> >>> Hi, >>> >>> I am configuring an RPZ for a validating resolver. I read in the BIND >>> 9.18.2 ARM that there is a boolean option for RPZ zones called: >>> break-dnssec. >>> >>> The ARM states: >>> >>> ...In that case, RPZ actions are applied regardless of DNSSEC. >>> The name of the clause option reflects the fact that results >>> rewritten by RPZ actions cannot verify. >>> >>> In my particular scenario, I want to use RPZ to give NXDOMAIN results for >>> certain domain names that I don't want accessible. So for normal queries >>> without DNSSEC validation requested and for queries with DNSSEC validation >>> requested for a domain name I am _not_ blocking, I want the lookups to work >>> (ie: don't validate when validation not requested, validate when validation >>> requested). >>> >>> When a client attempts to lookup a domain name that _is_ blocked by RPZ, I >>> want the domain name blocked ... whether or not they requested DNSSEC >>> validation. >>> >>> Am I correct that: break-dnssec yes comes into play only if a client >>> attempts to resolve a DNSSEC secured domain name I _am_ blocking in RPZ ? >>> >>> So for instance... >>> >>> 1. Client requests no validation for example.com which is not in RPZ and >>> gets normal result. >>> >>> 2. Client requests validation for example.com which is not in RPZ and gets >>> validated result. >>> >>> 3. Client requests no validation for evil.com which is in RPZ and gets >>> NXDOMAIN result. >>> >>> 4. Client requests validation for evil.com which is in RPZ and gets >>> NXDOMAIN result with broken DNSSEC validation due to rewrite. >>> >>> This would mean that: break-dnssec yes: >>> >>> ...only breaks DNSSEC validation for evil.com because it is re-written >>> ...does NOT break DNSSEC validation for sites _NOT_ in RPZ that use DNSSEC >>> (ie: ietf.org). >>> >>> Is that correct ? >>> >>> Thanks, >>> >>> - J > > Hi Mark, > > Thanks for your reply! I think I might have done a poor job asking my > questions, which may have introduced some confusion - apologies. My brain is > still chewing on this! > > In this particular scenario, I have one validating resolver. The diagram > would be: > > Client (PC, mail server, etc.) -> My resolver -> The world > > What I was wondering is if I configure my validating resolver to use: > break-dnssec yes, does that mean that DNSSEC validation is broken for _ALL_ > queries ?
No. Just those that are changed and which where signed and the client asks with DO=1 in the EDNS flags. > I am thinking that this applies only when a client computer queries my > validating resolver and wants to know if DNSSEC is valid on a query that my > resolver has changed via RPZ. Because RPZ modified the data it can no longer > validate. > > So the client queries my resolver for DNSSEC validity for a server that is > _NOT_ covered by my RPZ policy ... validation should _NOT_ break in that > circumstance, right ? yes. > Thanks, > > - J -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
