Hi Stephane,

On 2/29/20 1:55 PM, Stephane Bortzmeyer via dnsdist wrote:
> I run a DoH and DoT resolver with dnsdist. The backend resolvers
> validate (I can test them with dig and see the AD bit.) But dnsdist
> returns the AD bit to the client only when the client uses the DO
> bit. (Unlike, for instance, Unbound, or Cloudflare's 1.1.1.1, which
> always return AD if the domain validates, regardless of DO.)
>
> Is it on purpose? I don't see why.
>
> RFC 6840 mentions this behavior only for the case when the *client*
> uses the AD bit.
How are you testing exactly? More importantly, do your DoH and DoT queries have the AD or DO bits set? Be careful that recent versions of dig are setting AD=1 by default, but a lot of DoH and DoT clients aren't.

dnsdist itself doesn't set or unset the AD bit unless asked to do so, be it on queries or responses. It does however add an EDNS OPT RR with DO=0 in some cases (EDNS Client Subnet was requested in the configuration or via Lua/rules, for DoH queries in order to advertise support for large answers to the backend) if there was none in the initial query.

Most of the resolvers I know of abide by the rules defined in section 5.8 of rfc6840[1]:

"In order to interoperate with legacy stub resolvers and middleboxes that neither understand nor ignore the AD bit, validating resolvers SHOULD only set the AD bit when a response both meets the conditions listed in Section 3.2.3 of [RFC4035], and the request contained either a set DO bit or a set AD bit."

Therefore they only return AD=1 on validated answers if the query had either AD=1 or DO=1.

If I add the following line to doh-client.py[2], for example, I do get an AD bit from dnsdist over DoH:

    message.flags |= dns.flags.AD

It also works if I set want_dnssec=True on the call to dns.message.make_query(), in order for the initial query to have the DO bit set.

[1]: https://tools.ietf.org/html/rfc6840#section-5.8
[2]: https://www.bortzmeyer.org/files/doh-client.py

Best regards,
-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
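The RFC 6840 section 5.8 rule discussed in the reply, worked through at the wire level as an added example (not dnsdist's code, nor the doh-client.py script linked above). It uses only the Python standard library, builds the two query variants the reply describes (AD=1 in the header, or an EDNS OPT RR with DO=1) plus the DO=0 OPT RR that dnsdist may add on its own, and shows which of them entitle a validating resolver to return AD=1. Query id, qname and the 4096-byte UDP payload size are constructed values; the bit positions follow RFC 1035/4035 for the header and RFC 6891 for the OPT TTL field.

```python
import struct

# Header flags word (RFC 1035 / RFC 4035 section 3.2.3): RD and AD bit positions.
FLAG_RD = 0x0100
FLAG_AD = 0x0020
# DO bit: high bit of the OPT RR's 32-bit TTL field (RFC 6891 section 6.1.4).
EDNS_DO = 0x8000
TYPE_OPT = 41


def encode_name(name):
    """Encode a dotted name as uncompressed wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=1, set_ad=False, want_dnssec=False, edns=False):
    """Build a minimal DNS query (constructed test data, id 0x1234).

    set_ad:      AD=1 in the header, what `message.flags |= dns.flags.AD` does.
    want_dnssec: OPT RR with DO=1, what `want_dnssec=True` does in dnspython.
    edns:        OPT RR with DO=0, like the one dnsdist may add for DoH queries.
    """
    flags = FLAG_RD | (FLAG_AD if set_ad else 0)
    edns = edns or want_dnssec
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 1 if edns else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b""
    if edns:
        ttl = EDNS_DO if want_dnssec else 0
        # OPT RR: root name, type 41, class = UDP payload size, TTL = ext flags, rdlen 0
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, ttl, 0)
    return header + question + opt


def skip_name(wire, off):
    """Return the offset just past the name starting at `off`."""
    while True:
        length = wire[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def query_asks_for_ad(wire):
    """Return (ad_set, do_set) for a query in wire format."""
    _, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", wire, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(wire, off) + 4  # qtype + qclass
    do_set = False
    for _ in range(an + ns + ar):
        off = skip_name(wire, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", wire, off)
        if rtype == TYPE_OPT and ttl & EDNS_DO:
            do_set = True
        off += 10 + rdlen
    return bool(flags & FLAG_AD), do_set


def response_ad_flag(query_wire, validated):
    """RFC 6840 section 5.8: AD=1 only if the answer validated AND the query had AD=1 or DO=1."""
    ad, do = query_asks_for_ad(query_wire)
    return validated and (ad or do)


if __name__ == "__main__":
    for desc, q in [
        ("plain query", build_query("example.com.")),
        ("DO=0 OPT only", build_query("example.com.", edns=True)),
        ("AD=1 in header", build_query("example.com.", set_ad=True)),
        ("DO=1 in OPT", build_query("example.com.", want_dnssec=True)),
    ]:
        print(f"{desc:15s} -> resolver returns AD={int(response_ad_flag(q, True))}")
```

The third and fourth cases are the two fixes from the reply; the second shows why an OPT RR that dnsdist adds with DO=0 does not by itself change what a resolver following section 5.8 returns.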
