Hi there! We use PowerDNS Recursor to intercept certain lookups and return values from a database instead. Therefore we use the Lua scripting capability. Now we noticed that requests with DNSSEC lose the set AD flag when a hook in the script of the request is marked as "handled" (by returning "true"). I don't know if this is by design (which I can imagine), or if we are missing something.

Script to reproduce (reduced to the minimum):

    function postresolve(dq)
      print("postresolve called for ",dq.qname:toString())
      local header = dq:getDH()
      print("DNSHeader:getAD(): "..(header:getAD() and "true" or "false"))
      print("Validation state: "..dq.validationState)
      return true
    end

Command to test (with any DNSSEC-enabled domain):

    dig A www.denic.de

Dig result (AD flag is missing):

    ; <<>> DiG 9.11.5-P4-5.1-Debian <<>> A www.denic.de
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32508
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;www.denic.de. IN A

    ;; ANSWER SECTION:
    www.denic.de. 3598 IN A 81.91.170.12

    ;; Query time: 1 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Sat Mar 28 16:21:40 UTC 2020
    ;; MSG SIZE rcvd: 57

Output in system log:

    pdns_recursor[1221]: postresolve called for www.denic.de.
    pdns_recursor[1221]: DNSHeader:getAD(): true
    pdns_recursor[1221]: Validation state: 3 (<-- Secure)

resolv.conf:

    dnssec=process
    lua-dns-script=/etc/powerdns/myscript.lua

However, if we disable the hook in the Lua script (rename method) or return false, we get the AD flag correctly:

    dig A www.denic.de

    ; <<>> DiG 9.11.5-P4-5.1-Debian <<>> A www.denic.de
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10268
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;www.denic.de. IN A

    ;; ANSWER SECTION:
    www.denic.de. 3600 IN A 81.91.170.12

    ;; Query time: 41 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Sat Mar 28 16:22:04 UTC 2020
    ;; MSG SIZE rcvd: 57

I would appreciate any help.

Kind regards,
Simon
_______________________________________________ Pdns-users mailing list Pdns-users@mailman.powerdns.com https://mailman.powerdns.com/mailman/listinfo/pdns-users
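
Added example, not part of the original post or of PowerDNS: a small decoder for the 12-byte DNS header that shows which bit separates the two dig results above. The two header byte strings are constructed from the ids, flags and section counts printed by dig in the post, and the function names are hypothetical.

```python
import struct

# Flag bits of the 16-bit flags word in the DNS header (RFC 1035; AD and CD
# from RFC 4035), listed in the order dig prints them.
FLAG_BITS = [
    ("qr", 0x8000),
    ("aa", 0x0400),
    ("tc", 0x0200),
    ("rd", 0x0100),
    ("ra", 0x0080),
    ("ad", 0x0020),  # Authenticated Data: resolver validated the answer
    ("cd", 0x0010),
]


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte header at the start of a DNS message."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "opcode": (flags >> 11) & 0xF,
        "rcode": flags & 0xF,
        "flags": [name for name, bit in FLAG_BITS if flags & bit],
        "counts": (qd, an, ns, ar),
    }


def flag_diff(a: bytes, b: bytes) -> set:
    """Return the flags that are set in exactly one of the two messages."""
    return set(parse_header(a)["flags"]) ^ set(parse_header(b)["flags"])


# Constructed headers matching the two dig outputs in the post:
# "qr rd ra" is 0x8180, "qr rd ra ad" is 0x81A0.
HANDLED = struct.pack("!6H", 32508, 0x8180, 1, 1, 0, 1)
UNHANDLED = struct.pack("!6H", 10268, 0x81A0, 1, 1, 0, 1)

if __name__ == "__main__":
    for label, msg in (("postresolve returned true", HANDLED),
                       ("postresolve returned false", UNHANDLED)):
        h = parse_header(msg)
        print(f"{label}: id={h['id']} flags={' '.join(h['flags'])}")
    print("differs in:", sorted(flag_diff(HANDLED, UNHANDLED)))
```

The same decoder can be pointed at the first 12 bytes of a captured response to check for the AD bit in a monitoring script.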