l...@consolejunkie.net wrote:
On 2015-04-24 21:35, Michael Ströder wrote:
Michael Ströder wrote:
We're currently testing DNSSEC validation with libunbound 1.5.3 with all
the RRs retrieved through a pdns-recursor (also tested 3.7.2).

It seems that

1. libunbound does not explicitly retrieve the RRSIG RRs and

2. pdns-recursor does not return them when not explicitly requested (qtype ANY).
    (Explicitly requesting RRSIG works.)

=> validation in libunbound fails

Did further testing with python-unbound (thin wrapper module on top
of libunbound) with a simple script almost equal to this:

http://www.unbound.net/documentation/pyunbound/examples/example4.html

Looking at PCAP dumps with Wireshark the requests sent by libunbound
contain the DO bit:

1... .... .... .... = DO bit: Accepts DNSSEC security RRs

It seems to me that unbound and Google's 8.8.8.8 therefore return
RRSIG RRs while pdns-recursor does not.

I have to admit that looking at [1] rather confuses me. ;-)

Sniffing the out-going requests sent by pdns-recursor the DO bit is
missing. Obviously the DNS servers then do not respond with RRSIG RRs.

Ciao, Michael.

[1] http://tools.ietf.org/html/rfc4035#section-3.2.1

It's too bad nobody replied to you yet.

Given my last posting was late in the evening your response is pretty quick. :-)

Let me tell you how it is:

The DO-bit in the request to the recursor means: please include DNSSEC
information.

Yes.

Then if the recursor you are requesting it from does validation and it fails
it will return an error similar to domain not found.

Actually I'm using python-unbound (mainly libunbound) for the validation but would like to use the existing pdns-recursor for simply retrieving the RRs.

But since the DO bit is not forwarded it does not get the RRSIG RRs back and returns the result with validation status "bogus".

http://blog.powerdns.com/2013/09/16/dnssec-validation-for-the-recursor/

If I understand correctly the PowerDNS developers have put in some of the time
to add DNSSEC to their recursor but it isn't done yet.

Already saw this blog article before. I'm looking forward to pdns-recursor 4.x because I like its logging more than that of other recursors.

In the past I've requested from the PowerDNS developers, would it be possible
to at least include the DNSSEC-information so Unbound can do the validation.

I told them you can leave the validation out of PowerDNS-recursor, I care less
about that.

The answer I got was:

The validation is in comparison the easy part, changing the recursor to return
the DNSSEC-information is more work.

Hmm, but if explicitly requested in the query pdns-recursor does actually retrieve the RRSIG RRs.

Wouldn't it be possible to also send the DO bit in the out-going query if the incoming query had it set?

Ciao, Michael.
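The check discussed in this thread (does a query carry the EDNS0 DO bit, and does the answer carry RRSIG RRs) can be made without Wireshark. The following is an added example, not code from the thread, from Unbound or from PowerDNS; it uses only the Python standard library, builds a wire-format query with or without the DO bit, and inspects any captured query or response for the DO flag and the number of RRSIG records. The response it inspects is constructed inline (the RRSIG body is dummy bytes), not a real capture.

```python
import struct

A, OPT, RRSIG = 1, 41, 46
DO_FLAG = 0x8000   # DO bit: top bit of the low 16 bits of the OPT "TTL" field (RFC 3225)

def _name(qname):
    """Encode a dotted name in uncompressed wire form."""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"

def _rr(owner, rtype, rclass, ttl, rdata):
    return owner + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def build_query(qname, qtype, do_bit=True, txid=0x1234):
    """Query with RD set and one EDNS0 OPT record; DO asks the server for RRSIGs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = _name(qname) + struct.pack("!HH", qtype, 1)
    # OPT pseudo-RR: root owner, class carries the UDP payload size, TTL carries DO.
    return header + question + _rr(b"\x00", OPT, 4096, DO_FLAG if do_bit else 0, b"")

def sample_response(with_rrsig, do_bit=True):
    """Constructed (not captured) answer: one A record, optionally one RRSIG, plus OPT."""
    owner = _name("example.net.")
    answers = _rr(b"\xc0\x0c", A, 1, 300, bytes([192, 0, 2, 1]))  # 0xc00c: pointer to qname
    if with_rrsig:
        answers += _rr(b"\xc0\x0c", RRSIG, 1, 300, b"\x00\x01" + bytes(40))  # dummy body
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2 if with_rrsig else 1, 0, 1)
    question = owner + struct.pack("!HH", A, 1)
    return header + question + answers + _rr(b"\x00", OPT, 4096, DO_FLAG if do_bit else 0, b"")

def _skip_name(msg, off):
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += ln + 1

def inspect(msg):
    """Return (do_bit_set, rrsig_count) for any wire-format DNS query or response."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip qtype and qclass
    do_set, rrsigs = False, 0
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        do_set |= (rtype == OPT and bool(ttl & DO_FLAG))
        rrsigs += rtype == RRSIG
    return do_set, rrsigs
```

Feeding `inspect()` the bytes of the recursor's outbound query (e.g. exported from a capture) shows directly whether the DO bit was dropped; feeding it the reply shows whether any RRSIGs came back.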
