Re: [Pdns-users] pdns-recursor 4.0.0~alpha3-1 - no DNSSEC answer?
Hi Leen,

On Fri, 20 May 2016 10:08:51 +0200 l...@consolejunkie.net wrote:
> I've been wondering about this, I haven't tried the new recursor yet.
> So to make it more clear:
> If you enable DNSSEC-processing of the recursor and nothing is cached
> and you request something without DO-bit set does it do
> DNSSEC-processing or not ?

In process-mode, the recursor always sends out queries with the DO-bit set
(so this data is in the cache) and strips DNSSEC records in the reply to the
client when the client does not set the DO-bit. And if the client does not
set the AD-bit it will not validate, so it might return bogus data in process
mode. In validation mode, it will return SERVFAIL for bogus data, even when
the client does not ask for validation.

--
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] pdns-recursor 4.0.0~alpha3-1 - no DNSSEC answer?
Hi Leen and Michael,

On Fri, 20 May 2016 09:31:31 +0200 Leen Besselink wrote:
> I forgot to mention, when you query a recursor, the recursor can also
> indicate that the response is DNSSEC-validated, you need to look at the
> AD-bit.

For completeness, the recursor follows RFC 6840[1] §5.7 pretty strictly (in
a DNSSEC mode). This means that a +AD bit in the query will trigger
validation in process mode. When the AD bit is not set in the query, the
recursor will not answer with the AD bit set, even when the data is validated
(in validation mode).

The DO bit in the query is interpreted as 'give me DNSSEC records', this
means that the recursor will return NSEC(3) and RRSIG records in the
response. But if there is no AD bit set, no validation will take place.

Best regards,

Pieter

1 - https://tools.ietf.org/html/rfc6840

--
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com
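As an added example (not PowerDNS code and not written by anyone in this thread), the DO/AD handling Pieter describes above is written out as a small Python model, together with a parser for the `flags:` and `EDNS:` header lines of dig output that Leen says to inspect. Assumptions: that a bogus answer is SERVFAILed in process mode once the client's AD bit has triggered validation (the thread only states this explicitly for validate mode), and the two dig header samples are constructed.

```python
import re

# Added example, not PowerDNS code: a model of the DO/AD handling Pieter
# describes for recursor 4.0, plus a check of dig's header lines.

def recursor_behaviour(mode, client_do, client_ad, state):
    """Return (rcode, ad_in_reply, rrsigs_in_reply) for one client query.

    mode is the recursor.conf dnssec= setting ('off', 'process', 'validate');
    client_do / client_ad are the query bits (dig +dnssec / +adflag); state
    is what validation would yield ('secure', 'insecure', 'bogus').
    """
    if mode == 'off':
        return ('NOERROR', False, False)   # no DNSSEC processing at all
    rrsigs = bool(client_do)               # DO: "give me DNSSEC records"
    # validate mode always validates; process mode only when the client set AD
    validates = mode == 'validate' or bool(client_ad)
    if validates and state == 'bogus':
        # Assumed from the thread: once validation runs, bogus data is SERVFAILed
        return ('SERVFAIL', False, False)
    # RFC 6840 5.7: AD only goes back if the query asked for it with AD
    ad = validates and bool(client_ad) and state == 'secure'
    return ('NOERROR', ad, rrsigs)

def dig_flags(dig_output):
    """Extract header flags and the EDNS DO flag from dig text output."""
    hdr = re.search(r'^;; flags: ([^;]*);', dig_output, re.M)
    edns = re.search(r'^; EDNS: version: \d+, flags:([^;]*);', dig_output, re.M)
    header = set(hdr.group(1).split()) if hdr else set()
    edns_flags = set(edns.group(1).split()) if edns else set()
    return {'ad': 'ad' in header, 'do': 'do' in edns_flags}

def answer_kind(dig_output):
    """Classify a reply the way Leen suggests: look at AD, not at RRSIGs."""
    f = dig_flags(dig_output)
    if f['ad']:
        return 'validated'
    return 'signed-unvalidated' if f['do'] else 'plain'

# Constructed samples: header lines from an authoritative +dnssec answer
# (never AD: authoritatives do not validate) and from a validating recursor.
DIG_AUTH = """\
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 10
; EDNS: version: 0, flags: do; udp: 1232
"""
DIG_RECURSOR = """\
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
"""
```

The model makes the thread's point visible: RRSIGs in the answer only show that DO was honoured, while AD in the answer is the only sign that the recursor itself validated, and it appears only when the query asked for it.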
Re: [Pdns-users] pdns-recursor 4.0.0~alpha3-1 - no DNSSEC answer?
On Fri, May 20, 2016 at 08:10:23AM +0200, Bit World Computing - Michael Mertel wrote:
> Hi Leen,
>
> thanks for clearing this up. My approach was a bit too naive but my recursor
> is now returning what's expected.
>
> The +dnssec Parameter is the essential trick, and depending on dnssec=off or
> =process in my recursor.conf the recursor is returning the correct
> information.
>
> Thanks for your feedback.
>

I forgot to mention, when you query a recursor, the recursor can also
indicate that the response is DNSSEC-validated, you need to look at the
AD-bit.

See the dig output here:

https://docs.menandmice.com/display/MM/How+to+test+DNSSEC+validation

You will need the ad-bit if you have an application which depends on that,
but it can't really be trusted unless it's running on the same machine
aka: localhost

But it is also an indicator from the recursor that it did the
DNSSEC-validation, so it's useful if you want to know what the recursor is
doing.

> —Michael
>
>
> > On 19.05.2016 at 17:36, Leen Besselink wrote:
> >
> > On Thu, May 19, 2016 at 03:00:12PM +0200, Bit World Computing - Michael
> > Mertel wrote:
> >> Hi,
> >>
> >
> > Hi,
> >
> >> I'm currently trying to get a better understanding of DNSSEC. But even if
> >> I enable dnssec=process in my recursor.conf, I cannot get any DNSSEC
> >> related answer from it. What am I doing wrong here, I'm somewhat lost?
> >>
> >> —
> >> --- direct query
> >> dig @ns1.denic.de ANY www.denic.de
> >> ;; ANSWER SECTION:
> >> www.denic.de. 3600 IN A 81.91.170.12
> >> www.denic.de. 3600 IN RRSIG A 8 3 3600
> >> 2016060209 2016051909 26155 denic.de.
> >> rPMh+rMzzR2S4ZfPNlRVhhMInQ2NRJnbrVdpcu1pSiao0sNQ0cT0VtbG
> >> lt5inSNmhglwvHKVug4zMHlS+LOtXeRDikzZSvL9k3oam/livEQ4MaKO
> >> ZOR9PkIC8bf0bUj1Asfn2ifE9t5GmMXq6mFbP5ey38Q8bQn+nSancGwG
> >> AIvwtwE0rFUh5dH9o767dE3U+wl0Phx7QgzzT68gix9YosPmSFRJnZGp
> >> ICqyiViPDzmiU1WUjmpe9Vx3xHEPVHuS
> >>
> >> ;; AUTHORITY SECTION:
> >> denic.de. 3600 IN NS ns2.denic.de.
> >> denic.de. 3600 IN NS ns3.denic.de.
> >> denic.de. 3600 IN NS ns1.denic.de.
> >>
> >> ;; ADDITIONAL SECTION:
> >> ns1.denic.de. 3600 IN A 81.91.170.1
> >> ns1.denic.de. 3600 IN 2a02:568:121:6:2::2
> >> ns2.denic.de. 3600 IN A 78.104.145.26
> >> ns3.denic.de. 3600 IN A 81.91.173.19
> >
> >
> > DENIC can return whatever they want with an ANY-query, but that doesn't
> > mean it's DNSSEC.
> >
> >>
> >> —
> >> — query through dnsdist —
> >> dig @192.168.1.5 ANY www.denic.de
> >>
> >> ;; ANSWER SECTION:
> >> www.denic.de. 2083 IN A 81.91.170.12
> >> www.denic.de. 2083 IN RRSIG A 8 3 3600
> >> 2016060109 2016051809 26155 denic.de.
> >> CjMNUtYc5apXRuMLeqH+s8OoOrYyoV5r/CD0xmUNQIhT9DpS80QhB6b2
> >> oMhjxPqAN4leJUbJvMv23mAOMmnqViITN5c6aLWywDBcaN4JKCwBQbD8
> >> n8LxMSC2QxKM7Ypl8bQBBvPTrT9fHauXGlLcQNLWtYPQ8vD7+5XurFJm
> >> YCe6ZV3KTwkzHjDJSv4tSPFLfCHuFJSMtXqLewqwNPstqzvu4DXznj6Z
> >> RcYURFkGvSJsajzbVbVvDMrFO3tY6Faa
> >>
> >> —
> >> — query through recursor (no forwarders, dnssec=process) —
> >> dig -p 5153 @192.168.1.5 ANY www.denic.de
> >>
> >> ;; ANSWER SECTION:
> >> www.denic.de. 2724 IN A 81.91.170.12
> >>
> >> —
> >>
> >> Thanks in advance.
> >>
> >
> > This would be the usual way to check DNSSEC. Without:
> >
> > $ dig @d.ns.nic.cz labs.nic.cz A
> >
> > ; <<>> DiG 9.8.1-P1 <<>> @d.ns.nic.cz labs.nic.cz A
> > ; (2 servers found)
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60824
> > ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 6
> > ;; WARNING: recursion requested but not available
> >
> > ;; QUESTION SECTION:
> > ;labs.nic.cz. IN A
> >
> > ;; ANSWER SECTION:
> > labs.nic.cz. 1800 IN A 217.31.205.52
> >
> > ;; AUTHORITY SECTION:
> > nic.cz. 1800 IN NS a.ns.nic.cz.
> > nic.cz. 1800 IN NS b.ns.nic.cz.
> > nic.cz. 1800 IN NS d.ns.nic.cz.
> >
> > ;; ADDITIONAL SECTION:
> > a.ns.nic.cz. 1800 IN A 194.0.12.1
> > a.ns.nic.cz. 1800 IN 2001:678:f::1
> > b.ns.nic.cz. 1800 IN A 194.0.13.1
> > b.ns.nic.cz. 1800 IN 2001:678:10::1
> > d.ns.nic.cz. 1800 IN A 193.29.206.1
> > d.ns.nic.cz. 1800 IN 2001:678:1::1
> >
> > With DNSSEC:
> >
> > $ dig +dnssec @d.ns.nic.cz labs.nic.cz A
>
Re: [Pdns-users] pdns-recursor 4.0.0~alpha3-1 - no DNSSEC answer?
Hi Leen,

thanks for clearing this up. My approach was a bit too naive but my recursor
is now returning what's expected.

The +dnssec Parameter is the essential trick, and depending on dnssec=off or
=process in my recursor.conf the recursor is returning the correct
information.

Thanks for your feedback.

—Michael

> On 19.05.2016 at 17:36, Leen Besselink wrote:
>
> On Thu, May 19, 2016 at 03:00:12PM +0200, Bit World Computing - Michael
> Mertel wrote:
>> Hi,
>>
>
> Hi,
>
>> I'm currently trying to get a better understanding of DNSSEC. But even if I
>> enable dnssec=process in my recursor.conf, I cannot get any DNSSEC related
>> answer from it. What am I doing wrong here, I'm somewhat lost?
>>
>> —
>> --- direct query
>> dig @ns1.denic.de ANY www.denic.de
>> ;; ANSWER SECTION:
>> www.denic.de. 3600 IN A 81.91.170.12
>> www.denic.de. 3600 IN RRSIG A 8 3 3600
>> 2016060209 2016051909 26155 denic.de.
>> rPMh+rMzzR2S4ZfPNlRVhhMInQ2NRJnbrVdpcu1pSiao0sNQ0cT0VtbG
>> lt5inSNmhglwvHKVug4zMHlS+LOtXeRDikzZSvL9k3oam/livEQ4MaKO
>> ZOR9PkIC8bf0bUj1Asfn2ifE9t5GmMXq6mFbP5ey38Q8bQn+nSancGwG
>> AIvwtwE0rFUh5dH9o767dE3U+wl0Phx7QgzzT68gix9YosPmSFRJnZGp
>> ICqyiViPDzmiU1WUjmpe9Vx3xHEPVHuS
>>
>> ;; AUTHORITY SECTION:
>> denic.de. 3600 IN NS ns2.denic.de.
>> denic.de. 3600 IN NS ns3.denic.de.
>> denic.de. 3600 IN NS ns1.denic.de.
>>
>> ;; ADDITIONAL SECTION:
>> ns1.denic.de. 3600 IN A 81.91.170.1
>> ns1.denic.de. 3600 IN 2a02:568:121:6:2::2
>> ns2.denic.de. 3600 IN A 78.104.145.26
>> ns3.denic.de. 3600 IN A 81.91.173.19
>
>
> DENIC can return whatever they want with an ANY-query, but that doesn't mean
> it's DNSSEC.
>
>>
>> —
>> — query through dnsdist —
>> dig @192.168.1.5 ANY www.denic.de
>>
>> ;; ANSWER SECTION:
>> www.denic.de. 2083 IN A 81.91.170.12
>> www.denic.de. 2083 IN RRSIG A 8 3 3600
>> 2016060109 2016051809 26155 denic.de.
>> CjMNUtYc5apXRuMLeqH+s8OoOrYyoV5r/CD0xmUNQIhT9DpS80QhB6b2
>> oMhjxPqAN4leJUbJvMv23mAOMmnqViITN5c6aLWywDBcaN4JKCwBQbD8
>> n8LxMSC2QxKM7Ypl8bQBBvPTrT9fHauXGlLcQNLWtYPQ8vD7+5XurFJm
>> YCe6ZV3KTwkzHjDJSv4tSPFLfCHuFJSMtXqLewqwNPstqzvu4DXznj6Z
>> RcYURFkGvSJsajzbVbVvDMrFO3tY6Faa
>>
>> —
>> — query through recursor (no forwarders, dnssec=process) —
>> dig -p 5153 @192.168.1.5 ANY www.denic.de
>>
>> ;; ANSWER SECTION:
>> www.denic.de. 2724 IN A 81.91.170.12
>>
>> —
>>
>> Thanks in advance.
>>
>
> This would be the usual way to check DNSSEC. Without:
>
> $ dig @d.ns.nic.cz labs.nic.cz A
>
> ; <<>> DiG 9.8.1-P1 <<>> @d.ns.nic.cz labs.nic.cz A
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60824
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 6
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;labs.nic.cz. IN A
>
> ;; ANSWER SECTION:
> labs.nic.cz. 1800 IN A 217.31.205.52
>
> ;; AUTHORITY SECTION:
> nic.cz. 1800 IN NS a.ns.nic.cz.
> nic.cz. 1800 IN NS b.ns.nic.cz.
> nic.cz. 1800 IN NS d.ns.nic.cz.
>
> ;; ADDITIONAL SECTION:
> a.ns.nic.cz. 1800 IN A 194.0.12.1
> a.ns.nic.cz. 1800 IN 2001:678:f::1
> b.ns.nic.cz. 1800 IN A 194.0.13.1
> b.ns.nic.cz. 1800 IN 2001:678:10::1
> d.ns.nic.cz. 1800 IN A 193.29.206.1
> d.ns.nic.cz. 1800 IN 2001:678:1::1
>
> With DNSSEC:
>
> $ dig +dnssec @d.ns.nic.cz labs.nic.cz A
>
> ; <<>> DiG 9.8.1-P1 <<>> +dnssec @d.ns.nic.cz labs.nic.cz A
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54051
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 10
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 1232
> ;; QUESTION SECTION:
> ;labs.nic.cz. IN A
>
> ;; ANSWER SECTION:
> labs.nic.cz. 1800 IN A 217.31.205.52
> labs.nic.cz. 1800 IN RRSIG A 5 3 1800 20160531125753
> 20160518035002 37152 nic.cz.
> 0xzEtxkFeiOrdU2dqdKWmltIQEHn28Rv3bZKepOFmr3EUDcQDiGtWoV4
> CRUdrcKAoP9Gjq31qqHjYd7xvKJo54jb9IMI42X6PTHe+Mm/dgyYgoQw
> wdMjd+i/oEGF9MH/6BYbviaStGK5ocAsbB49pbvJW1Fh+e8rcTiHt9tt wlU=
>
> ;; AUTHORITY SECTION: