Re: [Pdns-users] DNSSEC, pdns-recursor and libunbound
l...@consolejunkie.net wrote:
> On 2015-04-24 21:35, Michael Ströder wrote:
>> Michael Ströder wrote:
>>> We're currently testing DNSSEC validation with libunbound 1.5.3 with all the RRs retrieved through a pdns-recursor (also tested 3.7.2).
>>> It seems that
>>> 1. libunbound does not explicitly retrieve the RRSIG RRs and
>>> 2. pdns-recursor does not return them when not explicitly requested (qtype ANY). (Explicitly requesting RRSIG works.)
>>> => validation in libunbound fails
>>
>> Did further testing with python-unbound (thin wrapper module on top of libunbound) with a simple script almost equal to this:
>> http://www.unbound.net/documentation/pyunbound/examples/example4.html
>>
>> Looking at PCAP dumps with Wireshark the requests sent by libunbound contain the DO bit:
>>
>> 1... = DO bit: Accepts DNSSEC security RRs
>>
>> It seems to me that unbound and Google's 8.8.8.8 therefore return RRSIG RRs while pdns-recursor does not.
>>
>> I have to admit that looking at [1] rather confuses me. ;-)
>>
>> Sniffing the out-going requests sent by pdns-recursor the DO bit is missing. Obviously the DNS servers then do not respond with RRSIG RRs.
>>
>> Ciao, Michael.
>>
>> [1] http://tools.ietf.org/html/rfc4035#section-3.2.1
>
> It's too bad nobody replied to you yet.

Given my last posting was late in the evening your response is pretty quick. :-)

> Let me tell how it is:
> The DO-bit in the request to the recursor means: please include DNSSEC information.

Yes.

> Then if the recursor you are requesting it from does validation and it fails it will return an error similar to domain not found.

Actually I'm using python-unbound (mainly libunbound) for the validation but would like to use the existing pdns-recursor for simply retrieving the RRs. But since the DO bit is not forwarded it does not get the RRSIG RRs back and returns the result with validation status bogus.

> http://blog.powerdns.com/2013/09/16/dnssec-validation-for-the-recursor/
> If I understand correctly the PowerDNS developers have put in some of the time to add DNSSEC to their recursor but it isn't done yet.

Already saw this blog article before. I'm looking forward to pdns-recursor 4.x because I like its logging more than that of other recursors.

> In the past I've requested from the PowerDNS developers, would it be possible to at least include the DNSSEC-information so Unbound can do the validation. I told them you can leave the validation out of PowerDNS-recursor, I care less about that.
> The answer I got was: The validation is in comparison the easy part, changing the recursor to return the DNSSEC-information is more work.

Hmm, but if explicitly requested in the query pdns-recursor does actually retrieve the RRSIG RRs. Wouldn't it be possible to also send the DO bit in the out-going query if the incoming query had it set?

Ciao, Michael.

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
[Pdns-users] DNSSEC, pdns-recursor and libunbound
Hi!

We're currently testing DNSSEC validation with libunbound 1.5.3 with all the RRs retrieved through a pdns-recursor (also tested 3.7.2).

It seems that
1. libunbound does not explicitly retrieve the RRSIG RRs and
2. pdns-recursor does not return them when not explicitly requested (qtype ANY). (Explicitly requesting RRSIG works.)
=> validation in libunbound fails

Did anybody else try such a setup before? Did it work?

Most people doing DNSSEC validation simply use bind9 or unbound for recursing and as validating resolver but for now that's likely not an option in this infrastructure.

Any hint is appreciated. Thanks in advance.

Ciao, Michael.
Re: [Pdns-users] DNSSEC, pdns-recursor and libunbound
On 2015-04-24 21:35, Michael Ströder wrote:
> Michael Ströder wrote:
>> We're currently testing DNSSEC validation with libunbound 1.5.3 with all the RRs retrieved through a pdns-recursor (also tested 3.7.2).
>> It seems that
>> 1. libunbound does not explicitly retrieve the RRSIG RRs and
>> 2. pdns-recursor does not return them when not explicitly requested (qtype ANY). (Explicitly requesting RRSIG works.)
>> => validation in libunbound fails
>
> Did further testing with python-unbound (thin wrapper module on top of libunbound) with a simple script almost equal to this:
> http://www.unbound.net/documentation/pyunbound/examples/example4.html
>
> Looking at PCAP dumps with Wireshark the requests sent by libunbound contain the DO bit:
>
> 1... = DO bit: Accepts DNSSEC security RRs
>
> It seems to me that unbound and Google's 8.8.8.8 therefore return RRSIG RRs while pdns-recursor does not.
>
> I have to admit that looking at [1] rather confuses me. ;-)
>
> Sniffing the out-going requests sent by pdns-recursor the DO bit is missing. Obviously the DNS servers then do not respond with RRSIG RRs.
>
> Ciao, Michael.
>
> [1] http://tools.ietf.org/html/rfc4035#section-3.2.1

Hi Michael,

It's too bad nobody replied to you yet.

Let me tell how it is:

The DO-bit in the request to the recursor means: please include DNSSEC information.

Then if the recursor you are requesting it from does validation and it fails it will return an error similar to domain not found. If it doesn't do any DNSSEC validation it will just return the reply it got from an authoritative server.

If the domain has DNSSEC-information and the recursor does validation and it was correct it will set the AD-bit in the response. So a non-validating recursor will never set the AD-bit.

Now let's take your set up with Unbound-recursor forwarding to the PDNS-recursor. A recursor like Unbound, when it does validation, needs the DNSSEC-information, so it will request it from the PDNS-recursor it forwards the requests to (DO-bit set).

PDNS-recursor doesn't yet support DNSSEC, so it will reply without including any DNSSEC-information. Thus Unbound can't do any validation and will fail all requests. So from Unbound you'll end up with answers: domain not found.

The PowerDNS developers did want to put time in it, they've talked about it a couple of times, for example this blog post:
http://blog.powerdns.com/2013/09/16/dnssec-validation-for-the-recursor/

If I understand correctly the PowerDNS developers have put in some of the time to add DNSSEC to their recursor but it isn't done yet.

In the past I've requested from the PowerDNS developers, would it be possible to at least include the DNSSEC-information so Unbound can do the validation. I told them you can leave the validation out of PowerDNS-recursor, I care less about that.

The answer I got was: The validation is in comparison the easy part, changing the recursor to return the DNSSEC-information is more work.

So now you know.

Have a good weekend,
Leen.
Re: [Pdns-users] DNSSEC, pdns-recursor and libunbound
Michael Ströder wrote:
> We're currently testing DNSSEC validation with libunbound 1.5.3 with all the RRs retrieved through a pdns-recursor (also tested 3.7.2).
> It seems that
> 1. libunbound does not explicitly retrieve the RRSIG RRs and
> 2. pdns-recursor does not return them when not explicitly requested (qtype ANY). (Explicitly requesting RRSIG works.)
> => validation in libunbound fails

Did further testing with python-unbound (thin wrapper module on top of libunbound) with a simple script almost equal to this:
http://www.unbound.net/documentation/pyunbound/examples/example4.html

Looking at PCAP dumps with Wireshark the requests sent by libunbound contain the DO bit:

1... = DO bit: Accepts DNSSEC security RRs

It seems to me that unbound and Google's 8.8.8.8 therefore return RRSIG RRs while pdns-recursor does not.

I have to admit that looking at [1] rather confuses me. ;-)

Sniffing the out-going requests sent by pdns-recursor the DO bit is missing. Obviously the DNS servers then do not respond with RRSIG RRs.

Ciao, Michael.

[1] http://tools.ietf.org/html/rfc4035#section-3.2.1
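The mechanics discussed in this thread (the EDNS0 DO bit Michael saw in his Wireshark captures, and Leen's explanation that a DNSSEC-aware recursor answers a DO query with RRSIG records and sets AD only when it validated) in working code, as an added example that is not part of the original thread and is not PowerDNS or Unbound code. The script below uses only the Python standard library: it builds a query with and without the DO bit, constructs two sample answers inline (one as a validating recursor would return it, with RRSIG and AD, and one with neither, which is the shape of the reply described for pdns-recursor here), and inspects the wire format of each. The query name, the IP address, the key tag and the zero-filled "signature" are made up for the demonstration.

```python
import struct

# Added example, not code from the thread or from PowerDNS/Unbound.
# Type numbers and flag positions are from the DNS RFCs: A=1, OPT=41,
# RRSIG=46; DO is the high bit of the OPT "TTL" (RFC 3225); AD is bit 5
# of the header flags (RFC 4035). All messages below are constructed inline.
TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
DO_FLAG = 0x8000   # OPT TTL field: "DNSSEC OK"
AD_FLAG = 0x0020   # header flags: "Authenticated Data"
QR_FLAG, RD_FLAG, RA_FLAG = 0x8000, 0x0100, 0x0080


def encode_name(name):
    """Dotted name -> uncompressed wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=TYPE_A, do=True, qid=0x1234, udp_size=4096):
    """Recursive query with an OPT RR; the DO bit is set only when do=True."""
    header = struct.pack("!HHHHHH", qid, RD_FLAG, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, DO_FLAG if do else 0, 0)
    return header + question + opt


def _read_name(wire, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = wire[off]
        if length & 0xC0 == 0xC0:            # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", wire[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(wire[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_message(wire):
    """Header flags, EDNS DO bit and the RR types of every section, in order."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", wire[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(wire, off)
        off += 4                              # QTYPE + QCLASS
    types, do = [], False
    for _ in range(an + ns + ar):
        _, off = _read_name(wire, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            do = bool(ttl & DO_FLAG)          # the OPT "TTL" carries the DO bit
        types.append(rtype)
    return {"id": qid, "ad": bool(flags & AD_FLAG), "do": do, "types": types}


def build_response(query, with_rrsig, ad, do):
    """Constructed answer to `query`: A 93.184.216.34, optional dummy RRSIG."""
    qid = struct.unpack("!H", query[:2])[0]
    question = query[12:query.index(b"\x00", 12) + 5]   # QNAME + QTYPE/QCLASS
    ptr = b"\xc0\x0c"                                   # pointer to QNAME
    answers = ptr + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([93, 184, 216, 34])
    ancount = 1
    if with_rrsig:
        # RRSIG rdata: type covered, alg 13, labels, original TTL, expiration,
        # inception, key tag, signer name, then 64 filler bytes as "signature"
        rdata = (struct.pack("!HBBIIIH", TYPE_A, 13, 2, 300, 0x5F000000, 0x5E000000, 12345)
                 + encode_name("example.com") + b"\x00" * 64)
        answers += ptr + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, len(rdata)) + rdata
        ancount = 2
    flags = QR_FLAG | RD_FLAG | RA_FLAG | (AD_FLAG if ad else 0)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_FLAG if do else 0, 0)
    return struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 1) + question + answers + opt


def demo():
    """Compare a DNSSEC-aware answer with one from a recursor that dropped DO."""
    q_do = build_query("example.com")
    full = parse_message(build_response(q_do, with_rrsig=True, ad=True, do=True))
    stripped = parse_message(build_response(q_do, with_rrsig=False, ad=False, do=False))
    return {
        "query_do": parse_message(q_do)["do"],
        "query_plain_do": parse_message(build_query("example.com", do=False))["do"],
        "full_rrsig": TYPE_RRSIG in full["types"], "full_ad": full["ad"],
        "stripped_rrsig": TYPE_RRSIG in stripped["types"], "stripped_ad": stripped["ad"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script against real traffic is a matter of feeding `parse_message` the UDP payloads from a capture instead of the constructed ones: a reply that carries no RRSIG and no DO bit in its OPT record, even though the query had DO set, is exactly the symptom described for pdns-recursor in this thread, and a validator behind it has nothing to validate.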
Re: [Pdns-users] DNSSEC, pdns-recursor and libunbound
On Fri, Apr 24, 2015 at 11:07:46PM +0200, l...@consolejunkie.net wrote:
> The answer I got was: The validation is in comparison the easy part, changing the recursor to return the DNSSEC-information is more work.

We're on it people!

http://blog.powerdns.com/2015/02/23/powerdns-development-plans-4-x-dnssec-c-2011/

One reason it has been taking longer is that the large scale users are worried about DNS in general, and have not had an appetite to add DNSSEC to their worries. In part, our work on dnsdist and DoS prevention had to happen before we can expect enthusiasm about validation on large scale.

But this year for real. Watch this space.

Bert

> So now you know.
>
> Have a good weekend,
> Leen.