Force Bind caching resolver to always obey DNSSSEC

lst_hoe02 at kwsoft.de lst_hoe02 at kwsoft.de
Sat Oct 2 09:01:37 UTC 2010


Zitat von Barry Margolin <barmar at alum.mit.edu>:

> In article <mailman.265.1285967251.555.bind-users at lists.isc.org>,
>  lst_hoe02 at kwsoft.de wrote:
>
>> Zitat von Alan Clegg <aclegg at isc.org>:
>>
>> > On 10/1/2010 4:50 PM, lst_hoe02 at kwsoft.de wrote:
>> >
>> >> Sorry for being unclear. We want the SERVFAIL as it should be for
>> >> invalid DNSSEC data *in all cases* eg. even if a client ask with the
>> >> cdflag (checking disable) set.
>> >
>> > CD means "don't check", so you can't by definition.
>> >
>> > AlanC
>> >
>>
>> That i was afraid of. It's a pitty that there is no way to save the
>> downstream clients from stupid resolvers/downstream caches.
>
> Since CD is not set by default, a "stupid resolver" that doesn't know
> about DNSSEC won't set it.  Someone has to go out of their way to
> request this behavior.

I have detected this because we have a internal Bind 9.4 act as  
caching resolver forwarding to our border Bind 9.7 which is also a  
caching resolver and has DNSSEC enabled. If the internal Bind 9.4 is  
not explicitely configured to use DNSSEC (dnssec-enable yes; dnssec  
validation yes;) it will set CD and therefore by default makes the  
DNSSEC on the border useless.
So the problem are not resolvers unaware of DNSSEC but resolvers with  
inappropriate defaults or configured wrong by accident. Additionally  
this problem is not easy detectable as it can occur far downstream. So  
i would say it is a valid concern for network operators to make it  
possibe to force obeying DNSSEC at the border.

Regards

Andreas





More information about the bind-users mailing list