DNS64 and DNSSEC - AD bit not set (RFC 6147)

Mark Andrews marka at isc.org
Thu Mar 27 04:18:05 UTC 2014


In message <A316D30A-6933-4EC8-B851-5BFAE1276DC5 at oneshoeco.com>, Tom Lanyon writes:
> Hi list,
> 
> Just wanted to check my understanding of BIND9's implementation of DNS64
> against RFC 6147.
> 
> Currently BIND9's "break-dnssec" defaults to "no" - in this configuration, a
> security-aware & validating recursive resolver will never synthesise an AAAA
> record via DNS64 when queried with DO=1 regardless of the CD bit.

No.  If the answer is secure and DO=1 then it won't synthesise.

RFC 6147 just gets DO and CD semantics completely wrong.  The WG
wanted there to be signaling that the client was going to validate
and DNSSEC does not have such signaling.  The best DNSSEC can do
is DO=1 indicates that the client might validate.  This is independent
of CD.

A validating stub resolver should send its queries with CD=0 so that
the recursive server can filter out bad responses from upstream.
Only if it gets SERVFAIL should it attempt the query with CD=1 in
case the resolver has bad time or bad trust anchors.

Named doesn't lie when DO=1 *and* it is possible to detect the lie.
"break-dnssec yes;" tells named to lie even when it is possible to
detect the lie.

Stub resolvers don't currently set DO=1 so DNS64 synthesis happens
for them.

> When changing "break-dnssec" to "yes", querying with DO=1 will always trigger
> synthesis of a DNS64 AAAA record, regardless of the CD bit.
> 
> Both of these configurations seem to conflict with the DNS64 RFC 6147, which
> specifies that (so long as the upstream negative AAAA and positive A responses
> validate) the recursive resolver can still synthesise the DNS64 AAAA when
> queried with DO=1 and CD=0 but must return the answer with the AD bit set.
> Only when queried with both DO=1 and CD=1 must it not synthesise the DNS64
> AAAA.
> 
> Is there any way to configure BIND9 to comply with this RFC 6147 behaviour?
> We're on 9.8.2, but I couldn't find anything related in the CHANGES for either
> 9.8 or 9.9.
> 
> Thanks,
> Tom
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
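The two synthesis rules discussed in this thread (named's "don't lie when DO=1 and the lie is detectable, unless break-dnssec yes" versus Tom's reading of RFC 6147's DO/CD/AD rules), together with the RFC 6052 address embedding that DNS64 performs once it decides to synthesise, as an added example. This is illustration code written for this page, not BIND's or ISC's code; the names Query, named_synthesizes, rfc6147_synthesizes, synthesize_aaaa and extract_ipv4 are chosen here, and the addresses in the usage block are constructed documentation values.

```python
"""DNS64 synthesis decisions under DNSSEC, plus RFC 6052 address mapping.

Added example for this thread; it is not BIND code.  Query, named_synthesizes,
rfc6147_synthesizes, synthesize_aaaa and extract_ipv4 are names chosen here.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    do: bool  # EDNS DO bit: the client *might* validate
    cd: bool  # Checking Disabled bit


def named_synthesizes(q: Query, aaaa_answer_secure: bool,
                      break_dnssec: bool = False) -> bool:
    """named's rule as described above: with DO=1 it will not replace a
    DNSSEC-secure (verifiable) negative AAAA answer with a synthesised one,
    unless "break-dnssec yes;" is configured.  CD does not enter into it."""
    if not q.do:
        return True                  # stub without DO=1 cannot detect the lie
    if break_dnssec:
        return True                  # lie even though the client could detect it
    return not aaaa_answer_secure    # unsigned/insecure zone: lie is undetectable


def rfc6147_synthesizes(q: Query, upstream_secure: bool) -> tuple:
    """Tom's reading of RFC 6147, returned as (synthesise?, set AD?):
    DO=1,CD=1 -> no synthesis; DO=1,CD=0 with validated upstream negative AAAA
    and positive A -> synthesise and set AD; otherwise synthesise without AD."""
    if q.do and q.cd:
        return False, False
    if q.do and upstream_secure:
        return True, True
    return True, False


_V4_BYTES = 4
_U_OCTET = 8  # byte 8 (bits 64..71) is the RFC 6052 'u' octet and stays zero


def synthesize_aaaa(prefix: str, ipv4: str) -> str:
    """Embed ipv4 in a Pref64 per RFC 6052 section 2.2 and return the AAAA text."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen not in (32, 40, 48, 56, 64, 96):
        raise ValueError(f"unsupported Pref64 length /{net.prefixlen}")
    out = bytearray(net.network_address.packed)
    pos = net.prefixlen // 8
    for b in ipaddress.IPv4Address(ipv4).packed:
        if pos == _U_OCTET:          # IPv4 bits straddle the u octet: skip it
            pos += 1
        out[pos] = b
        pos += 1
    return str(ipaddress.IPv6Address(bytes(out)))


def extract_ipv4(prefix: str, ipv6: str) -> str:
    """Inverse of synthesize_aaaa: recover the embedded IPv4 address, or raise
    if the address is not inside the prefix (e.g. a genuine native AAAA)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{ipv6} is not a DNS64-synthesised address in {prefix}")
    raw = addr.packed
    pos = net.prefixlen // 8
    v4 = bytearray()
    while len(v4) < _V4_BYTES:
        if pos == _U_OCTET:
            pos += 1
        v4.append(raw[pos])
        pos += 1
    return str(ipaddress.IPv4Address(bytes(v4)))


if __name__ == "__main__":
    # Constructed inputs: the well-known prefix and a documentation address.
    aaaa = synthesize_aaaa("64:ff9b::/96", "192.0.2.33")
    print(aaaa, "->", extract_ipv4("64:ff9b::/96", aaaa))
    for q in (Query(False, False), Query(True, False), Query(True, True)):
        print(q,
              "named:", named_synthesizes(q, aaaa_answer_secure=True),
              "break-dnssec:", named_synthesizes(q, True, break_dnssec=True),
              "rfc6147:", rfc6147_synthesizes(q, upstream_secure=True))
```

Running the table shows the disagreement concretely: for DO=1, CD=0 against a signed zone, named returns the secure negative answer (no AAAA) while the RFC 6147 reading returns a synthesised AAAA with AD set. The knob itself lives inside BIND's dns64 statement, e.g. `dns64 64:ff9b::/96 { break-dnssec yes; };`, and the decision is per-query: a client that does not set DO gets synthesis either way.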