RPZ breaks DNSSEC signed langing page redirect

Daniel Stirnimann daniel.stirnimann at switch.ch
Fri Dec 23 10:33:22 UTC 2016

Hi all,

We use RPZ to block malicious domain names. Specifically, we redirect to
a landing page. Our landing page (landingpage.ph.rpz.switch.ch) is
DNSSEC signed. However, if I get a RPZ response from our validating dns
resolver it omits any RRSIG. Example:

dig @<resolver> www.oyubaimai[.]top +dnssec

; <<>> DiG 9.11.0rc1 <<>> @<resolver> www.oyubaimai[.]top +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52312
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 5

; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 4442932ac258891044299f27585cf4bf66cb7f09a55cc096 (good)
;www.oyubaimai[.]top.		IN	A

www.oyubaimai[.]top.	5	IN	CNAME	landingpage.ph.rpz.switch.ch.
landingpage.ph.rpz.switch.ch. 86400 IN	A

switch.ch.		3463	IN	NS	nsa-p.dnsnode.net.
switch.ch.		3463	IN	NS	ns2.switch.ch.
switch.ch.		3463	IN	NS	scsnms.switch.ch.

ns2.switch.ch.		3463	IN	AAAA	2001:620:0:ff::2f
scsnms.switch.ch.	3463	IN	AAAA	2001:620:0:ff::a7
ns2.switch.ch.		3463	IN	A
scsnms.switch.ch.	3463	IN	A

Note, our BIND RPZ configuration does not use "break-dnssec yes" (it
does not matter in this case). www.oyubaimai[.]top is not DNSSEC signed.
landingpage.ph.rpz.switch.ch is DNSSEC signed.

Our DNS resolvers are not only used by stub resolvers but by DNS
resolvers using DNS forwarding as well. I wonder what happens if DNS
forwarding resolvers do DNSSEC validation? It looks like they would
return SERVFAIL to the user as the RPZ response omits any RRSIG for the
landing page.

Is this a BIND bug or a side effect of RPZ? As a work around, I could
leave rpz.switch.ch unsigned to work around this problem.


More information about the bind-users mailing list