RPZ breaks DNSSEC signed langing page redirect

Daniel Stirnimann daniel.stirnimann at switch.ch
Thu Dec 29 12:39:15 UTC 2016

> Our DNS resolvers are not only used by stub resolvers but by DNS
> resolvers using DNS forwarding as well. I wonder what happens if DNS
> forwarding resolvers do DNSSEC validation? It looks like they would
> return SERVFAIL to the user as the RPZ response omits any RRSIG for the
> landing page.

I tested this out. BIND returns SERVFAIL to the stub resolver.

I also checked out PowerDNS Recursor 4 with RPZ. PowerDNS Recursor 4
returns just the CNAME to the landing page. No A/AAAA record. Thus, the
forwarding DNS resolver needs to do an additional lookup of the CNAME
hostname which succeeds with RRSIGs returned. So, PowerDNS does not
break a DNSSEC signed landing page hostname.

I also tested out knot resolver 1.1.1. knot resolver does currently not
support CNAME response in RPZ. One has to provide an A/AAAA record if
redirection to a landing page is wanted. So, Knot resolver does not
suffer from this problem as well.

My conclusion is that one should not DNSSEC sign the landing page if you
utilize DNS RPZ with BIND.


More information about the bind-users mailing list