Forwarded lookup failing on no valid RRSIG

[Nicolas Bock]

On Sun, Dec 20 2020, Mark Andrews wrote:

>> On 21 Dec 2020, at 06:04, Matthew Pounsett <matt at conundrum.com> wrote:
>> 
>> 
>> 
>> On Fri, 18 Dec 2020 at 18:08, Nicolas Bock <nicolas.bock at canonical.com> wrote:
>> Thanks Mark. Am I correct then that I need to either convince the administrator of that DNS to enable DNSSEC or configure my DNS with `dnssec-validation = no`?
>> 
>> The upstream administrator isn't required to be validating DNSSEC for this to work, but in order for your DNS server to do DNSSEC validation, their DNS server must be DNSSEC aware enough to be requesting DNSSEC data when it queries the authoritative DNS servers.  Of course, the resilience of the whole thing would also be improved by that server also validating.
>
> Matthew, there is a difference between sometimes getting answers out of a forwarder that isn’t validating that validate and a system that is working.  If the forwarder is not validating then the system cannot recover from situations that a iterative validating resolver can recover from.

Thanks Matthew and Mark for the details. I will have a chat
with the upstream administrator and see whether I can
convince them to enable full DNSSEC on their end. At least
at this point I have a better grasp of what and why I am
seeing those messages.

Thanks!

Nick

> It is bad advice to deploy validating clients behind forwarders that are not validating.
>
>> If they can't or won't update their server, then yes, you'll either have to disable validation yourself, or select a better upstream.  Personally I'd go looking for a better upstream (or just stop using a forwarder entirely, and do your own direct recursion, if that's possible in your environment).