rbldnsd and DNSSEC compatibility issues - any suggestions?

Thu Sep 10 18:35:11 UTC 2020

On Thu, 2020-09-10 at 13:50 -0400, Jim Popovitch via bind-users wrote:
> On Thu, 2020-09-10 at 11:56 -0400, Rob McEwen wrote:
> > I manage an anti-spam DNSBL and I've been running into an issue in recent years - that I'm FINALLY getting around to asking about. I just joined this list to ask this question. Also, I checked the archives, but couldn't find an answer - at least, not one I understood.
> > So basically, while most of our users do direct queries and don't have this issue - some of our larger subscribers RSYNC the rbldsnd-formatted files, and then they typically run rbldnsd on the same server as their BIND server that is answering their DNSBL queries. Then, their invaluement zone names will all end with "invaluement.local". Typically, their RBLDNSD server is set up to listen on 127.0.0.2 - and then they use BIND for answering their DNSBL queries, and so they tell BIND to get its answers for THOSE invaluement dnsbl queries by doing a DNS forwarder, telling bind to get the answers for THOSE zones from 127.0.0.2 - as shown below:
> > zone "invaluement.local" in {
> >   type forward;
> >   forward only;
> >   forwarders { 127.0.0.2; };
> > };
> > 
> > This works perfectly - so long as DNSSEC is turned off. And since most of our subscribers are running a dedicated instance of BIND that is ONLY used for DNSBL queries, they don't mind turning DNSSEC off.
> > But, occasionally, we have a customer who cannot turn DNSSEC off. So I was hoping that THIS command would work:
> > dnssec-must-be-secure "invaluement.local" no;
> > But it doesn't seem to be helping at all. Is that command suppose to disable DNSSEC checking for a particular zone? If yes, what did I do wrong? If not, what does "dnssec-must-be-secure" set to "no" do?
> > I've heard that there is NOT a way to get this to work - and that such subscribers much use DNS Delegation, instead. But I really wish this could be done by simply turning off DNSSEC for a particular zone. That could be useful for MANY various types of internal zones that need this. But if this is that case, how would that DNS Delegation look, to get the above forwarding example to work using delegation instead?
> > Thanks in advance for your help!
> 
> Just a thought, but ARM says:
> 
> dnssec-must-be-secure
>    Specify hierarchies which must be or may not be secure (signed and validated). If yes,
>    then named will only accept answers if they are secure. If no, then normal DNSSEC
>    validation applies allowing for insecure answers to be accepted. The specified domain
>    must be defined as a trust anchor, for instance in a trust-anchors statement, or dnssec-
>    validation auto must be active.
> 
> 
> You might want to try adding "dnssec-validation auto" to the zone stanza.
> 
> zone "invaluement.local" in {
>    type forward;
>    forward only;
>    forwarders { 127.0.0.2; };
>    dnssec-validation auto;
> };

In retrospect that won't work.  dnssec-validation can only be used in
options or views.  Maybe try using a view?

-Jim P.