rbldnsd and DNSSEC compatibility issues - any suggestions?

Rob McEwen rob at invaluement.com
Fri Sep 11 12:22:37 UTC 2020

On 9/11/2020 2:46 AM, Mark Andrews wrote:
> validate-except (I typo’d it the second time, unfortunately expect and except are both valid words).

I got so far down the rabbit trail with your other points, somehow I 
missed that. Thanks. This should solve my problem!

> If you actually used a zone name with a DNAME

Great suggestion! I didn't know about that.

However, since I use CloudFlare's DNS for my authoritative DNS - which is 
critical for prevention of DDoS attacks - and they don't actually 
support DNAME, my hands are tied. (or so it SEEMS - see my question 
about a possible workaround at the end of this email)

My actual direct query service involves my own rbldnsd servers in 42 
cities around the world (all hiding behind secret host names that a 
criminal couldn't easily find) - and those are pointed to by NS records 
in my CloudFlare DNS, so then the actual direct DNS queries, and the 
vast majority of my DNS traffic for direct queries to my own DNSBL, go 
to those 42 servers around the world, NOT to CloudFlare - but CloudFlare 
is the starting point - the first query goes to CloudFlare, then the DNS 
server doing the asking "knows" for a while to use one of my own 
servers, and not bother CloudFlare with any more traffic for a while. 
(again, this is for my direct query service - for my smaller subscribers 
- my servers can handle THAT traffic)

But since CloudFlare is the authoritative server for invaluement.com, 
that is where the DNAME you're suggesting would need to be set up. Since 
they don't support that, I'm not able to implement that at this time.

SEE: https://community.cloudflare.com/t/dname-records-on-cloudflare/16642/4

...also, their not supporting it makes me a little nervous about others 
not supporting it. But maybe that fear is unreasonable since it is only 
the "resolvers" that need this feature, not authoritative-only services? 
This is something that DNS caching servers like BIND have been 
supporting for decades, correct? Please don't tell me that _only_ a 
very _recent_ version of BIND does this correctly. ;) That would 
probably kill this idea!

*POSSIBLE WORKAROUND?:* So assuming that DNAME is widely supported by 
many DNS caching servers, old and new... I wonder if I could do 
something similar to what I do for my direct query service, using NS 
records to delegate this to another BIND DNS server that I would run on 
my own server - so for "example.invaluement.com" - I'd create a BIND 
instance on my own server hosting "example.invaluement.com" as the 
authoritative server for that zone, implementing the DNAME records you 
suggested. Then put an NS record on my CloudFlare telling the world that 
THIS server is the authoritative server for "example.invaluement.com" 
(with TTL for some hours). Do you think that would work?

Rob McEwen
+1 (478) 475-9032
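Editor's note: the following is a configuration sketch of the delegation-plus-DNAME workaround asked about in the last paragraph, together with the validate-except option mentioned at the top of the message. It is added here as an illustration and is not part of the original thread. Only the zone name example.invaluement.com comes from the message; the host name ns1, the 192.0.2.10 address (RFC 5737 documentation range), the label "list", the rbldnsd target zone rbl.secret-hostname.example. and the TTLs are hypothetical placeholders.

```text
# (1) Records in the invaluement.com zone at CloudFlare: a plain NS delegation
#     with glue and no DS record, so example.invaluement.com becomes an
#     unsigned child zone rather than part of the signed parent.
example.invaluement.com.      14400  IN  NS  ns1.example.invaluement.com.
ns1.example.invaluement.com.  14400  IN  A   192.0.2.10        # glue (hypothetical)

# (2) named.conf on the self-run BIND server that is authoritative for the child
#     zone ("type master;" on BIND versions older than 9.16).
zone "example.invaluement.com" {
    type primary;
    file "/var/named/example.invaluement.com.zone";
};

# (3) /var/named/example.invaluement.com.zone: the DNAME redirects every name
#     *below* list.example.invaluement.com into the zone served by rbldnsd.
#     The owner name "list" itself is not redirected (RFC 6672).
$TTL 14400
$ORIGIN example.invaluement.com.
@      IN  SOA    ns1 hostmaster ( 2020091101 3600 900 1209600 3600 )
@      IN  NS     ns1
ns1    IN  A      192.0.2.10
list   IN  DNAME  rbl.secret-hostname.example.   ; hypothetical rbldnsd zone

# (4) On a validating BIND 9.16+ resolver, the option Mark referred to: skip
#     DNSSEC validation at and below the listed name.
options {
    dnssec-validation auto;
    validate-except { "example.invaluement.com"; };
};
```

With this in place a lookup such as `dig 2.0.0.127.list.example.invaluement.com` returns the DNAME RR plus a CNAME synthesized by the authoritative server pointing at 2.0.0.127.rbl.secret-hostname.example., which the resolver then follows. Because the CNAME is synthesized server-side, resolvers that predate the DNAME type (RFC 2672, 1999; revised in RFC 6672) still follow the redirection, and because the parent holds no DS record for the child, a validator treats example.invaluement.com as an insecure delegation and accepts its unsigned answers.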
