rbldnsd and DNSSEC compatibility issues - any suggestions?
rob at invaluement.com
Fri Sep 11 12:22:37 UTC 2020
On 9/11/2020 2:46 AM, Mark Andrews wrote:
> validate-except (I typo’d it the second time, unfortunately expect and except are both valid words).
I got so far down the rabbit trail with your other points, somehow I
missed that. Thanks. This should solve my problem!
> If you actually used a zone names with a DNAME
Great suggestion! I didn't know about that.
However, since i use CloudFlare' DNS for my authoritative DNS - which is
critical for prevention of DDOS attacks - and they don't actually
support DNAME, my hands are tied. (or so it SEEMS - see my question
about a possible workaround at the end of this email)
My actual direct query service involves my own rbldnsd servers in 42
cities around the world (all hiding behind secret host names that a
criminal couldn't easily find) - and those are pointed to by NS records
in my CloudFlare DNS, so then the actual direct DNS queries, and the
vast majority of my DNS traffic for direct queries to my own DNSBL, goes
to those 42 servers around the world, NOT to CloudFlare - but CloudFlare
is the starting point - the first query goes to CloudFlare, then the DNS
server doing the asking "knows" for a while to use one of my own
servers, and not bother CloudFlare with any more traffic for a while.
(again, this is for my direct query service - for my smaller subscribers
- my servers can handle THAT traffic)
But since CloudFlare is the authoritative server for invaluement.com,
that is where the DNAME you're suggesting would need to be setup. Since
they don't support that, I'm not able to implement that at this time.
...also, them not supporting it - makes me a little nervous about others
not supporting it. But maybe that fear is unreasonable since it is only
the "revolvers" that need this feature, not authoritative-only services?
This is something that DNS caching servers like BIND, have been
supporting for decades, correct? Please tell don't tell me that _only_ a
very _recent_ version of BIND does this correctly. ;) That would
probably kill this idea!
*POSSIBLE WORKAROUND?:* So assuming that DNAME is widely supported by
many DNS caching servers, old and new... I wonder if I could do
something similar to what I do for my direct query service, using NS
records to delegate this to another BIND DNS server that I would run on
my own server - so for "example.invaluement.com" - I'd create a BIND
instance on my own server hosting "example.invaluement.com" as the
authoritative server for that zone, implementing the DNAME records you
suggested. Then put a NS record on my cloudflare telling the world that
THIS server is the authoritative server for "example.invaluement.com"
(with TTL for some hours). Do you think that would work?
+1 (478) 475-9032
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the bind-users