rbldnsd and DNSSEC compatibility issues - any suggestions?

Mark Andrews marka at isc.org
Fri Sep 11 23:28:33 UTC 2020

> On 11 Sep 2020, at 22:22, Rob McEwen <rob at invaluement.com> wrote:
> On 9/11/2020 2:46 AM, Mark Andrews wrote:
>> validate-except (I typo’d it the second time, unfortunately expect and except are both valid words).
> I got so far down the rabbit trail with your other points, somehow I missed that. Thanks. This should solve my problem!
>> If you actually used a zone name with a DNAME
> Great suggestion! I didn't know about that.
> However, since I use CloudFlare's DNS for my authoritative DNS - which is critical for prevention of DDOS attacks - and they don't actually support DNAME, my hands are tied. (or so it SEEMS - see my question about a possible workaround at the end of this email)

Cloudflare don’t want to deal with the extra database lookup to see if there is a DNAME and the CNAME synthesis.  By rejecting zones with DNAMEs they can get away with this stance.
> My actual direct query service involves my own rbldnsd servers in 42 cities around the world (all hiding behind secret host names that a criminal couldn't easily find) - and those are pointed to by NS records in my CloudFlare DNS, so then the actual direct DNS queries, and the vast majority of my DNS traffic for direct queries to my own DNSBL, goes to those 42 servers around the world, NOT to CloudFlare - but CloudFlare is the starting point - the first query goes to CloudFlare, then the DNS server doing the asking "knows" for a while to use one of my own servers, and not bother CloudFlare with any more traffic for a while. (again, this is for my direct query service - for my smaller subscribers - my servers can handle THAT traffic)
> But since CloudFlare is the authoritative server for invaluement.com, that is where the DNAME you're suggesting would need to be setup. Since they don't support that, I'm not able to implement that at this time. 
> SEE: https://community.cloudflare.com/t/dname-records-on-cloudflare/16642/4
> ...also, them not supporting it - makes me a little nervous about others not supporting it. But maybe that fear is unreasonable since it is only the "resolvers" that need this feature, not authoritative-only services? This is something that DNS caching servers like BIND have been supporting for decades, correct?

DNAME is 2 decades old (August 1999).  It came in between DNSSEC version 2 (RFC 2535, KEY/SIG/NXT) and DNSSEC version 3 (RFC 4033/4034/4035, DNSKEY/RRSIG/NSEC/DS).  DNSSEC version 3 requires validators to support DNAME.  All versions of BIND 9 have supported DNAME.  I can’t remember if we added DNAME support to BIND 8 or not.  DNSSEC version 4 added NSEC3 and is backwards compatible with DNSSEC version 3.  DNSSEC version 4 is what almost all validators support today.

> Please don't tell me that only a very recent version of BIND does this correctly. ;) That would probably kill this idea!
> POSSIBLE WORKAROUND?: So assuming that DNAME is widely supported by many DNS caching servers, old and new... I wonder if I could do something similar to what I do for my direct query service, using NS records to delegate this to another BIND DNS server that I would run on my own server - so for "example.invaluement.com" - I'd create a BIND instance on my own server hosting "example.invaluement.com" as the authoritative server for that zone, implementing the DNAME records you suggested. Then put an NS record on my Cloudflare telling the world that THIS server is the authoritative server for "example.invaluement.com" (with TTL for some hours). Do you think that would work?

Delegating to authoritative servers that support DNAME will work.

> -- 
> Rob McEwen
> https://www.invaluement.com
> +1 (478) 475-9032

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
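The workaround the thread settles on is: the parent zone at Cloudflare carries only NS records delegating example.invaluement.com, and the DNAME lives in the child zone on a server that implements it. The following is an added example, not code from the thread, from BIND or from rbldnsd: a small model of what the child zone's authoritative server has to do for a DNAME per RFC 6672 (the ancestor scan and CNAME synthesis Mark describes Cloudflare not wanting to do), including the YXDOMAIN failure when the substituted name would exceed 255 octets. The zone contents, the names ns1/old/new under example.invaluement.com and the addresses are constructed assumptions.

```python
"""DNAME redirection (RFC 6672) in a delegated child zone.

Added illustration, not code from the thread, BIND or rbldnsd.  Zone data
below is constructed; the host names and addresses are assumptions.
"""
from dataclasses import dataclass

MAX_NAME_OCTETS = 255  # RFC 1035 limit on a wire-format name


def labels(name):
    """Lowercase labels of an absolute name, most specific first, root omitted."""
    name = name.rstrip(".").lower()
    return [] if not name else name.split(".")


def wire_length(lbls):
    """Octets the name occupies on the wire: a length byte per label, the label bytes, the root's zero byte."""
    return sum(1 + len(l) for l in lbls) + 1


def is_subdomain(child, parent):
    """True if child is strictly below parent (label-wise, case-insensitive)."""
    c, p = labels(child), labels(parent)
    return len(c) > len(p) and c[len(c) - len(p):] == p


def dname_substitute(qname, owner, target):
    """Apply a DNAME owner -> target to qname (RFC 6672 section 2.2).

    Returns the substituted name, or None when qname is not strictly below
    owner (the owner itself is never redirected).  Raises ValueError("YXDOMAIN")
    when the result would not fit in 255 octets, which is the RCODE an
    authoritative server returns in that case.
    """
    if not is_subdomain(qname, owner):
        return None
    q, o, t = labels(qname), labels(owner), labels(target)
    new = q[:len(q) - len(o)] + t
    if wire_length(new) > MAX_NAME_OCTETS:
        raise ValueError("YXDOMAIN")
    return ".".join(new) + "."


@dataclass
class Zone:
    """A minimal authoritative zone: rrsets maps (owner, type) -> list of rdata."""
    origin: str
    rrsets: dict

    def lookup(self, qname, qtype, _depth=0):
        """Answer a query the way RFC 6672 section 3.2 requires of an authoritative server.

        Returns (rcode, answer) where answer is a list of (owner, type, rdata).
        With no exact match, each ancestor of qname is checked for a DNAME,
        closest first; a hit adds the DNAME RR plus a synthesized CNAME (whose
        TTL, omitted here, is the DNAME's TTL), then the lookup restarts at the
        new name if it is still inside this zone.
        """
        if _depth > 8:
            return "SERVFAIL", []  # guard against a DNAME chain looping inside the zone
        if not qname.endswith("."):
            qname += "."
        qname = qname.lower()
        exact = {t: rd for (o, t), rd in self.rrsets.items() if o == qname}
        if exact:
            if qtype in exact:
                return "NOERROR", [(qname, qtype, r) for r in exact[qtype]]
            return "NOERROR", []  # NODATA: name exists, no records of that type
        lbls = labels(qname)
        for i in range(1, len(lbls)):
            ancestor = ".".join(lbls[i:]) + "."
            dname = self.rrsets.get((ancestor, "DNAME"))
            if not dname:
                continue
            target = dname[0]
            answer = [(ancestor, "DNAME", target)]
            try:
                new = dname_substitute(qname, ancestor, target)
            except ValueError:
                return "YXDOMAIN", answer
            answer.append((qname, "CNAME", new))  # synthesized, not stored in the zone
            if is_subdomain(new, self.origin) or new == self.origin:
                rcode, more = self.lookup(new, qtype, _depth + 1)
                return rcode, answer + more
            return "NOERROR", answer  # target is elsewhere; the resolver chases the CNAME
        return "NXDOMAIN", []


def build_zone():
    """Constructed data for the delegated child zone from the thread (all records assumed)."""
    origin = "example.invaluement.com."
    return Zone(origin, {
        (origin, "NS"): ["ns1.example.invaluement.com."],
        ("ns1.example.invaluement.com.", "A"): ["192.0.2.1"],
        ("old.example.invaluement.com.", "DNAME"): ["new.example.invaluement.com."],
        ("2.0.0.127.new.example.invaluement.com.", "A"): ["127.0.0.2"],
    })


if __name__ == "__main__":
    zone = build_zone()
    for q in ("2.0.0.127.old.example.invaluement.com.",
              "old.example.invaluement.com.",
              "nope.example.invaluement.com."):
        print(q, zone.lookup(q, "A"))
```

For the setup in the thread, the parent at Cloudflare needs nothing beyond the delegation (an NS record for example.invaluement.com pointing at the assumed ns1 host, with glue); the DNAME is purely child-zone data. A resolver that does not know DNAME still gets a usable answer because the synthesized CNAME is in the response; a DNAME-aware resolver additionally caches the DNAME and performs the substitution itself for later names under the same owner.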
