
Forcing DNSSEC queries


russell aspinwall

Nov 15, 2012, 5:30:20 PM11/15/12
to bind-...@lists.isc.org
Hi,

I have been using Bind for a while and last night upgraded to Bind 9.9.2 on
my OpenIndiana 151a7. I would like to be able to control my DNS queries
on Unix/Linux hosts, so that by default the client queries would only
be DNSSEC authenticated/validated. However, as DNSSEC is not completely
deployed I would need to have some control over the DNSSEC query
operation. From my research the libresolv library used is taken from a
library created by ISC.

Could libresolv be modified so that it would permit the following
directives in /etc/resolv.conf?

dnssec enable - perform only DNSSEC queries (default mode
of operation if no directive supplied)

dnssec disable - disable DNSSEC queries

dnssec warn - warn about DNSSEC queries which are not
authenticated

dnssec ignore - ignore DNSSEC queries which are not
authenticated

dnssec trust <zone> | <zone1> .... <zoneN> - trust non DNSSEC signed
(non public) internal zones only



--
Russell Aspinwall russell.aspinwall at bcs.org.uk

"Great minds discuss ideas;
Average minds discuss events;
Small minds discuss people."
Former First Lady Eleanor Roosevelt (1884-1962)

Carsten Strotmann

Nov 16, 2012, 4:01:51 AM11/16/12
to russell....@bcs.org.uk, bind-...@lists.isc.org

Hello Russell,

russell aspinwall <raspi...@willows7.myzen.co.uk> writes:
>
> Could libresolv be modified so that it would permit the following
> directives in /etc/resolv.conf.
>
> dnssec enable - perform only DNSSEC queries (default
> mode of operation if no directive supplied)
>
> dnssec disable - disable DNSSEC queries
>
> dnssec warn - warn about DNSSEC queries which are
> not authenticated
>
> dnssec ignore - ignore DNSSEC queries which are not
> authenticated
>
> dnssec trust <zone> | <zone1> .... <zoneN> - trust non DNSSEC
> signed (non public) internal zones only

The OS stub resolver (libc) does not perform DNSSEC validation. Without
DNSSEC validation, it does not make much sense to send DNSSEC (DO flag)
queries. You could install BIND as a DNSSEC validating resolver on your
clients; then you have DNSSEC validation on the client.

If you enable DNSSEC validation on the local smart resolver (the BIND
caching DNS in your network), this DNSSEC-validation-enabled smart
resolver will query for DNSSEC information and will validate the DNSSEC
information if there is a "chain of trust" towards a trust
anchor. Should the DNSSEC validation fail, all clients will be
protected, because the caching smart resolver will return only
"SERVFAIL" to the clients, but not the (possibly spoofed) DNS data.

I have seen special patched Linux resolver code that implements DNSSEC
validation in the OS smart resolver, but I'm not sure if someone has
ported that to OpenIndiana/Solaris.

See also <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=679828>
for a similar discussion.

This project might implement what you are looking for (I haven't tested
it) <https://github.com/edmonds/nss-ubdns>

The only OS to my knowledge that can be configured to ignore non
authenticated replies (AD flag missing) from a local smart resolver is
Windows 7/8. That requires an IPsec tunnel to be built between the
client and the smart resolver (done automatically in AD environments
with this configuration) to create a trusted path between the client and
the smart resolver. Also, the clients are provisioned (via GPO) with a
list of DNSSEC-signed domains that must always validate.

-- Carsten
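The two messages above describe the moving parts: the stub sends a query with the EDNS0 DO bit, a validating resolver answers with the AD flag set (or SERVFAIL when validation fails), and the policy Russell sketches in his resolv.conf directives decides what the client does with an unauthenticated answer. The following is an added example written for this page, not code from the thread, from ISC or from any libresolv; it builds such a query, classifies a reply from its header flags, and applies the proposed enable/disable/warn/ignore/trust modes. The directive semantics used here (enable accepts only AD-flagged replies, ignore drops unauthenticated ones silently, trust whitelists listed internal zones) are my reading of Russell's list, and the replies are constructed locally so the script runs offline; `fake_response`, `verdict`, `apply_policy` and the zone names are mine.

```python
"""Added example (not from the thread or from ISC): DO-bit query builder,
AD-flag verdict and a policy check mirroring the proposed resolv.conf
directives. Replies are constructed locally; nothing touches the network."""
import secrets
import struct

# Header flag bits (RFC 1035 sec. 4.1.1; AD from RFC 4035 sec. 3.2.3)
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020   # validator asserts the answer passed DNSSEC validation
RCODE_MASK = 0x000F
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3
EDNS_DO = 0x8000   # DO bit: high 16 bits of the OPT RR "TTL" (RFC 4035 sec. 3.2.1)
TYPE_OPT = 41


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels plus the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname, qtype=1, do=True, txid=None):
    """Recursive query with one EDNS0 OPT record; DO bit set when do=True."""
    if txid is None:
        txid = secrets.randbits(16)
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)  # 1 question, 1 additional
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, class = UDP payload size, TTL carries the DO bit
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO if do else 0, 0)
    return header + question + opt


def query_has_do(query):
    """True if the query carries an OPT RR with the DO bit set."""
    arcount = struct.unpack("!H", query[10:12])[0]
    if arcount == 0:
        return False
    # build_query places the single 11-byte OPT RR at the very end of the message
    name, rtype, _, ttl, _ = struct.unpack("!BHHIH", query[-11:])
    return name == 0 and rtype == TYPE_OPT and bool(ttl & EDNS_DO)


def verdict(query, response):
    """Classify a reply to `query`: 'validated', 'unvalidated' or 'servfail'."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", response[:4])
    if txid != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction id mismatch")  # not a reply to our query
    if not flags & FLAG_QR:
        raise ValueError("not a response")
    if flags & RCODE_MASK == RCODE_SERVFAIL:
        return "servfail"      # a validating resolver answers this when validation fails
    if flags & FLAG_AD:
        return "validated"     # NOERROR and NXDOMAIN (via NSEC/NSEC3) can both carry AD
    return "unvalidated"


def in_zone(qname, zone):
    q, z = qname.rstrip(".").lower(), zone.rstrip(".").lower()
    return q == z or q.endswith("." + z)


def apply_policy(mode, qname, result, trusted_zones=()):
    """Decide whether the stub accepts a reply under the proposed directives.

    Assumed semantics: enable = accept only validated replies; disable = accept
    anything; warn = accept but flag; ignore = drop unvalidated silently;
    trusted_zones = unvalidated replies are fine for listed internal zones.
    Returns (accept, note)."""
    if result == "servfail":
        return False, "SERVFAIL: no data (validation failed or upstream error)"
    if result == "validated" or mode == "disable":
        return True, "ok"
    if any(in_zone(qname, z) for z in trusted_zones):
        return True, "unvalidated, but %s is in a trusted internal zone" % qname
    if mode == "enable":
        return False, "rejected: %s not authenticated" % qname
    if mode == "warn":
        return True, "warning: %s not authenticated" % qname
    if mode == "ignore":
        return False, "ignored: %s not authenticated" % qname
    raise ValueError("unknown mode %r" % mode)


def fake_response(query, ad=False, rcode=RCODE_NOERROR):
    """Constructed reply for the example: same id and question, QR set, no RRs."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0) | rcode
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:-11]


if __name__ == "__main__":
    q = build_query("www.example.com")
    for label, r in (("validated", fake_response(q, ad=True)),
                     ("unvalidated", fake_response(q)),
                     ("servfail", fake_response(q, rcode=RCODE_SERVFAIL))):
        v = verdict(q, r)
        print(label, v, apply_policy("enable", "www.example.com", v, ("corp.internal",)))
```

Against a real resolver the same check is `dig +dnssec www.example.com` and looking for `ad` in the `flags:` line; on the BIND side the matching setting is `dnssec-validation auto;` in the `options` block. The caveat Carsten raises applies to this code as much as to any stub: the AD bit is just a header flag, so an attacker who can spoof replies on the path between client and resolver can set it too. Trusting AD only makes sense over a path you already trust (loopback to a local validating BIND, or an IPsec-protected path as in the Windows setup he describes).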