
RPZ breaks DNSSEC signed landing page redirect


Daniel Stirnimann

Dec 23, 2016, 5:33:36 AM
to Bind Users
Hi all,

We use RPZ to block malicious domain names. Specifically, we redirect to
a landing page. Our landing page (landingpage.ph.rpz.switch.ch) is
DNSSEC signed. However, if I get an RPZ response from our validating DNS
resolver it omits any RRSIG. Example:

dig @<resolver> www.oyubaimai[.]top +dnssec

; <<>> DiG 9.11.0rc1 <<>> @<resolver> www.oyubaimai[.]top +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52312
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 4442932ac258891044299f27585cf4bf66cb7f09a55cc096 (good)
;; QUESTION SECTION:
;www.oyubaimai[.]top. IN A

;; ANSWER SECTION:
www.oyubaimai[.]top. 5 IN CNAME landingpage.ph.rpz.switch.ch.
landingpage.ph.rpz.switch.ch. 86400 IN A 130.59.118.29

;; AUTHORITY SECTION:
switch.ch. 3463 IN NS nsa-p.dnsnode.net.
switch.ch. 3463 IN NS ns2.switch.ch.
switch.ch. 3463 IN NS scsnms.switch.ch.

;; ADDITIONAL SECTION:
ns2.switch.ch. 3463 IN AAAA 2001:620:0:ff::2f
scsnms.switch.ch. 3463 IN AAAA 2001:620:0:ff::a7
ns2.switch.ch. 3463 IN A 130.59.31.29
scsnms.switch.ch. 3463 IN A 130.59.31.26

Note, our BIND RPZ configuration does not use "break-dnssec yes" (it
does not matter in this case). www.oyubaimai[.]top is not DNSSEC signed.
landingpage.ph.rpz.switch.ch is DNSSEC signed.

Our DNS resolvers are not only used by stub resolvers but by DNS
resolvers using DNS forwarding as well. I wonder what happens if DNS
forwarding resolvers do DNSSEC validation? It looks like they would
return SERVFAIL to the user as the RPZ response omits any RRSIG for the
landing page.

Is this a BIND bug or a side effect of RPZ? As a workaround, I could
leave rpz.switch.ch unsigned to work around this problem.

Daniel
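One way to check a forwarding path for exactly this failure, as an added example that is not part of the original post or of BIND: a small Python script that parses `dig +dnssec` text output, groups the ANSWER section into RRsets, and reports every RRset that arrives without a covering RRSIG. The two sample responses embedded in it are constructed, modelled on the output above, with hypothetical names (blocked.example, landingpage.rpz.example) and a dummy RRSIG; the function names are this example's own.

```python
"""Check a `dig +dnssec` answer for RRsets that arrive without an RRSIG.

Added example, not code from the original thread or from BIND. It parses the
text output of `dig ... +dnssec`, groups the ANSWER section into RRsets keyed
by (owner, type), and reports the RRsets that have no covering RRSIG. A
validating forwarder that receives such an answer for a DNSSEC-signed name
has nothing to validate and returns SERVFAIL, which is the failure mode the
thread describes for a signed RPZ landing page.
"""
import re

# owner TTL IN TYPE RDATA   (dig separates the fields with tabs or spaces)
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


def parse_answer_section(dig_output):
    """Return [(owner, ttl, rtype, rdata), ...] from the ANSWER section."""
    records = []
    in_answer = False
    for raw in dig_output.splitlines():
        line = raw.strip()
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if not in_answer:
            continue
        if not line:  # a blank line terminates the section
            break
        m = RR_LINE.match(line)
        if m:
            owner, ttl, rtype, rdata = m.groups()
            records.append((owner.lower(), int(ttl), rtype, rdata))
    return records


def unsigned_rrsets(records):
    """Return sorted (owner, rtype) pairs with no RRSIG covering that type."""
    rrsets, covered = set(), set()
    for owner, _ttl, rtype, rdata in records:
        if rtype == "RRSIG":
            # first rdata field of an RRSIG is the type it covers
            covered.add((owner, rdata.split()[0]))
        else:
            rrsets.add((owner, rtype))
    return sorted(rrsets - covered)


def rpz_landing_page_unsigned(records):
    """Names that are CNAME targets in the answer and whose A/AAAA RRset has
    no RRSIG. The RPZ CNAME itself is synthesized by the resolver and is
    never signed, so it is deliberately ignored; the A/AAAA of the landing
    page is what a validating forwarder would try (and fail) to validate."""
    targets = {rdata.lower() for _o, _t, rtype, rdata in records if rtype == "CNAME"}
    return sorted({owner for owner, rtype in unsigned_rrsets(records)
                   if owner in targets and rtype in ("A", "AAAA")})


# Constructed sample modelled on the thread's dig output: an RPZ redirect of a
# blocked name to a landing page, with no RRSIG anywhere in the answer.
# "blocked.example" and "landingpage.rpz.example" are hypothetical names.
SAMPLE_RPZ_REDIRECT = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;blocked.example.\t\tIN\tA

;; ANSWER SECTION:
blocked.example.\t5\tIN\tCNAME\tlandingpage.rpz.example.
landingpage.rpz.example.\t86400\tIN\tA\t192.0.2.29

;; AUTHORITY SECTION:
rpz.example.\t3463\tIN\tNS\tns1.rpz.example.
"""

# Constructed sample of a direct, non-RPZ lookup of the signed landing page:
# the A RRset is accompanied by its RRSIG. The signature field is dummy data.
SAMPLE_SIGNED_LANDING = """\
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
landingpage.rpz.example.\t86400\tIN\tA\t192.0.2.29
landingpage.rpz.example.\t86400\tIN\tRRSIG\tA 13 3 86400 20170122000000 20161223000000 12345 rpz.example. c29tZWR1bW15c2lnbmF0dXJl

"""

if __name__ == "__main__":
    for label, sample in (("RPZ redirect", SAMPLE_RPZ_REDIRECT),
                          ("direct lookup", SAMPLE_SIGNED_LANDING)):
        recs = parse_answer_section(sample)
        print(label, "unsigned RRsets:", unsigned_rrsets(recs))
        print(label, "landing page without RRSIG:", rpz_landing_page_unsigned(recs))
```

Run against real output by piping `dig @<resolver> <name> +dnssec` into `parse_answer_section`; a non-empty result from `rpz_landing_page_unsigned` is the case in which a downstream validating forwarder will answer SERVFAIL.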

Daniel Stirnimann

Dec 29, 2016, 7:39:45 AM
to Bind Users

> Our DNS resolvers are not only used by stub resolvers but by DNS
> resolvers using DNS forwarding as well. I wonder what happens if DNS
> forwarding resolvers do DNSSEC validation? It looks like they would
> return SERVFAIL to the user as the RPZ response omits any RRSIG for the
> landing page.

I tested this out. BIND returns SERVFAIL to the stub resolver.

I also checked out PowerDNS Recursor 4 with RPZ. PowerDNS Recursor 4
returns just the CNAME to the landing page. No A/AAAA record. Thus, the
forwarding DNS resolver needs to do an additional lookup of the CNAME
hostname which succeeds with RRSIGs returned. So, PowerDNS does not
break a DNSSEC signed landing page hostname.

I also tested out Knot Resolver 1.1.1. Knot Resolver does not currently
support CNAME responses in RPZ. One has to provide an A/AAAA record if
redirection to a landing page is wanted. So, Knot Resolver does not
suffer from this problem either.

My conclusion is that one should not DNSSEC sign the landing page if you
utilize DNS RPZ with BIND.

Daniel