[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bind-users
Subject:    Re: Value of a DNSSEC validating resolver
From:       Mark Andrews <marka () isc ! org>
Date:       2024-02-12 6:00:49
Message-ID: BDEAA0FD-1314-4B31-9D95-FB8F0E833156 () isc ! org
[Download RAW message or body]



> On 9 Feb 2024, at 21:40, Petr Menšík <pemensik@redhat.com> wrote:
> 
> Hello Mark,
> 
> allow me here to correct your statement. We spent in Red Hat some time thinking and \
> testing validating clients. Validating resolver is *not* necessary for validating \
> clients to work. They are better and recommended, but not always necessary. 
> What is required is dnssec (security) awareness. Meaning that resolver will fetch \
> signatures for all queries with do=1 bit set. For example even dnsmasq in default \
> configuration will forward DNSSEC signatures to all DNSSEC enabled queries. Also in \
> cases dnssec validation is not enabled in it. It is not strictly required fetching \
> them for do=0 queries. 
> For example our office resolvers do not have validation enabled. But they allow any \
> clients using dnssec-trigger to validate all queries themselves. And that works for \
> majority of existing DNS caches. 
> What is required from bind9 is to have dnssec-enabled yes; That was default even in \
> 9.11 and this is the last version, where it is possible to change it to \
> dnssec-enabled no; Since 9.16 it is not possible to configure it that way. In this \
> case any validating client, be it end station or dns forwarder, will fail all \
> queries sent to it. Clients can validate regardless dnssec-validation value is \
> used, but they need do=1 answers to their do=1 queries. 
> Following chain of forwarders will still deliver non-bogus answers only. fwd means \
> forwarder only, not using root hints. 
> [root-servers]---[non-validating iterative]----[non-validating fwd]---[validating \
> fwd]--->(secure or unsigned answers only) 
> Validating client can refuse answer to dnssec-failed.org, even if the recursive \
> forwarder it is using did not check its validity. If it sends you do=1 enabled \
> answers, that is enough. You have to compute your own SERVFAIL result, which \
> validating upstream forwarder could have sent you straight away. That that is the \
> beauty of DNSSEC. Not everyone in the chain needs to be doing crypto operations. \
> But everyone in the chain can, as long as crypto records are included. 
> delv +vtrace or unbound-host -rvD commands work even on non-validating, but \
> security aware resolvers. 
> And to answer original question. You store in cache only valuable records, not \
> bogus garbage. Having cache filled also with signatures makes validation of your \
> clients much faster, just RTT between you is used, even when they validate.

Your diagram has a "non-validating iterative".  How does that machine meet the \
requirement of "You store in cache only valuable records, not bogus garbage." if it \
does not validate?  Sure this chain will appear to work until it doesn't.  All it \
requires is 1 "bad answer" to be learnt by that first server and responses that \
should succeed, won't.

If you change the chain to

[auth-servers]---[validating iterative]----[non-validating fwd]---[validating \
fwd]--->(secure or unsigned answers only)

and have secure paths to the right of the "validating iterative" things will work.  \
The "validating iterative" server is supposed to discard bogus responses which allows \
it to filter out the garbage.  If you then say always set "CD=1" the validating \
intermediaries stop preforming that role which is why I objected to that being \
specified.

Setup 3 auth servers with signature that have a validity interval of 2 weeks, one of \
which has up to date signatures and 2 that have out of date signatures.  This is the \
sort of thing that happens out there by accident, e.g. unnoticed zone transfers \
failing and the zone has not yet expired.  Try looking up multiple answers from that \
zone with your configuration and then with mine.  

> Regards,
> Petr
> 
> On 12/1/23 22:40, Mark Andrews wrote:
> > A validating resolver is a prerequisite for validating clients to work. Clients \
> > don't have direct access to the authoritative servers so the can't retrieve good \
> > answers if the recursive servers don't filter out the bad answers. 
> > Think of a recursive server as a town water treatment plant. You could filter and \
> > treat at every house and sometimes you still do like boiling water for baby \
> > formula but on the most part what you get out of it is good enough for \
> > consumption as is. 
> > -- 
> > Mark Andrews
> > 
> > > On 2 Dec 2023, at 08:14, John Thurston <john.thurston@alaska.gov> wrote:
> > > 
> > > 
> > > 
> > > At first glance, the concept of a validating resolver seemed like a good idea. \
> > > But in practice, it is turning out to be a hassle. 
> > > I'm starting to think, "If my clients want their answers validated, they should \
> > > do it." If they *really* care about the quality of the answers they get, why \
> > > should my clients be trusting *me* to validate them? 
> > > Can someone make a good case to me for continuing to perform DNSSEC validation \
> > > on my central resolvers? 
> > > -- 
> > > --
> > > Do things because you should, not just because you can.
> > > 
> > > John Thurston    907-465-8591
> > > John.Thurston@alaska.gov
> > > Department of Administration
> > > State of Alaska
> 
> -- 
> Petr Menšík
> Software Engineer, RHEL
> Red Hat, https://www.redhat.com/
> PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
> 
> <OpenPGP_0x4931CA5B6C9FC5CB.asc>-- 
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this \
> list 
> ISC funds the development of this software with paid support subscriptions. Contact \
> us at https://www.isc.org/contact/ for more information. 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users


-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact \
us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic