List: pdns-users
Subject: Re: [Pdns-users] Recursor: Response looses AD flag if Lua script hook returns true
From: Pieter Lexis via Pdns-users <pdns-users () mailman ! powerdns ! com>
Date: 2020-03-30 9:05:33
Message-ID: 892b556c-afba-39f8-7d51-373270f8351c () powerdns ! com

Hi Simon,

On 3/28/20 5:34 PM, Simon Erhardt via Pdns-users wrote:
> We use PowerDNS Recursor to intercept certain lookups and return values
> from a database instead. Therefore we use the Lua scripting capability.
> Now we noticed that requests with DNSSEC lose the set AD flag when a
> hook in the script of the request is marked as "handled" (by returning
> "true"). I don't know if this is by design (which I can imagine), or if we
> are missing something.

Once the post-resolve hook indicated it 'took' the query (by returning
true), the recursor cannot guarantee that the answer is unaltered or no
records are inserted. This is why the recursor *always* clears the
DNSSEC validation state when a `true` is returned.

As `postresolve` is called *after* resolution and validation have already
happened, PowerDNS won't revalidate. To ensure it does not lie to the
clients, the AD bit is never set [1].

I hope this clears up the confusion.

Best regards,

Pieter

[1] https://github.com/PowerDNS/pdns/blob/dbcbb6820eab29a5da2ae51ae2321b8691fce938/pdns/pdns_recursor.cc#L1461-L1462

--
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
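
An added example, not part of the original message and not PowerDNS's own code: a `postresolve` hook that returns `true` only for answers it actually rewrites, so that, per the reply above, the DNSSEC validation state is cleared only for those answers. The `overrides` table, its names and its addresses are constructed stand-ins for the database lookup described in the thread.

```lua
-- Constructed stand-in for the database: names to intercept and the
-- address to hand out instead (documentation-range addresses).
local overrides = {
  { name = newDN("intranet.example.com"), addr = "192.0.2.10" },
  { name = newDN("portal.example.com"),   addr = "192.0.2.20" },
}

-- Return the replacement address for qname, or nil if it is not intercepted.
local function lookup(qname)
  for _, entry in ipairs(overrides) do
    if qname:equal(entry.name) then
      return entry.addr
    end
  end
  return nil
end

function postresolve(dq)
  -- Only A lookups are intercepted in this example.
  if dq.qtype ~= pdns.A then
    return false
  end

  local replacement = lookup(dq.qname)
  if replacement == nil then
    -- Not handled: the resolved answer is passed on as the recursor built it.
    return false
  end

  local records = dq:getRecords()
  local changed = false
  for _, rec in pairs(records) do
    if rec.type == pdns.A then
      rec:changeContent(replacement)
      rec.ttl = 60
      changed = true
    end
  end
  if not changed then
    return false
  end

  -- Handled: the answer was altered, so the recursor will not set AD on it.
  dq:setRecords(records)
  return true
end
```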