[PATCH] Resolver: relax validation of response flags to allow AD and CD
mdounin at mdounin.ru
Sun May 1 15:37:40 UTC 2022
On Sun, May 01, 2022 at 06:45:32AM +0000, Aleksei Bavshin via nginx-devel wrote:
> A correct nameserver implementation should not be sending any of these flags to a non-security aware client. CD must be copied from a query to the corresponding response, and AD must only be set if all the RRsets are authentic and DO or AD were present in the query. The behavior was allowed in the early DNSSEC standards, though, and the prohibition in the RFC is not strict. The change is, in fact, motivated by a report about some DNS server passing CD in a response to the nginx resolver.
> There's a valid concern that CD may mean that the upstream nameserver did not check the response signatures and passed the answer as is. There's nothing we can do with such a nameserver from the nginx side, though - we can't prevent it from sending unexpected or unchecked responses. And there's already an error message if an RRSIG record makes it to the answer we receive:
> 2022/04/28 17:34:10 [error] 27847#27847: unexpected RR type 46 in DNS response
> # HG changeset patch
> # User Aleksei Bavshin <a.bavshin at f5.com>
> # Date 1651176054 25200
> # Thu Apr 28 13:00:54 2022 -0700
> # Node ID 5a570e610b375d1f3442a5b0fc1844be3909d103
> # Parent a736a7a613ea6e182ff86fbadcb98bb0f8891c0b
> Resolver: relax validation of response flags to allow AD and CD
> The check introduced in aebdca7e8f8f was using the reserved must-be-zero bits
> definition from RFC1035. Later RFCs for DNS Security Extensions (4035 & 6840)
> allocated AD and CD from these reserved bits.
> It's said that AD and CD SHOULD only appear in the reply for a query from
> a security aware resolver, but that is not a strict prohibition, and it was
> not included in the early set of DNSSEC RFCs. We may encounter these bits in
> a reply when the upstream nameserver implements pre-RFC4035 (with RFC6840
> clarifications) standard or uses overly aggressive caching.
Thank you for the patch.
Quoting RFC 4035, section 3:
... The CD bit
is controlled by resolvers; a security-aware name server MUST copy
the CD bit from a query into the corresponding response.
That is, a response with the CD bit set is strictly prohibited by RFC 4035
unless it was set by the resolver, i.e., nginx.
Similarly, presence of the AD bit, while not strictly prohibited
by RFC 6840 (which only says "SHOULD only set the AD bit" when
talking to a security-aware resolver), is a clear violation of RFC
1035. If it appears in the response, this indicates that the DNS
server is not expected to be used with non-security-aware
resolvers, such as the one in nginx.
Summing the above, unless there are practical reasons for the
change, a better approach might be to fix affected DNS servers, if
any, or switch to using more interoperable DNS servers with nginx.
Hope this helps.
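As an added illustration that is not part of the patch or of either message above, the C below lays out the header flag bits the discussion turns on (the RFC 1035 three-bit reserved field versus the RFC 4035 Z/AD/CD split) and a response check in the spirit of the reply: Z must still be zero, and CD must mirror what the query carried. The sample header bytes are constructed for the example.

```c
#include <stdint.h>

/* DNS header flags word (RFC 1035 s4.1.1, bit names per RFC 4035 s3.1.6):
 *  15 QR | 14..11 Opcode | 10 AA | 9 TC | 8 RD | 7 RA | 6 Z | 5 AD | 4 CD | 3..0 RCODE
 * RFC 1035 defined bits 6..4 as one reserved "Z" field that must be zero;
 * RFC 4035 reallocated bit 5 as AD and bit 4 as CD. */
#define DNS_F_QR        0x8000
#define DNS_F_Z         0x0040  /* the single bit still reserved after RFC 4035 */
#define DNS_F_AD        0x0020
#define DNS_F_CD        0x0010
#define DNS_F_Z_RFC1035 0x0070  /* the old 3-bit reserved field, bits 6..4 */

enum flag_check { FLAGS_OK = 0, FLAGS_NOT_RESPONSE, FLAGS_Z_SET, FLAGS_CD_MISMATCH };

/* Read the big-endian 16-bit flags word from bytes 2..3 of a raw DNS message. */
uint16_t dns_flags(const uint8_t *msg)
{
    return (uint16_t)((msg[2] << 8) | msg[3]);
}

/* Strict RFC 1035 reading: any of bits 6..4 set rejects the response. This is
 * the behaviour the commit message describes relaxing; it rejects a reply
 * carrying AD or CD even though RFC 4035 allocated those bits. */
int flags_ok_rfc1035(uint16_t flags)
{
    return (flags & DNS_F_Z_RFC1035) == 0;
}

/* RFC 4035 reading plus the point made in the reply: Z must be zero, and the
 * server MUST copy CD from the query, so a CD that we did not send is a
 * protocol violation. AD is tolerated; a non-validating client must not treat
 * it as evidence that the data was verified. */
enum flag_check check_response_flags(uint16_t query_flags, uint16_t resp_flags)
{
    if (!(resp_flags & DNS_F_QR)) {
        return FLAGS_NOT_RESPONSE;
    }
    if (resp_flags & DNS_F_Z) {
        return FLAGS_Z_SET;
    }
    if ((resp_flags & DNS_F_CD) != (query_flags & DNS_F_CD)) {
        return FLAGS_CD_MISMATCH;
    }
    return FLAGS_OK;
}

/* Constructed sample: ID 0x1234, flags QR|RD|RA|AD (0x81a0), 1 question, 1 answer. */
static const uint8_t sample_response_ad[12] = {
    0x12, 0x34, 0x81, 0xa0, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00
};
```

Under the RFC 1035 reading the constructed response is rejected for the AD bit alone; under the RFC 4035 check it passes, while a response that sets CD for a query sent without CD is flagged.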