Allow response with AD bit in resolver

J Carter jordanc.carter at outlook.com
Sun Jun 16 23:21:27 UTC 2024


Hello,

On Sun, 16 Jun 2024 10:07:28 +0100
Kirill A. Korinsky <kirill at korins.ky> wrote:

> On Sun, 16 Jun 2024 02:45:15 +0100,
> J Carter <jordanc.carter at outlook.com> wrote:
> > 
> > Sounds familiar :)
> > 
> > https://mailman.nginx.org/pipermail/nginx-devel/2022-May/YQ3MYP4VNQYWEJS3XYLPMU4HZUKS4PYF.html
> 
> Unfortunately, the AD bit is set by the libunbound-based resolver when it is
> configured to use an upstream forwarder that also supports security.
> 
> My guess is that unbound uses itself as a DNS client in this case and sets such
> a bit in the request to the upstream.
> 
> Probably it can be fixed in unbound / libunbound, but such behavior exists
> right now and affects many different devices...
> 
> Thus, RFC 6840 suggested setting such a bit when a request has one, but did not
> require it, which means that the current logic of libunbound is RFC compliant, and
> nginx is violating it by rejecting such a request.
> 

Well *I* quite agree.

I would also suggest that as DNS functionality in nginx is strictly
limited to resolving as a client in quite a simplistic fashion, and nginx
does not support DNSSEC, it makes little sense to be hyper-strict about
the DNSSEC extension bits in general, regardless of what is written in
the RFCs.

Perhaps it would be better if the patch linked to in my previous
response was bumped and reconsidered over your patch, as that would also
ignore an incorrectly set CD bit in addition to ignoring the AD bit, which
also appears to be a common issue with certain recursive resolvers.
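To make the header-flag question in this thread concrete, here is an added example (not nginx's resolver code, and not code from anyone in the thread) that parses the 12-byte DNS header and applies two response-acceptance policies to constructed sample messages: a strict one that rejects any response carrying the AD or CD bit, and a lenient one that ignores both bits but still enforces the checks that actually matter for a non-validating stub resolver (transaction ID match, QR set, RCODE zero). All function and constant names, and the sample byte strings, are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DNS_HEADER_LEN 12

/* Flag bits in the second 16-bit word of the DNS header (RFC 1035 layout;
 * AD and CD occupy the two bits just above RCODE, per RFC 4035). */
#define DNS_FLAG_QR    0x8000  /* 1 = response, 0 = query */
#define DNS_FLAG_AD    0x0020  /* Authentic Data */
#define DNS_FLAG_CD    0x0010  /* Checking Disabled */
#define DNS_RCODE_MASK 0x000F

enum dns_verdict {
    DNS_OK = 0,
    DNS_TOO_SHORT,
    DNS_ID_MISMATCH,
    DNS_NOT_RESPONSE,
    DNS_RCODE_ERROR,
    DNS_DNSSEC_BITS_SET
};

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Checks shared by both policies: length, ID match (the anti-spoofing check
 * a stub resolver must never relax), QR set, and RCODE == 0. */
static enum dns_verdict check_common(const uint8_t *msg, size_t len,
                                     uint16_t expected_id, uint16_t *flags_out)
{
    uint16_t flags;

    if (len < DNS_HEADER_LEN) return DNS_TOO_SHORT;
    if (rd16(msg) != expected_id) return DNS_ID_MISMATCH;
    flags = rd16(msg + 2);
    if (!(flags & DNS_FLAG_QR)) return DNS_NOT_RESPONSE;
    if ((flags & DNS_RCODE_MASK) != 0) return DNS_RCODE_ERROR;
    *flags_out = flags;
    return DNS_OK;
}

/* Strict policy: a non-DNSSEC client that refuses anything with AD or CD set. */
enum dns_verdict check_response_strict(const uint8_t *msg, size_t len,
                                       uint16_t expected_id)
{
    uint16_t flags = 0;
    enum dns_verdict v = check_common(msg, len, expected_id, &flags);

    if (v != DNS_OK) return v;
    if (flags & (DNS_FLAG_AD | DNS_FLAG_CD)) return DNS_DNSSEC_BITS_SET;
    return DNS_OK;
}

/* Lenient policy: AD and CD are ignored entirely; everything else still applies. */
enum dns_verdict check_response_lenient(const uint8_t *msg, size_t len,
                                        uint16_t expected_id)
{
    uint16_t flags = 0;
    return check_common(msg, len, expected_id, &flags);
}

/* Constructed sample headers (ID 0x1234, one question, one answer). */
static const uint8_t resp_plain[DNS_HEADER_LEN] = {
    0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00 };
static const uint8_t resp_ad[DNS_HEADER_LEN] = {   /* QR RD RA AD */
    0x12, 0x34, 0x81, 0xA0, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00 };
static const uint8_t resp_cd[DNS_HEADER_LEN] = {   /* QR RD RA CD */
    0x12, 0x34, 0x81, 0x90, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00 };
static const uint8_t query_only[DNS_HEADER_LEN] = { /* QR clear: a query */
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };

int main(void)
{
    printf("strict  AD: %d  CD: %d  plain: %d\n",
           check_response_strict(resp_ad, sizeof resp_ad, 0x1234),
           check_response_strict(resp_cd, sizeof resp_cd, 0x1234),
           check_response_strict(resp_plain, sizeof resp_plain, 0x1234));
    printf("lenient AD: %d  CD: %d  query: %d\n",
           check_response_lenient(resp_ad, sizeof resp_ad, 0x1234),
           check_response_lenient(resp_cd, sizeof resp_cd, 0x1234),
           check_response_lenient(query_only, sizeof query_only, 0x1234));
    return 0;
}
```

The point of the split is that ignoring AD and CD costs a non-validating client nothing (it never trusted those bits anyway), while the ID, QR and RCODE checks in `check_common` are what protect against mismatched or spoofed replies and stay in force under both policies.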

