Allow response with AD bit in resolver

Kirill A. Korinsky kirill at
Mon Jun 17 09:22:24 UTC 2024

On Mon, 17 Jun 2024 00:21:27 +0100,
J Carter <jordanc.carter at> wrote:
> Well *I* quite agree.
> I would also suggest that as DNS functionality in nginx is strictly
> limited to resolving as client in quite a simplistic fashion, and nginx
> does not support DNSSEC, it makes little sense to be hyper-strict about
> the DNSSEC extension bits in general regardless of what is written in
> the RFCs.
> Perhaps it would be better if the patch linked to in my previous
> response was bumped and reconsidered over your patch, as that would also
> ignore incorrectly set CD bit in addition to ignoring AD bit, which
> also appears to be a common issue with certain recursive resolvers.

Well, the CD bit means that this response contains a response that fails
DNSSEC, but for some reason was sent back.

I've checked unbound and it returns SERVFAIL in such a case, or with no CD bit
enabled if DNSSEC validation is off.

Also, I've checked OpenBSD's unwind, which is libunbound-based, which has
the accept bogus option for forwarder to tolerate invalid DNSSEC.

Finally, I've tested a random WiFi router running dnsmasq (confirmed by
fpdns) and it also returns SERVFAIL with broken DNSSEC.

Do you have an example of a zone and resolver that will set the CD bit?

wbr, Kirill
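The header bits under discussion, as an added example that is not part of this thread or of nginx's resolver code: a small Python parser for the 12-byte DNS header and a stub-resolver acceptance policy that ignores AD (the upstream's "I validated this" assertion means nothing to a client that does no DNSSEC itself) and treats CD as a configurable rejection. The sample headers are constructed; the function names are mine.

```python
import struct

# DNS header flag bits: RFC 1035 section 4.1.1 layout, AD/CD added by RFC 4035.
QR, AA, TC, RD, RA, Z, AD, CD = (1 << 15, 1 << 10, 1 << 9, 1 << 8,
                                 1 << 7, 1 << 6, 1 << 5, 1 << 4)
SERVFAIL = 2  # RCODE value


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into its fields and flag bits."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident, "qr": bool(flags & QR), "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & AA), "tc": bool(flags & TC), "rd": bool(flags & RD),
        "ra": bool(flags & RA), "z": bool(flags & Z),
        "ad": bool(flags & AD), "cd": bool(flags & CD), "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify_response(msg: bytes, tolerate_cd: bool = False) -> str:
    """Decide whether a non-DNSSEC stub resolver should use this response.

    AD is never checked: it only tells a validating client that the upstream
    validated the data.  CD is copied by the upstream from the query, so a
    client that never sets it has no reason to see it; by default that is
    reported, but tolerate_cd=True ignores it as well.
    """
    h = parse_header(msg)
    if not h["qr"]:
        return "reject: not a response"
    if h["rcode"] != 0:
        return f"reject: rcode {h['rcode']}"
    if h["cd"] and not tolerate_cd:
        return "reject: CD bit set"
    return "accept"  # AD set or clear makes no difference here


def build_header(ident: int, flags: int, qd: int = 1, an: int = 1) -> bytes:
    """Pack a header only; no question/answer sections are needed for the flag check."""
    return struct.pack("!HHHHHH", ident, flags, qd, an, 0, 0)


# Constructed sample headers, not captured traffic.
RESPONSE_AD = build_header(0x1234, QR | RD | RA | AD)        # upstream validated
RESPONSE_CD = build_header(0x1234, QR | RD | RA | CD)        # CD echoed back
RESPONSE_SERVFAIL = build_header(0x1234, QR | RD | RA | SERVFAIL)
```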
