Skip to content

synth-from-dnssec might prevent resolution of grafted (non-delegated) namespaces

Summary

This is all about setup where delegation chain is incomplete and named.conf is configured to "graft" a domain without delegation.

Example setup:

  • public root zone does not have delegation for internal
  • named.conf contains forwarding or stub zone for test.internal

BIND version used

Steps to reproduce

  1. Configure graft:
options {
	validate-except { internal; };
	synth-from-dnssec yes;
};

zone test.internal {
	type forward;
	forwarders { 192.0.2.1; };
	forward only;
};
  1. Query for internal2 to populate cache with proof-of-nonexistence from the root zone:
# dig internal2
  1. Query for a name inside the grafted domain:
# dig bla.test.internal

What is the current behavior?

Synthesized NXDOMAIN, based on proof from the root:

;; AUTHORITY SECTION:
.			86399	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2022061400 1800 900 604800 86400

What is the expected (not necessarily correct!) behavior?

A customer was surprised by this after upgrade from v9.16 to v9.18. Technically this is incorrect configuration and qualifies as squatting on a ICANN namespace, but it might not be as rare as we would wish.

Relevant configuration files

Tested variants with the same result:

  • validate-except { test.internal; };
  • static-stub zone for test.internal
  • primary zone for internal + forward zone for test.internal without delegation
  • primary zone for internal + forward zone for test.internal with a "fake" delegation from internal. to test.internal - this surprised me
  • primary zone for internal + static-stub zone for test.internal with a "fake" delegation from internal. to test.internal - this surprised me (empty.db named.conf)

Possible approaches

We need to discuss what's the best approach to this protocol-wise invalid configuration. Variants I came up with:

  • Leave it as it is and let users suffer consequences of non-compliant configurations.
  • Except zones listed in validate-except also from synth-from-dnssec.
  • Introduce a new knob for exceptions, like synth-from-dnssec-except.
  • Ignore proofs of nonexistence from parent zones for explicitly configured zones (does not include type forward because it's not in the zone table)
  • Ignore proofs of nonexistence from parent zones for explicitly configured grafts (includes local zones + the forward table)
Edited by Michał Kępień
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information