BIND
ISC Open Source Projects / BIND / Issues / #997

Closed
Created Apr 24, 2019 by Michał Kępień (@michal, Maintainer)

NTAs do not work with "forward only;" to a validating resolver

If named is configured to perform DNSSEC validation and also forwards all queries (forward only;) to validating resolvers, negative trust anchors do not work properly because the CD bit is not set in queries sent to the forwarders. As a result, instead of retrieving bogus DNSSEC material and making validation decisions based on its configuration, named is only receiving SERVFAIL responses to queries for bogus data.

To reproduce the issue:

  1. Configure a named instance with forward only; forwarders { 2620:ff:c000:0:1::64:20; }; (OARC Validating Resolver)
  2. Add an NTA for dnssec-failed.org: rndc nta dnssec-failed.org.
  3. Send a query for bogus data: dig @localhost dnssec-failed.org. - it will SERVFAIL instead of returning an insecure response
Edited Apr 24, 2019 by Michał Kępień
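The interaction described in the report, as an added example that is not part of the original issue or of BIND: a pure-Python model of the DNS header bits involved (CD, AD, RCODE) showing why a forwarded query without CD set never lets the local NTA take effect. The forwarder model, the sample names and the responses are constructed for illustration.

```python
"""Model of how the CD bit decides who validates when a validating named
forwards to a validating resolver. Added example, not BIND code; wire layout
follows RFC 1035/4035. Responses are constructed, not captured."""
import struct

CD_BIT = 0x0010        # Checking Disabled: forwarder returns data unvalidated
AD_BIT = 0x0020        # Authentic Data
RCODE_SERVFAIL = 2


def build_query(name: str, qid: int = 0x1234, cd: bool = False) -> bytes:
    """Wire-format A/IN query; RD is always set, CD only when asked for."""
    flags = 0x0100 | (CD_BIT if cd else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def flags_of(msg: bytes) -> dict:
    """Decode the header bits that matter for this issue."""
    (flags,) = struct.unpack("!H", msg[2:4])
    return {"cd": bool(flags & CD_BIT), "ad": bool(flags & AD_BIT),
            "rcode": flags & 0x000F}


def forwarder_reply(query: bytes, zone_is_bogus: bool) -> bytes:
    """Constructed validating forwarder: bogus data is SERVFAIL unless CD=1."""
    qid, qflags = struct.unpack("!HH", query[:4])
    rflags = 0x8080 | (qflags & (0x0100 | CD_BIT))   # QR + RA, echo RD and CD
    if zone_is_bogus and not (qflags & CD_BIT):
        rflags |= RCODE_SERVFAIL
    elif not zone_is_bogus:
        rflags |= AD_BIT
    return struct.pack("!HHHHHH", qid, rflags, 0, 0, 0, 0)   # header only


def covered_by_nta(name: str, ntas: set) -> bool:
    labels = name.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in ntas for i in range(len(labels)))


def resolve(name: str, ntas: set, zone_is_bogus: bool, set_cd: bool) -> str:
    """What a client of the forwarding validator ends up seeing."""
    reply = forwarder_reply(build_query(name, cd=set_cd), zone_is_bogus)
    if flags_of(reply)["rcode"] == RCODE_SERVFAIL:
        return "SERVFAIL from forwarder"   # the bug: NTA never gets a say
    if covered_by_nta(name, ntas):
        return "insecure"                  # NTA applies, data returned, AD clear
    return "SERVFAIL after local validation" if zone_is_bogus else "secure"
```

With `set_cd=False` the model reproduces step 3 of the report; with `set_cd=True` the forwarder hands back the bogus material and the NTA yields an insecure answer.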