  • #997

Closed
Created Apr 24, 2019 by Michał Kępień (@michal, Owner)

NTAs do not work with "forward only;" to a validating resolver

If named is configured to perform DNSSEC validation and also forwards all queries (forward only;) to validating resolvers, negative trust anchors do not work properly because the CD bit is not set in queries sent to the forwarders. As a result, instead of retrieving bogus DNSSEC material and making validation decisions based on its configuration, named is only receiving SERVFAIL responses to queries for bogus data.

To reproduce the issue:

  1. Configure a named instance with forward only; forwarders { 2620:ff:c000:0:1::64:20; }; (OARC Validating Resolver)
  2. Add an NTA for dnssec-failed.org: rndc nta dnssec-failed.org.
  3. Send a query for bogus data: dig @localhost dnssec-failed.org. - it will SERVFAIL instead of returning an insecure response
Edited Apr 24, 2019 by Michał Kępień
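
An added example, not part of the original issue or of BIND's code: a Python check of the CD bit in the header of a resolver-to-forwarder query, as it would appear in a packet capture, paired with the forwarder's response code. The messages are constructed samples, and the function names and return labels are assumptions of this example.

```python
import struct

# DNS header flag masks (header layout: RFC 1035 section 4.1.1; CD bit: RFC 4035)
QR, RD, CD = 0x8000, 0x0100, 0x0010
SERVFAIL = 2

def build_query(name, cd, qid=0x1234, qtype=1):
    """Constructed sample query; stands in for a packet captured on the wire."""
    header = struct.pack("!HHHHHH", qid, RD | (CD if cd else 0), 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def build_response(query, rcode):
    """Constructed sample response: the same message with QR set and an RCODE."""
    qid, flags = struct.unpack("!HH", query[:4])
    return struct.pack("!HH", qid, flags | QR | rcode) + query[4:]

def parse_header(msg):
    """Decode the header fields this check needs from raw DNS message bytes."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    qid, flags = struct.unpack("!HH", msg[:4])
    return {"id": qid, "qr": bool(flags & QR), "cd": bool(flags & CD),
            "rcode": flags & 0x000F}

def diagnose(query, response):
    """Classify one resolver-to-forwarder exchange."""
    q, r = parse_header(query), parse_header(response)
    if q["qr"] or not r["qr"] or q["id"] != r["id"]:
        raise ValueError("not a matching query/response pair")
    if r["rcode"] == SERVFAIL and not q["cd"]:
        # The forwarder validated; no DNSSEC material reached the resolver,
        # so a negative trust anchor configured there has nothing to act on.
        return "forwarder-validated"
    if q["cd"]:
        # Checking disabled: the validation decision stays with the resolver.
        return "checking-disabled"
    return "no-validation-failure"

if __name__ == "__main__":
    for cd in (False, True):
        q = build_query("dnssec-failed.org.", cd)
        r = build_response(q, 0 if cd else SERVFAIL)
        print(f"CD={int(cd)} ->", diagnose(q, r))
```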