Previous Message Next Message
Forum List Message List New Topic Print View
Maxim Dounin
May 01, 2022 11:38AM
Hello!

On Sun, May 01, 2022 at 06:45:32AM +0000, Aleksei Bavshin via nginx-devel wrote:

> A correct nameserver implementation should not be sending any of these flags to a non-security aware client. CD must be copied from a query to the corresponding response, and AD must only be set if all the RRsets are authentic and DO or AD were present in the query. The behavior was allowed in the early DNSSEC standards, though, and the prohibition in the RFC is not strict. The change is, in fact, motivated by a report about some DNS server passing CD in a response to the nginx resolver.
>
> There's a valid concern that CD may mean that the upstream nameserver did not check the response signatures and passed the answer as is. There's nothing we can do with such nameserver from the nginx side, though - we can't prevent it from sending unexpected or unchecked responses. And there's already an error message if an RRSIG record makes it to the answer we receive:
> 2022/04/28 17:34:10 [error] 27847#27847: unexpected RR type 46 in DNS response
>
> # HG changeset patch
> # User Aleksei Bavshin <a.bavshin@f5.com>
> # Date 1651176054 25200
> # Thu Apr 28 13:00:54 2022 -0700
> # Node ID 5a570e610b375d1f3442a5b0fc1844be3909d103
> # Parent a736a7a613ea6e182ff86fbadcb98bb0f8891c0b
> Resolver: relax validation of response flags to allow AD and CD
>
> The check introduced in aebdca7e8f8f was using reserved must-be-zero bits
> definition from RFC1035. Later RFCs for DNS Security Extensions (4035 & 6840)
> allocated AD and CD from these reserved bits.
>
> It's said that AD and CD SHOULD only appear in the reply for a query from
> a security aware resolver, but that is not a strict prohibition, and it was
> not included in the early set of DNSSEC RFCs. We may encounter these bits in
> a reply when the upstream nameserver implements pre-RFC4035 (with RFC6840
> clarifications) standard or uses overly aggressive caching.

Thank you for the patch.

Quoting RFC 4035, section 3:

... The CD bit
is controlled by resolvers; a security-aware name server MUST copy
the CD bit from a query into the corresponding response.

That is, response with CD bit set strictly prohibited by RFC 4035
unless it was set by the resolver, i.e., nginx.

Similarly, presence of the AD bit, while not strictly prohibited
by RFC 6840 (which only says "SHOULD only set the AD bit" when
talking to a security-aware resolver), is a clear violation of RFC
1035. If it appears in the response, this indicates that the DNS
server is not expected to be used with non-security-aware
resolvers, such as the one in nginx.

Summing the above, unless there are practical reasons for the
change, a better approach might be to fix affected DNS servers, if
any, or switch to using more interoperable DNS servers with nginx.

Hope this helps.

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx-devel mailing list -- nginx-devel@nginx.org
To unsubscribe send an email to nginx-devel-leave@nginx.org
Reply Quote
RSS
Subject Author Views Posted

[PATCH] Resolver: relax validation of response flags to allow AD and CD

Aleksei Bavshin via nginx-devel 561 May 01, 2022 02:48AM

Re: [PATCH] Resolver: relax validation of response flags to allow AD and CD

Maxim Dounin 267 May 01, 2022 11:38AM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 311
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready