
dnssec: process-no-validate

ebal requested to merge dnssec_process into master

In PowerDNS Recursor v4.5.0 the dnssec option changed from process with no validation to validating DNSSEC (process) when the DO bit in the query is enabled.

After restarting powerdns-recursor, we noticed the error below:

`Got Bogus validation result for .|NS")`

which, according to the source code, comes from: `res=sr.beginResolve(g_rootdnsname, QType::NS, 1, ret, depth + 1);`

Although powerdns-recursor was running successfully, with `dig google.com` (bind) we got no response for records, but with `kdig google.com` (knot) we were getting responses.

That means that dig sends either the CD or the DO flag by default in its requests.

As RadicalDNS' powerdns-recursor does not validate DNSSEC, it was replying with empty responses to dig but worked okay with kdig.

It seems this option change is by design in 4.5.x.

More Info:

https://doc.powerdns.com/recursor/settings.html#dnssec

Changed in version 4.5.0: The default changed from process-no-validate to process

process-no-validate: Respond with DNSSEC records to clients that ask for it, set the DO bit on all outgoing queries. Don’t do any validation.

process: Respond with DNSSEC records to clients that ask for it, set the DO bit on all outgoing queries. Do validation for clients that request it (by means of the AD bit or DO bit in the query).
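The dig-versus-kdig difference described above can be reproduced deliberately by sending the same query with and without the bits that make `dnssec=process` validate. The script below is an added example, not part of this merge request or of PowerDNS; `RESOLVER` and `NAME` are assumed values, and it only touches the network when invoked with `run`.

```shell
#!/bin/sh
# Added example, not part of the merge request: check whether a recursor only
# fails to answer when the client asks for validation (AD or DO bit set),
# which is what dnssec=process does in Recursor 4.5.x, by comparing a query
# with those bits set against the same query with both cleared.
# RESOLVER and NAME are assumed values; override them via the environment.
RESOLVER="${RESOLVER:-127.0.0.1}"
NAME="${NAME:-google.com}"

# RCODE from dig's header line, e.g. NOERROR or SERVFAIL.
dig_status() {
  printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Number of RRs in the ANSWER section, taken from dig's flags line.
dig_answers() {
  printf '%s\n' "$1" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1
}

# Classify from the two answer counts: with AD/DO set, and with both cleared.
diagnose() {
  if [ "$1" -eq 0 ] && [ "$2" -gt 0 ]; then
    echo "validation-on-request-breaks-resolution"
  elif [ "$1" -gt 0 ] && [ "$2" -gt 0 ]; then
    echo "ok"
  else
    echo "resolution-fails"
  fi
}

main() {
  # dig sets AD by default; +dnssec adds DO. +noadflag +nodnssec clears both.
  with=$(dig @"$RESOLVER" "$NAME" A +adflag +dnssec +time=3 +tries=1)
  without=$(dig @"$RESOLVER" "$NAME" A +noadflag +nodnssec +time=3 +tries=1)
  n_with=$(dig_answers "$with")
  n_without=$(dig_answers "$without")
  echo "AD/DO set:     status=$(dig_status "$with") answers=${n_with:-0}"
  echo "AD/DO cleared: status=$(dig_status "$without") answers=${n_without:-0}"
  echo "verdict: $(diagnose "${n_with:-0}" "${n_without:-0}")"
}

# Only query the network when invoked with "run"; otherwise just define functions.
if [ "${1:-}" = "run" ]; then
  main
fi
```

A verdict of `validation-on-request-breaks-resolution` matches the symptom in this MR: the recursor answers when no validation is requested, so the empty responses come from validation, not from resolution itself, and the recursor log should show the corresponding Bogus result.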

