[dns-operations] chrome's 10 character QNAMEs to detect NXDOMAIN rewriting
Robert Edmonds
edmonds at mycre.ws
Thu Nov 28 15:52:29 UTC 2013
Mark Andrews wrote:
> In message <20131128000148.GA20782 at mycre.ws>, Robert Edmonds writes:
> > i'm curious as to exactly what this root zone slaved resolver
> > configuration looks like and how it would behave. i don't believe i've
> > ever set up a resolver like that before.
>
> zone "." IN {
>         type slave;
>         file "slave/root";
>         masters { 192.5.5.241; };
>         notify no;
> };
>
> > if i understand things right, this config could only be achieved with
> > particular resolver implementations that combine authoritative and
> > recursive service into the same server, and the only implementation i
> > know of that does that is BIND 9. i believe unbound, powerdns, BIND 10,
> > djbdns, etc. are all either recursive only, or split recursive and
> > authoritative service into separate daemons, afaik. but i'm not
> > familiar with any of the closed source implementations.
> >
> > if such a config is possible, how is it supposed to work with DNSSEC?
> > if the DNS server loads a bad copy of the root zone somehow during an
> > AXFR, does it use its configured root trust anchor to determine that its
> > copy of the zone doesn't validate, or does the act of configuring the
> > root zone as an authoritative zone make it more trustworthy, thus
> > overriding the need to do DNSSEC validation at the root level?
>
> You can do stuff like this (cut-and-pasted from a live config).
>
> managed-keys {
>         . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=";
> };
>
> view "secure" {
>         match-clients { localnets; };
>         match-recursive-only yes;
>         zone . {
>                 type static-stub;
>                 server-addresses { 127.0.0.1; };
>         };
> };
>
> view "external" {
>         match-clients { localnets; };
>         recursion no;
>         allow-recursion { none; };
>
>         zone "." IN {
>                 type slave;
>                 file "slave/root";
>                 masters { 192.5.5.241; };
>                 notify no;
>         };
> };
>
> The same trick can be used to validate data from other zones that
> are locally served.
so, just to be clear, this config snippet alone:
zone "." IN {
        type slave;
        file "slave/root";
        masters { 192.5.5.241; };
        notify no;
};
is not sufficient if one wants to both slave and validate the root zone?
this snippet will bypass DNSSEC validation if configured into a
recursive server?
--
Robert Edmonds
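The question above is whether a slaved root zone in a recursive server is answered from the local copy without DNSSEC validation, which is the layout Mark's configuration avoids by putting the slave in a non-recursive view and pointing the recursive view at it with a static-stub zone. As an added example for the thread (not from the thread and not BIND's own code), here is a small Python lint that parses named.conf brace syntax and flags a `type slave` root zone in any scope where recursion is enabled. It assumes BIND's default of `recursion yes`, treats `secondary` as a synonym of `slave`, uses a minimal tokenizer rather than BIND's parser, and the trust anchor in the second sample config is a placeholder string, not a real key.

```python
"""Lint a named.conf fragment for a slaved root zone served from a recursive
scope.  Added example for this thread, not BIND's code: minimal tokenizer,
recursion defaults to yes (BIND's default), "secondary" == "slave"."""
import re

# Quoted strings, comments, punctuation, bare words.  Comments are matched
# as whole tokens so "//" inside a quoted key is never mistaken for one.
_TOKEN = re.compile(
    r'"[^"]*"|//[^\n]*|#[^\n]*|/\*.*?\*/|[{};]|[^\s{};"]+', re.S)


def parse(text):
    """Parse into a list of (words, children): children is None for a plain
    `words;` statement and a nested list for `words { ... };`."""
    tokens = [t for t in _TOKEN.findall(text)
              if not t.startswith(('//', '#', '/*'))]
    pos = 0

    def block():
        nonlocal pos
        stmts, words = [], []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == '}':
                break
            if tok == ';':
                if words:
                    stmts.append((words, None))
                words = []
            elif tok == '{':
                stmts.append((words, block()))  # the ';' after '}' is skipped
                words = []
            else:
                words.append(tok.strip('"'))
        return stmts

    return block()


def _recursion_enabled(stmts, default):
    """Honour an explicit `recursion yes|no;` in this scope, else inherit."""
    for words, _ in stmts:
        if words and words[0] == 'recursion' and len(words) > 1:
            return words[1].lower() not in ('no', 'false', 'off', '0')
    return default


def _has_slaved_root(stmts):
    """True if this scope defines zone "." with type slave/secondary."""
    for words, children in stmts:
        if words and words[0] == 'zone' and len(words) > 1 \
                and words[1] == '.' and children:
            types = [c[1] for c, _ in children
                     if c and c[0] == 'type' and len(c) > 1]
            if any(t in ('slave', 'secondary') for t in types):
                return True
    return False


def audit(text):
    """Return scopes ('global' or view names) that both recurse and serve
    the root zone from a locally slaved copy."""
    top = parse(text)
    options = next((c for w, c in top if w and w[0] == 'options' and c), [])
    global_rec = _recursion_enabled(options, True)
    views = [(w[1], c) for w, c in top
             if w and w[0] == 'view' and len(w) > 1 and c is not None]
    findings = []
    if not views and global_rec and _has_slaved_root(top):
        findings.append('global')
    for name, body in views:
        if _recursion_enabled(body, global_rec) and _has_slaved_root(body):
            findings.append(name)
    return findings


# Constructed sample: the bare snippet, in a server that recurses by default.
BARE_ROOT_SLAVE = '''
options { directory "/var/named"; };   // no recursion statement: defaults to yes
zone "." IN {
    type slave;
    file "slave/root";
    masters { 192.5.5.241; };
    notify no;
};
'''

# Constructed sample: the split-view layout; the trust anchor is a placeholder.
SPLIT_VIEWS = '''
managed-keys {
    . initial-key 257 3 8 "PLACEHOLDER-ROOT-KSK-RDATA";
};
view "secure" {
    match-clients { localnets; };
    match-recursive-only yes;
    zone . { type static-stub; server-addresses { 127.0.0.1; }; };
};
view "external" {
    match-clients { localnets; };
    recursion no;
    allow-recursion { none; };
    zone "." IN {
        type slave;
        file "slave/root";
        masters { 192.5.5.241; };
        notify no;
    };
};
'''

if __name__ == '__main__':
    for label, cfg in (('bare', BARE_ROOT_SLAVE), ('split', SPLIT_VIEWS)):
        print(label, '->', audit(cfg) or 'no recursive scope slaves the root')
```

The bare snippet is reported at global scope, the split-view layout is clean, and flipping the external view to `recursion yes;` makes it the flagged scope, which is the case the lint exists to catch.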