[dns-operations] Re: Re: DNS forwarder behavior on response with cname
ljsong at biigroup.cn
Thu Dec 13 09:29:47 UTC 2018
I tested on a signed domain with CNAME. You are correct. Instead of double-querying the CNAME, the forwarder does the validation process, asking for the DNSKEY and DS of the last CNAME. But it requires the upstream resolver to turn on DNSSEC and send the DO bit as well. If the upstream resolver is not a validating resolver, the forwarder returns SERVFAIL to the client. Note that the forwarder is set to forward only, which means the forwarder does not look for the answer itself. It makes no sense to choose a non-validating resolver as an upstream resolver when you want your forwarder to validate.
So the forwarder logic is clear:
1) If the answer with CNAMEs is not signed, it will send a query with the same qtype for the last CNAME, double-checking the answer by re-querying against the same upstream resolver.
2) If the answer is signed and the forwarder is set as a validating resolver, the double-check behavior is replaced by a validation process. Again it double-checks the answer, by validating it.
It sounds to me that the forwarder is highly suspicious of the answer it got from the upstream resolver, which is chosen by the forwarder itself. I'm still confused by the forwarder behavior in which it sends the query twice to the same upstream resolver, or the answer is required to be validated twice (once by the upstream resolver and once by the forwarder). It is hard for me to come up with a reasonable cause for this behavior, especially if a forwarder is configured as a large cache server in a network where both the forwarder and the upstream resolver are operated by the same operator. That **behavior** is unacceptable.
I'm wondering whether it is caused by the DNS specification or the DNS implementation. We need to fix it.
> From: Stephane Bortzmeyer [mailto:bortzmeyer at nic.fr]
> Sent: 11 December 2018 17:33
> To: Davey宋
> Cc: Stephane Bortzmeyer; dns-operations; 'p vixie'
> Subject: Re: Re: DNS forwarder behavior on response with cname
> On Sat, Dec 08, 2018 at 07:18:05PM +0800,
> Davey宋 <ljsong at biigroup.cn> wrote
> a message of 29 lines which said:
> > Tested. Forwarder double-checks even when dnssec is turned on. Some kind
> > of inertia before DNSSEC?
> Or may be because the zone was not signed? Do you get the AD bit?
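A model of the two forwarder rules described in the message above, as an added example that is not part of the original thread and not the code of BIND or any other resolver. A small `Upstream` answers from a constructed zone table and records every query it receives, so the extra queries the forwarder sends (the re-query of the last CNAME target for an unsigned answer, or the DS/DNSKEY fetch for a signed one) and the SERVFAIL against a non-DNSSEC upstream are visible. The zone names, records and the `run` helper are constructed for the example; where the post does not say what happens (zone discovery for the last name, a non-validating forwarder seeing a signed answer), the comment marks the choice as an assumption.

```python
"""Model of the forwarder double-check / validation logic from the post.

Added example, not real resolver code. Names and records are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Zone:
    apex: str
    signed: bool
    records: dict = field(default_factory=dict)   # (owner, rtype) -> rdata


@dataclass
class Response:
    answer: list            # [(owner, rtype, rdata), ...]
    signer: str = ""        # RRSIG signer name for the final RRset; "" = no RRSIG
    ad: bool = False


class Upstream:
    """Recursive resolver the forward-only forwarder sends everything to."""

    def __init__(self, zones, dnssec):
        self.zones = {z.apex: z for z in zones}
        self.dnssec = dnssec    # False: ignores the DO bit, never returns RRSIGs
        self.queries = []       # every (qname, qtype) the forwarder sent us

    def zone_of(self, name):
        labels = name.split(".")
        for i in range(len(labels)):
            z = self.zones.get(".".join(labels[i:]))
            if z is not None:
                return z
        return None

    def query(self, qname, qtype):
        self.queries.append((qname, qtype))
        z = self.zone_of(qname)
        if z is None:
            return Response(answer=[])
        if qtype in ("DS", "DNSKEY"):
            # DS/DNSKEY exist only for signed zones. A DS is a plain record, so even a
            # non-DNSSEC upstream returns it; only the RRSIG (signer) depends on dnssec.
            if qname == z.apex and z.signed:
                return Response([(qname, qtype, "<%s rdata>" % qtype)],
                                signer=z.apex if self.dnssec else "")
            return Response(answer=[])
        answer, name, seen = [], qname, set()
        while name not in seen:                  # follow CNAMEs across zones
            seen.add(name)
            z = self.zone_of(name)
            if z is None:
                break
            cname = z.records.get((name, "CNAME"))
            if cname is None:
                rdata = z.records.get((name, qtype))
                if rdata is not None:
                    answer.append((name, qtype, rdata))
                signed = self.dnssec and z.signed
                return Response(answer, signer=z.apex if signed else "", ad=signed)
            answer.append((name, "CNAME", cname))
            name = cname
        return Response(answer)                  # loop or dangling chain


def last_cname_target(qname, answer):
    """Owner name at the end of the CNAME chain in an answer section (loop-safe)."""
    chain = {o: r for (o, t, r) in answer if t == "CNAME"}
    name, seen = qname, set()
    while name in chain and name not in seen:
        seen.add(name)
        name = chain[name]
    return name


class Forwarder:
    """forward-only forwarder; validating=True models DNSSEC validation enabled."""

    def __init__(self, upstream, validating):
        self.up, self.validating = upstream, validating

    def resolve(self, qname, qtype):
        resp = self.up.query(qname, qtype)
        last = last_cname_target(qname, resp.answer)
        if last == qname:
            return "accept", resp.answer         # no CNAME: the post describes no re-check
        if self.validating:
            # Rule 2: validate instead of re-querying. The zone of the last name is the
            # RRSIG signer; without an RRSIG, one label up (assumption for the model).
            zone = resp.signer or last.split(".", 1)[-1]
            ds = self.up.query(zone, "DS").answer
            if resp.signer:
                dnskey = self.up.query(zone, "DNSKEY").answer
                if ds and dnskey:
                    return "validated", resp.answer
                return "servfail", "missing DS/DNSKEY for " + zone
            if ds:
                # Zone is signed but the upstream sent no RRSIG: it is not DNSSEC-capable.
                return "servfail", "upstream returned no signatures for " + zone
        # Rule 1: unsigned answer with CNAMEs -> same qtype for the last target, same
        # upstream. (Assumption: a non-validating forwarder treats a signed answer the same.)
        check = self.up.query(last, qtype).answer
        final = [rr for rr in resp.answer if rr[0] == last and rr[1] == qtype]
        if check == final:
            return "accept", resp.answer
        return "servfail", "re-query of %s disagrees with forwarded answer" % last


def run(qname, qtype, validating, upstream_dnssec):
    """Resolve against a constructed zone table; returns (action, detail, upstream queries)."""
    zones = [
        Zone("example.test", True, {("www.example.test", "CNAME"): "cdn.example.net"}),
        Zone("example.net", True, {("cdn.example.net", "A"): "192.0.2.10"}),
        Zone("unsigned.test", False, {("www.unsigned.test", "CNAME"): "host.unsigned.test",
                                      ("host.unsigned.test", "A"): "192.0.2.20"}),
    ]
    up = Upstream(zones, dnssec=upstream_dnssec)
    action, detail = Forwarder(up, validating).resolve(qname, qtype)
    return action, detail, up.queries
```

Running `run("www.unsigned.test", "A", False, True)` shows rule 1: the same upstream receives the A query twice, the second one for `host.unsigned.test`. `run("www.example.test", "A", True, True)` shows rule 2: the A query is followed by DS and DNSKEY for `example.net` and no re-query. `run("www.example.test", "A", True, False)` shows the SERVFAIL the post mentions when the upstream does not do DNSSEC: the DS exists but the answer carried no signatures.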