[dns-operations] Re: Re: DNS forwarder behavior on response with cname
Mark Andrews
marka at isc.org
Fri Dec 14 21:28:45 UTC 2018
> On 14 Dec 2018, at 11:23 pm, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
>
> On Thu, Dec 13, 2018 at 05:29:47PM +0800,
> Davey Song <ljsong at biigroup.cn> wrote
> a message of 57 lines which said:
>
>> it requires the upstream resolver to turn on DNSSEC and send DO bit
>> as well. If the upstream resolver is not a validating resolver,
>
> Be careful: sending the DO bit and validating are two different
> things. IMHO, for the first (closest from the user) resolver to
> validate, there is no need for its upstream resolver to validate. The
> DO bit in the upstream is enough.
Actually it isn’t. You can get away with just DO=1 without validating
most of the time but there are scenarios where that fails. Just send
CD=1 DOES NOT WORK. It is BAD advice. Named doesn’t follow it because
it is BAD advice.
When a forwarder is being sent spoofed responses they get passed downstream
unvalidated and it stops waiting for a good response. Repeat ad infinitum.
When the forwarder validates the spoofed responses they get rejected and the forwarder
waits for the response from the authoritative server, which passes validation
and gets passed downstream.
Remember when you are using a forwarder there is no direct access to the
authoritative servers so the recovery mechanisms of “wait” and “try another
server” don’t really work.
I know people would like to reduce the work load on the forwarder but for
DNSSEC to actually work it has to be set up to validate. Validators behind
forwarders *need* to switch between CD=0 and CD=1 queries. The two query
types deal with different failure scenarios.
If you send CD=1 queries initially you should re-send with CD=0 on validation
failures. If you send CD=0 initially you should re-send with CD=1 on SERVFAIL
responses as they may be due to validation failures.
>> It makes no sense to choose a non-validating resolver as an upstream
>> resolver when you want your forwarder to validate.
>
> This is false: the upstream resolver just has to be DNSSEC-enabled,
> not DNSSEC-validating.
>
> The rest of your message should be clarified, by taking into account
> that sending-DO ≠ validating.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
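The CD=0/CD=1 switching rule described in the message above, as an added worked example that is not part of the original post and is not BIND's code. It models a validating resolver whose only path to the authoritative servers is one forwarder, and it shows why each query type alone fails in one scenario while switching recovers in both: a spoofed answer sitting in the forwarder's cache (CD=1 passes it through unvalidated, CD=0 makes the forwarder reject it and re-fetch), and a zone the forwarder cannot validate but the client can (CD=0 yields SERVFAIL, CD=1 lets the client validate locally). Everything here is constructed: the zone names, addresses and keys are sample data, the forwarder is an in-memory object rather than a network peer, and RRSIG verification is replaced by an HMAC under a per-zone key standing in for a trust anchor.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

NOERROR, SERVFAIL = 0, 2          # DNS RCODEs

# Stand-in for RRSIG verification (an assumption of this example, not DNSSEC):
# an HMAC over the RDATA under the zone's key, which plays the trust anchor.
def sign(zone_key: bytes, name: str, rdata: str) -> bytes:
    return hmac.new(zone_key, f"{name}|{rdata}".encode(), hashlib.sha256).digest()

def verify(trust_anchors: Dict[str, bytes], name: str, rdata: str, sig: bytes) -> bool:
    zone = name.split(".", 1)[1]  # "www.secure.example." -> "secure.example."
    key = trust_anchors.get(zone)
    return key is not None and hmac.compare_digest(sign(key, name, rdata), sig)

RR = Tuple[str, bytes]            # (rdata, signature)

@dataclass
class Response:
    rcode: int
    rdata: Optional[str] = None
    sig: Optional[bytes] = None
    ad: bool = False

class Forwarder:
    """In-memory model of a validating forwarder; the only path to the authority."""
    def __init__(self, trust_anchors: Dict[str, bytes], authoritative: Dict[str, RR]):
        self.trust_anchors = trust_anchors   # zones this forwarder can validate
        self.authoritative = authoritative   # what the authoritative servers hold
        self.cache: Dict[str, RR] = {}       # may hold a spoofed answer

    def query(self, name: str, cd: bool) -> Response:
        rr = self.cache.get(name) or self.authoritative.get(name)
        if rr is None:
            return Response(SERVFAIL)
        if cd:
            # CD=1: hand back what we hold, validated or not (RFC 4035 section 3.2.2)
            return Response(NOERROR, *rr)
        # CD=0: validate; discard a bogus cached answer and re-ask the authority
        if not verify(self.trust_anchors, name, *rr):
            rr = self.authoritative.get(name)
            if rr is None or not verify(self.trust_anchors, name, *rr):
                return Response(SERVFAIL)    # bogus, or a zone we hold no anchor for
            self.cache[name] = rr
        return Response(NOERROR, *rr, ad=True)

class Validator:
    """Validating resolver that reaches the world only through one forwarder."""
    def __init__(self, trust_anchors: Dict[str, bytes], forwarder: Forwarder):
        self.trust_anchors = trust_anchors
        self.fwd = forwarder

    def _accept(self, name: str, r: Response) -> Optional[str]:
        if r.rcode == NOERROR and verify(self.trust_anchors, name, r.rdata, r.sig):
            return r.rdata
        return None

    def resolve(self, name: str, cd_first: bool, switch: bool = True) -> Optional[str]:
        r = self.fwd.query(name, cd_first)
        rdata = self._accept(name, r)
        if rdata is not None or not switch:
            return rdata
        if cd_first and r.rcode == NOERROR:
            r = self.fwd.query(name, cd=False)  # failed locally: let the forwarder validate
        elif not cd_first and r.rcode == SERVFAIL:
            r = self.fwd.query(name, cd=True)   # forwarder could not validate: do it here
        else:
            return None
        return self._accept(name, r)

def build_scenario() -> Validator:
    """Constructed sample data: three zones and one spoofed entry in the forwarder."""
    k_secure, k_island, k_attacker = b"secure-zone-key", b"island-zone-key", b"attacker-key"
    authoritative = {
        "www.secure.example.": ("192.0.2.1", sign(k_secure, "www.secure.example.", "192.0.2.1")),
        "www.island.example.": ("192.0.2.2", sign(k_island, "www.island.example.", "192.0.2.2")),
        "www.bogus.example.":  ("192.0.2.3", sign(k_attacker, "www.bogus.example.", "192.0.2.3")),
    }
    fwd = Forwarder({"secure.example.": k_secure}, authoritative)
    # A spoofed answer that reached the forwarder's cache (wrong address, attacker's key)
    fwd.cache["www.secure.example."] = (
        "203.0.113.66", sign(k_attacker, "www.secure.example.", "203.0.113.66"))
    # The validator also trusts island.example.; the forwarder has no anchor for it
    return Validator({"secure.example.": k_secure, "island.example.": k_island}, fwd)

def demo() -> Dict[str, Optional[str]]:
    """Run each strategy from a fresh scenario so forwarder cache state does not leak."""
    cases = [
        ("cd1-only/spoofed",   "www.secure.example.", True,  False),
        ("cd1-switch/spoofed", "www.secure.example.", True,  True),
        ("cd0-only/island",    "www.island.example.", False, False),
        ("cd0-switch/island",  "www.island.example.", False, True),
        ("cd1-switch/bogus",   "www.bogus.example.",  True,  True),
        ("cd0-switch/bogus",   "www.bogus.example.",  False, True),
    ]
    return {label: build_scenario().resolve(name, cd_first, switch)
            for label, name, cd_first, switch in cases}

if __name__ == "__main__":
    for label, answer in demo().items():
        print(f"{label:20} -> {answer}")
```

The two single-mode cases both return None: a CD=1-only client has no way to shake the spoofed answer out of the forwarder, and a CD=0-only client never sees the data the forwarder could not validate itself. The truly bogus zone fails under both orders, which is the correct outcome. Note the model's forwarder validates on CD=0 queries; a non-validating upstream would answer the CD=0 retry with the same spoofed data, which is the point of the message above.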