[dns-operations] Fortinet contact? Problems with their public resolvers

Klaus Darilion klaus.mailinglists at pernau.at
Wed Jun 13 14:53:57 UTC 2018



On 13.06.2018 at 14:00, Daniel Stirnimann wrote:
> Hi Klaus,
> 
>> $ dig @208.91.112.53 dnssec-signiert.at
> 
> I noticed that 208.91.112.53 sets the CD-bit for upstream queries.
> 
> I think this resolver expects the CD-bit to be copied to the response
> (RFC 4035, 3.2.2.  The CD Bit), which is not the case for the
> authoritative name servers of goeast.ch, e.g.:

Thanks for spotting this. IMO RFC4035 is a bit confusing:

3.1.6.  The AD and CD Bits in an Authoritative Response
...
   A security-aware name server does not perform signature validation
   for authoritative data during query processing, even when the CD bit
   is clear.  A security-aware name server SHOULD clear the CD bit when
   composing an authoritative response.

I would say that Bind, PowerDNS, ... are security-aware as they deliver
RRSIG, NSEC, ... records.

Hence, I would read it as: our PowerDNS is correct in clearing the CD
flag, and Bind as an authoritative name server is wrong in reflecting the
CD flag.

So, shall I patch PowerDNS to mirror the flag, although it behaves
correctly, to make Fortinet customers happy? Hm...

Thanks
Klaus
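The header behaviour the thread argues about, as an added worked example (not code from the thread, from PowerDNS or from BIND): a minimal DNS header builder/parser that sends a query with the CD bit set and composes the authoritative response two ways, clearing CD as RFC 4035 section 3.1.6 recommends, and mirroring it as observed above. The query name `dnssec-signiert.at` comes from the thread; the transaction id, flag layout helpers and the `probe` function (which does a live UDP lookup and is not run offline) are constructed here.

```python
"""Added example: CD-bit handling in an authoritative DNS response.

Standard library only. The wire format follows RFC 1035 (header and
question section); the CD/AD bit positions follow RFC 4035. Everything
except the query name dnssec-signiert.at is constructed for this example.
"""
import secrets
import socket
import struct

# Flag bits in the 16-bit header flags word (RFC 1035 / RFC 4035).
FLAG_QR = 0x8000  # 1 = response
FLAG_AA = 0x0400  # authoritative answer
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # authentic data (RFC 4035)
FLAG_CD = 0x0010  # checking disabled (RFC 4035)
HEADER_FMT = "!HHHHHH"  # id, flags, qdcount, ancount, nscount, arcount


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (length byte + label, then 0)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234,
                cd: bool = True, rd: bool = True) -> bytes:
    """Build a single-question query (default A record) with CD set."""
    flags = (FLAG_RD if rd else 0) | (FLAG_CD if cd else 0)
    header = struct.pack(HEADER_FMT, txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header into named fields."""
    txid, flags, qd, an, ns, ar = struct.unpack(HEADER_FMT, msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "aa": bool(flags & FLAG_AA),
        "rd": bool(flags & FLAG_RD),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def authoritative_response(query: bytes, mirror_cd: bool = False) -> bytes:
    """Compose the header of an (empty) authoritative reply to `query`.

    RFC 4035 3.1.6: a security-aware authoritative server SHOULD clear CD.
    mirror_cd=True reproduces the reflecting behaviour the thread observed.
    The question section is copied back unchanged.
    """
    txid, qflags, qd, *_ = struct.unpack(HEADER_FMT, query[:12])
    flags = FLAG_QR | FLAG_AA | (qflags & FLAG_RD)
    if mirror_cd:
        flags |= qflags & FLAG_CD
    return struct.pack(HEADER_FMT, txid, flags, qd, 0, 0, 0) + query[12:]


def cd_mirrored(query: bytes, response: bytes) -> bool:
    """True when the query carried CD=1 and the response kept it set."""
    return parse_header(query)["cd"] and parse_header(response)["cd"]


def probe(server: str, qname: str, timeout: float = 3.0) -> dict:
    """Live check (network, not run offline): send CD=1 over UDP and return
    the parsed reply header so the caller can see whether CD came back."""
    txid = secrets.randbits(16)  # fresh id so a stale reply is rejected
    query = build_query(qname, txid=txid, cd=True)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    hdr = parse_header(data)
    if hdr["id"] != txid or not hdr["qr"]:
        raise ValueError("reply does not match the query sent")
    hdr["cd_mirrored"] = cd_mirrored(query, data)
    return hdr


if __name__ == "__main__":
    q = build_query("dnssec-signiert.at", cd=True)
    print("RFC 4035 3.1.6 reply:", parse_header(authoritative_response(q)))
    print("mirroring reply:     ",
          parse_header(authoritative_response(q, mirror_cd=True)))
```

`probe(server, qname)["cd_mirrored"]` is what a resolver that "expects the CD-bit to be copied" is effectively testing for; running it against each authoritative server for a zone shows which implementation clears CD and which reflects it.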