[dns-operations] Fortinet contact? Problems with their public resolvers
Klaus Darilion
klaus.mailinglists at pernau.at
Wed Jun 13 14:53:57 UTC 2018
On 13.06.2018 at 14:00, Daniel Stirnimann wrote:
> Hi Klaus,
>
>> $ dig @208.91.112.53 dnssec-signiert.at
>
> I noticed that 208.91.112.53 sets the CD-bit for upstream queries.
>
> I think this resolver expects the CD-bit to be copied to the response
> (RFC 4035, 3.2.2. The CD Bit) which is not the case for the
> authoritative name servers of goeast.ch, e.g.:
Thanks for spotting this. IMO RFC4035 is a bit confusing:
3.1.6. The AD and CD Bits in an Authoritative Response
...
A security-aware name server does not perform signature validation
for authoritative data during query processing, even when the CD bit
is clear. A security-aware name server SHOULD clear the CD bit when
composing an authoritative response.
I would say that Bind, PowerDNS ... are security-aware as they deliver
RRSIG, NSEC, ... records.
Hence, I would read it as our PowerDNS is correct in clearing the CD
flag and Bind as authoritative name server is wrong in reflecting the CD
flag.
So, shall I patch PowerDNS to mirror the flag, although it behaves
correctly, to make Fortinet customers happy? Hm...
Thanks
Klaus
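An added example, not part of the thread or of either name server's code: a header-level check that tells whether an authoritative responder cleared or mirrored the CD bit of a query (the behaviour discussed above under RFC 4035 3.1.6 vs 3.2.2). The two sample responses are constructed here to model the two behaviours the post describes; they are not captured packets from PowerDNS or Bind.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1, AD/CD from RFC 4035).
FLAG_QR = 0x8000  # response
FLAG_AA = 0x0400  # authoritative answer
FLAG_RD = 0x0100  # recursion desired
FLAG_AD = 0x0020  # authentic data
FLAG_CD = 0x0010  # checking disabled


def build_header(msg_id, flags, qdcount=1, ancount=0, nscount=0, arcount=0):
    """Pack a 12-byte DNS header; section bodies are not needed for this check."""
    return struct.pack("!HHHHHH", msg_id, flags, qdcount, ancount, nscount, arcount)


def parse_header_flags(msg):
    """Return (id, flags) from the first four bytes of a DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    return struct.unpack("!HH", msg[:4])


def cd_behaviour(query, response):
    """Classify the responder's CD handling for a query that had CD set.

    Returns 'cleared' (RFC 4035 3.1.6 SHOULD for authoritative data),
    'mirrored' (3.2.2 recursive-style copy), 'not-authoritative' when the
    response lacks AA, or 'n/a' if the query did not set CD at all."""
    qid, qflags = parse_header_flags(query)
    rid, rflags = parse_header_flags(response)
    if qid != rid or not rflags & FLAG_QR:
        raise ValueError("not a response to this query")
    if not qflags & FLAG_CD:
        return "n/a"
    if not rflags & FLAG_AA:
        return "not-authoritative"
    return "mirrored" if rflags & FLAG_CD else "cleared"


# Constructed sample messages (header only), modelled on the thread:
# a resolver query with CD set, and two authoritative responses.
QUERY = build_header(0x1234, FLAG_RD | FLAG_CD)
RESPONSE_CLEARS_CD = build_header(0x1234, FLAG_QR | FLAG_AA)            # clears CD
RESPONSE_MIRRORS_CD = build_header(0x1234, FLAG_QR | FLAG_AA | FLAG_CD)  # copies CD

if __name__ == "__main__":
    print("clearing responder:", cd_behaviour(QUERY, RESPONSE_CLEARS_CD))
    print("mirroring responder:", cd_behaviour(QUERY, RESPONSE_MIRRORS_CD))
```

To test a live server, replace the constructed responses with the first 12 bytes of the reply to a query built with `FLAG_CD` set; only the header is inspected.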