[dns-operations] Fortinet contact? Problems with their public resolvers
Mark Andrews
marka at isc.org
Wed Jun 13 18:08:08 UTC 2018
> On 14 Jun 2018, at 12:53 am, Klaus Darilion <klaus.mailinglists at pernau.at> wrote:
>
>
>
> On 13.06.2018 at 14:00, Daniel Stirnimann wrote:
>> Hi Klaus,
>>
>>> $ dig @208.91.112.53 dnssec-signiert.at
>>
>> I noticed that 208.91.112.53 sets the CD-bit for upstream queries.
>>
>> I think this resolver expects the CD-bit to be copied to the response
>> (RFC 4035, 3.2.2. The CD Bit) which is not the case for the
>> authoritative name servers of goeast.ch, e.g.:
>
> Thanks for spotting this. IMO RFC4035 is a bit confusing:
>
> 3.1.6. The AD and CD Bits in an Authoritative Response
> ...
> A security-aware name server does not perform signature validation
> for authoritative data during query processing, even when the CD bit
> is clear. A security-aware name server SHOULD clear the CD bit when
> composing an authoritative response.
>
> I would mean that Bind, PowerDNS ... are security-aware as they deliver
> RRSIG, NSEC, ... records.
>
> Hence, I would read it as our PowerDNS is correct in clearing the CD
> flag and Bind as authoritative name server is wrong in reflecting the CD
> flag.
BIND can’t be wrong on a SHOULD. 0 or 1 is valid. :-)
That said, the validator is wrong to test CD in the reply if it is doing so.
CD is a signal from the client to the server. It has no protocol meaning
in the reply. Copying it is for humans that read the response so they can
know if it was set in the request.
> So, shall I patch PowerDNS to mirror the flag although it behaves
> correctly to make Fortinet customers happy? Hm...
>
> Thanks
> Klaus
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
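The thread turns on one point: CD is a request flag, and an authoritative server SHOULD clear it (RFC 4035 section 3.1.6), so a resolver must not require it to be mirrored in the reply. The following stand-alone Python example is added here to illustrate that point; it is not code from the list posting, from BIND, PowerDNS or Fortinet. It builds a wire-format query with CD set, simulates an authoritative answer that either clears or mirrors the bit (both valid under the SHOULD), and shows a reply-matching check that correctly ignores CD next to one that wrongly requires it. The query name dnssec-signiert.at comes from the thread; the query ID and the `mirror_cd` / `require_cd_mirror` parameters are constructed for this example.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035 section 3.1.6).
QR = 0x8000   # response
AA = 0x0400   # authoritative answer
RD = 0x0100   # recursion desired
RA = 0x0080   # recursion available
AD = 0x0020   # authentic data
CD = 0x0010   # checking disabled (client -> server signal only)


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qid, name, qtype=1, cd=False):
    """Wire-format query: header + one question (qtype 1 = A, class IN).
    cd=True is what a validating resolver that sets CD upstream sends."""
    flags = RD | (CD if cd else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the 12-byte header into the fields relevant here."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": qid,
        "qr": bool(flags & QR),
        "aa": bool(flags & AA),
        "rd": bool(flags & RD),
        "ad": bool(flags & AD),
        "cd": bool(flags & CD),
        "rcode": flags & 0x000F,
        "qdcount": qd,
    }


def authoritative_response(query, mirror_cd):
    """Simulated authoritative server (constructed for this example).
    mirror_cd=False follows the RFC 4035 3.1.6 SHOULD and clears CD (the
    PowerDNS behaviour in the thread); mirror_cd=True copies CD from the
    request (the BIND behaviour in the thread). Both are legal on a SHOULD.
    The answer section is left empty; only the header matters here."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", query[:12])
    rflags = QR | AA | (flags & RD)
    if mirror_cd:
        rflags |= flags & CD
    header = struct.pack("!HHHHHH", qid, rflags, 1, 0, 0, 0)
    return header + query[12:]  # echo the question section


def response_matches_query(query, response, require_cd_mirror=False):
    """Resolver-side reply acceptance. The correct check compares ID and
    question only. require_cd_mirror=True models the suspected buggy check
    that treats the reply's CD as protocol-significant."""
    q = parse_header(query)
    r = parse_header(response)
    if not r["qr"] or q["id"] != r["id"]:
        return False
    question = query[12:]
    if response[12:12 + len(question)] != question:
        return False
    if require_cd_mirror and q["cd"] != r["cd"]:
        return False
    return True


def demo():
    """Return (correct_check_results, strict_check_results) for a CD=1 query
    answered by a clearing server and by a mirroring server."""
    query = build_query(0x1234, "dnssec-signiert.at", cd=True)
    clearing = authoritative_response(query, mirror_cd=False)
    mirroring = authoritative_response(query, mirror_cd=True)
    correct = (response_matches_query(query, clearing),
               response_matches_query(query, mirroring))
    strict = (response_matches_query(query, clearing, require_cd_mirror=True),
              response_matches_query(query, mirroring, require_cd_mirror=True))
    return correct, strict


if __name__ == "__main__":
    correct, strict = demo()
    print("CD-agnostic check (clearing, mirroring):", correct)
    print("CD-mirror-required check (clearing, mirroring):", strict)
```

Running `demo()` shows the failure mode the thread describes: the CD-agnostic check accepts both replies, while the check that insists on a mirrored CD rejects the reply from the server that cleared it, even though that server is following the RFC's recommendation. From a defender's view the useful takeaway is on the resolver side: reply validation should key on ID, question and (where used) source port or cookies, never on the CD bit.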