[dns-operations] which breakage is this? FreeBSD.org / systemd-resolved

Philip Homburg philip.homburg at ripe.net
Mon Nov 2 11:35:01 UTC 2020

On 2020/11/02 2:53 , Mark Andrews wrote:
> DNSSEC requires intermediate resolvers to validate to defeat spoofed
> respones.  The validator is supposed to wait for the legitimate response
> to arrive.  If you don’t care about denial of service attacks caused
> by spoofed traffic then go ahead and always send CD=1.  There is no way
> to make a forwarder to send you *good* answers once it has learn a spoofed
> answer with CD=1.  You need CD=0 and validation by the forwarder to defeat
> spoofed traffic being sent to the forwarder.  You also need CD=0 and
> validation to recover from an authoritative server with an old version
> of the zone.

So it seems that setting CD=1 on AAAA queries (the only queries that get
spoffed by DNS64) is fine until there is a specific spoofing attack on
the DNS64 resolver. If the downstream, DNSSEC-validating resolver gets a
validation error, then sending the same AAAA query with CD=0 would flush
the cache of the upstream resolver.

This sounds like an annoying complication. But not the end of the world.

Unfortunately, some people really like the idea of NAT64 with DNS64. So
it is unlikely that it will go away by itself soon.

More information about the dns-operations mailing list