
Enable DNSSEC in DNS forwarder
Closed, Resolved | Public | Feature Request

Description

Could we add an option to enable dnssec?

https://doc.powerdns.com/md/recursor/dnssec/

Details

Difficulty level: Unknown (require assessment)
Version: -
Why the issue appeared?: Will be filled on close

Event Timeline

mb300sd claimed this task.

Looks like it was merged, closing, thanks :)

This feature is great but it looks buggy to me.

I set the dnssec value to log-fail, but the server returns SERVFAIL.
I run the same command against my DNS resolver and against the VyOS router, which uses the previous DNS resolver.

Here is the command to call the VyOS DNS service:

dig dnssec-debugger.verisignlabs.com +dnssec +multi @192.168.1.50

Which returns:

; <<>> DiG 9.13.5 <<>> dnssec-debugger.verisignlabs.com +dnssec +multi @192.168.1.50
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 6898
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;dnssec-debugger.verisignlabs.com. IN A

;; Query time: 28 msec
;; SERVER: 192.168.1.50#53(192.168.1.50)
;; WHEN: mer. janv. 09 17:56:00 CET 2019
;; MSG SIZE  rcvd: 50

And if I run the same command against the initial resolver:

dig dnssec-debugger.verisignlabs.com +dnssec +multi @192.168.1.10

I get:

; <<>> DiG 9.13.5 <<>> dnssec-debugger.verisignlabs.com +dnssec +multi @192.168.1.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7998
;; flags: qr; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;dnssec-debugger.verisignlabs.com. IN A

;; ANSWER SECTION:
dnssec-debugger.verisignlabs.com. 2160 IN CNAME	webapps.verisignlabs.com.
webapps.verisignlabs.com. 2160 IN A 209.112.118.114
webapps.verisignlabs.com. 2160 IN A 69.36.150.30

;; Query time: 0 msec
;; SERVER: 192.168.1.10#53(192.168.1.10)
;; WHEN: mer. janv. 09 17:56:06 CET 2019
;; MSG SIZE  rcvd: 200

Is it a VyOS bug or not?
My setup is pretty simple at this level and I don't know where this can come from.

Any idea where this can come from?

Thank you for everything.
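A way to read the two dig replies above mechanically, added here as an example that is not part of the task, of VyOS or of PowerDNS: it parses the text that dig prints and reports the rcode, whether the AD flag is set, and whether the upstream reply carries the EDNS OPT pseudosection and RRSIG records a validating forwarder needs. The two samples are constructed excerpts of the replies quoted above.

```shell
# classify_dig_output reads dig output on stdin and prints one word:
#   servfail    - rcode SERVFAIL (what the forwarder at 192.168.1.50 returned)
#   validated   - NOERROR with the AD flag: the resolver validated the data
#   unvalidated - NOERROR without AD: an answer, but nothing was validated
#   other       - any other rcode, or no dig header found in the input
classify_dig_output() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p')
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p')
    case "$status" in
        SERVFAIL) echo servfail ;;
        NOERROR)
            case " $flags " in
                *" ad "*) echo validated ;;
                *)        echo unvalidated ;;
            esac ;;
        *) echo other ;;
    esac
}
# dnssec_material_present prints "yes" when the reply carries an EDNS OPT
# pseudosection and at least one RRSIG record, otherwise "no". A validating
# forwarder has nothing to validate when its upstream returns neither.
dnssec_material_present() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'OPT PSEUDOSECTION' &&
       printf '%s\n' "$out" | grep -q ' RRSIG '; then
        echo yes
    else
        echo no
    fi
}
# Constructed samples: the header, flags and answer lines of the two replies
# quoted in the task, one from the VyOS forwarder and one from its upstream.
FORWARDER_REPLY=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 6898
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
EOF
)
UPSTREAM_REPLY=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7998
;; flags: qr; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
dnssec-debugger.verisignlabs.com. 2160 IN CNAME webapps.verisignlabs.com.
webapps.verisignlabs.com. 2160 IN A 209.112.118.114
EOF
)
printf 'forwarder: %s; upstream: %s (DNSSEC material from upstream: %s)\n' \
    "$(printf '%s\n' "$FORWARDER_REPLY" | classify_dig_output)" \
    "$(printf '%s\n' "$UPSTREAM_REPLY" | classify_dig_output)" \
    "$(printf '%s\n' "$UPSTREAM_REPLY" | dnssec_material_present)"
```

On the quoted replies this reports the forwarder as servfail and the upstream as unvalidated with no DNSSEC material: the 192.168.1.10 reply to a +dnssec query carries no OPT pseudosection (ADDITIONAL: 0) and no RRSIGs. To feed it a live query instead, pipe `dig <name> +dnssec +multi @<resolver>` into the functions.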

@alexandrestein, can you share your complete dns forwarding config node, please?

Thank you for this very quick response.
I will be out for the night after this message.

Here is my full service > dns configuration:

dns {
    forwarding {
        cache-size 0
        dnssec log-fail
        domain mabbox.bytel.fr {
            server 192.168.77.1
        }
        listen-address 192.168.1.50
        name-server 192.168.1.10
    }
}

It's very simple.
Is there an issue?

No known issue, but it eases reproducibility.