When forwarding a query to a non-DNSSEC nameserver, don't verify the lack of DNSSEC.

The man page says that we don't do DNSSEC on forwarded domains, but if you turn on dnssec_check_signatures this turns out to be untrue, because we try to build up a DS chain to them. Since forwarded domains are usually used for split DNS to hidden domains, they're unlikely to verify to the DNS root anyway, so the way to do DNSSEC for them (as the manual says) is to provide a trust anchor for each forwarder. The problem I've run into is a split DNS setup where I want DNSSEC to work mostly, but one of the forwarding domains doesn't have an internal DNSSEC capable resolver. Without this patch the entire domain goes unresolvable because the DS record query to the internal resolver returns a failure which is interpreted as the domain being BOGUS. The fix is not to do the DS record chase for forwarded domains.

When forwarding a query to a non-DNSSEC nameserver, don't verify the lack of DNSSEC.
The man page says that we don't do DNSSEC on forwarded domains, but if you turn on dnssec_check_signatures this turns out to be untrue, because we try to build up a DS chain to them. Since forwarded domains are usually used for split DNS to hidden domains, they're unlikely to verify to the DNS root anyway, so the way to do DNSSEC for them (as the manual says) is to provide a trust anchor for each forwarder. The problem I've run into is a split DNS setup where I want DNSSEC to work mostly, but one of the forwarding domains doesn't have an internal DNSSEC capable resolver. Without this patch the entire domain goes unresolvable because the DS record query to the internal resolver returns a failure which is interpreted as the domain being BOGUS. The fix is not to do the DS record chase for forwarded domains.
e33b4870 · James Bottomley · Simon Kelley · ad59f278 · e33b4870
Commit e33b4870 authored Mar 17, 2017 by James Bottomley Committed by Simon Kelley Mar 17, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 2 deletions

src/forward.c src/forward.c +3 -2

No files found.
--- a/src/forward.c
+++ b/src/forward.c
@@ -897,7 +897,7 @@ void reply_query(int fd, int family, time_t now)
 		    status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
 		  else
 		    status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, 
-						   option_bool(OPT_DNSSEC_NO_SIGN), NULL, NULL);
+						   option_bool(OPT_DNSSEC_NO_SIGN) && (server->flags && SERV_DO_DNSSEC), NULL, NULL);
 		}
 	      
 	      /* Can't validate, as we're missing key data. Put this
@@ -1476,7 +1476,8 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si
      else if (status == STAT_NEED_DS)
 	new_status = dnssec_validate_ds(now, header, n, name, keyname, class);
      else 
-	new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, option_bool(OPT_DNSSEC_NO_SIGN), NULL, NULL);
+	new_status = dnssec_validate_reply(now, header, n, name, keyname, &class,
+					   option_bool(OPT_DNSSEC_NO_SIGN) && (server->flags && SERV_DO_DNSSEC), NULL, NULL);
      
      if (new_status != STAT_NEED_DS && new_status != STAT_NEED_KEY)
 	break;