Describe the bug
What the title says. This causes +dnssec queries like `dig +dnssec +noadflag SOA .` to NOT return any DNSSEC record (NOTE: +noadflag tells the server that DNSSEC validation is not desired).
Furthermore, hickory-dns does not set the DO bit in the queries that it sends out on behalf of a client, thus not fulfilling the requirement in section 3.2.1 of RFC 4035 (emphasis mine):
The resolver side of a security-aware recursive name server MUST set the DO bit when sending requests, regardless of the state of the DO bit in the initiating request received by the name server side.
Other DNS resolvers like BIND's named and unbound fulfill this requirement regardless of whether DNSSEC validation is enabled / enforced or not.
To Reproduce
Steps to reproduce the behavior:
Build hickory-dns with the following Cargo features: dnssec-openssl,recursor
Run hickory-dns with this configuration
named.toml:
[[zones]]
zone = "."
zone_type = "Hint"
stores = { type = "recursor", roots = "/tmp/root.hints" }
/tmp/root.hints
dig -p $PORT @127.0.0.1 +dnssec +noadflag SOA .
Expected behavior
The answer should have included DNSSEC records like RRSIG records. For example, unbound responds with:
unbound.conf
System: rust:1-slim-bookworm (Docker image)
Version:
Crate: hickory-dns
Version: 6334a01
Additional context
A test of the RFC requirement that does not require internet access can be found in the dnssec-tests repo.
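As an added illustration (not code from this issue or from hickory-dns), the following encodes the RFC 4035 section 3.2.1 check the report relies on: it builds wire-format queries, reads the header AD bit and the EDNS OPT DO bit back out, and reports whether an outgoing resolver query carries DO. All messages are constructed in the block; nothing is sent over the network, and the 1232-byte UDP payload size is an assumed value.

```python
import struct
DNS_TYPE_SOA = 6
DNS_TYPE_OPT = 41
FLAG_AD = 0x0020   # AD bit of the header flags; `dig +noadflag` clears it in the query
OPT_DO = 0x8000    # DO bit: top bit of the 16-bit flags held in the OPT RR's TTL field

def encode_name(name: str) -> bytes:
    """Encode a dotted name into DNS labels ("." becomes the single root byte)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"

def build_query(qname: str, qtype: int, qid: int, do: bool, ad: bool, edns: bool = True) -> bytes:
    """Build a wire-format query; with edns=True an OPT RR carrying the DO bit is appended."""
    flags = 0x0100 | (FLAG_AD if ad else 0)                       # RD=1, AD as requested
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1 if edns else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # QCLASS=IN
    if not edns:
        return header + question
    opt_ttl = OPT_DO if do else 0                                 # ext-RCODE=0, version=0, DO, Z=0
    opt = b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, 1232, opt_ttl, 0)  # root name, UDP size (assumed)
    return header + question + opt

def skip_name(msg: bytes, off: int) -> int:
    while True:                                   # walk labels; a 0xC0 pointer ends the name
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def edns_flags(msg: bytes) -> dict:
    """Extract the header AD bit and the OPT DO bit (None when the message has no OPT RR)."""
    _, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                             # skip QTYPE and QCLASS
    result = {"ad": bool(flags & FLAG_AD), "do": None}
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == DNS_TYPE_OPT:
            result["do"] = bool(ttl & OPT_DO)
    return result

def complies_with_rfc4035_3_2_1(upstream_query: bytes) -> bool:
    """RFC 4035 3.2.1: the resolver side MUST set DO on its own queries, whatever the client sent."""
    return edns_flags(upstream_query)["do"] is True
```

Run the check against the resolver's captured upstream queries: a query with DO cleared, or with no OPT RR at all, fails it even when the triggering client query was sent with DO set and AD cleared.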