hickory-dns resolver does not honor the DO bit in client's queries #2193

Open
japaric opened this issue Apr 24, 2024 · 0 comments

Comments


japaric commented Apr 24, 2024

Describe the bug
What the title says. This causes +dnssec queries like `dig +dnssec +noadflag SOA .` to NOT return any DNSSEC record. (NOTE: +noadflag tells the server that DNSSEC validation is not desired.)

Furthermore, hickory-dns does not set the DO bit in the queries that it sends out on behalf of a client, thus not fulfilling the requirement in section 3.2.1 of RFC4035 (emphasis mine):

> The resolver side of a security-aware recursive name server MUST set the DO bit when sending requests, regardless of the state of the DO bit in the initiating request received by the name server side.

Other DNS resolvers like BIND's named and unbound fulfill this requirement regardless of whether DNSSEC validation is enabled / enforced or not.

To Reproduce
Steps to reproduce the behavior:

  1. Build hickory-dns with the following Cargo features: dnssec-openssl,recursor

  2. Run hickory-dns with this configuration (named.toml):

         [[zones]]
         zone = "."
         zone_type = "Hint"
         stores = { type = "recursor", roots = "/tmp/root.hints" }

  3. Perform the query `dig -p $PORT @127.0.0.1 +dnssec +noadflag SOA .`:

         (..)
         ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
         (..)
         ;; ANSWER SECTION:
         .			86400	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2024042400 1800 900 604800 86400

Expected behavior
The answer should have included DNSSEC records like RRSIG records. For example, unbound responds with:

    (..)
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
    (..)
    ;; ANSWER SECTION:
    .			86400	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2024042400 1800 900 604800 86400
    .			86400	IN	RRSIG	SOA 8 0 86400 20240507050000 20240424040000 5613 . (.. omitted signature ..)

unbound.conf:

    server:
        verbosity: 4
        directory: /tmp/unbound
        use-syslog: no
        username: ""
        chroot: ""
        interface: 127.0.0.1
        port: 1053
        access-control: 127.0.0.1/16 allow

System:

  • OS: Debian (Linux)
  • Architecture: x86_64
  • Version: rust:1-slim-bookworm (Docker image)
  • rustc version: 1.77.2

Version:
Crate: hickory-dns
Version: 6334a01

Additional context
A test of the RFC requirement, which does not require internet access, can be found in the dnssec-tests repo.
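The DO bit the report is about lives in the EDNS(0) OPT pseudo-record (RFC 6891): the high bit of the 16-bit flags field that occupies the low half of the OPT record's TTL. The following is an added example, not code from the issue, from hickory-dns, or from the dnssec-tests repo. It uses only the Rust standard library: `build_query` produces a wire-format query with or without DO, and `dnssec_ok_flag` inspects any wire-format message (query or response) and reports whether an OPT record with DO set is present. The record-skipping logic treats a compression pointer as terminating a name, which is enough for locating the OPT record in the additional section; the function names are this example's own.

```rust
// Added example: build a DNS query carrying the EDNS(0) DO bit and check
// whether a wire-format DNS message carries it. Standard library only.

const TYPE_OPT: u16 = 41; // OPT pseudo-RR type (RFC 6891)
const EDNS_DO: u16 = 0x8000; // DNSSEC OK flag, high bit of the EDNS flags field

/// Encode a domain name ("." or "example.com.") into DNS wire format.
fn encode_name(name: &str) -> Vec<u8> {
    let mut out = Vec::new();
    for label in name.trim_end_matches('.').split('.').filter(|l| !l.is_empty()) {
        out.push(label.len() as u8);
        out.extend_from_slice(label.as_bytes());
    }
    out.push(0); // root label terminates the name
    out
}

/// Build a recursion-desired query for `name`/`qtype` with one OPT record in the
/// additional section; DO is set when `dnssec_ok` is true.
pub fn build_query(id: u16, name: &str, qtype: u16, dnssec_ok: bool) -> Vec<u8> {
    let mut msg = Vec::new();
    msg.extend_from_slice(&id.to_be_bytes());
    msg.extend_from_slice(&0x0100u16.to_be_bytes()); // header flags: RD
    msg.extend_from_slice(&1u16.to_be_bytes()); // QDCOUNT
    msg.extend_from_slice(&0u16.to_be_bytes()); // ANCOUNT
    msg.extend_from_slice(&0u16.to_be_bytes()); // NSCOUNT
    msg.extend_from_slice(&1u16.to_be_bytes()); // ARCOUNT: the OPT record
    msg.extend(encode_name(name));
    msg.extend_from_slice(&qtype.to_be_bytes());
    msg.extend_from_slice(&1u16.to_be_bytes()); // QCLASS IN
    // OPT: root name, TYPE=41, CLASS=UDP payload size,
    // TTL = extended RCODE (8) | EDNS version (8) | flags (16), RDLENGTH=0.
    msg.push(0);
    msg.extend_from_slice(&TYPE_OPT.to_be_bytes());
    msg.extend_from_slice(&4096u16.to_be_bytes());
    msg.push(0); // extended RCODE
    msg.push(0); // EDNS version 0
    let flags: u16 = if dnssec_ok { EDNS_DO } else { 0 };
    msg.extend_from_slice(&flags.to_be_bytes());
    msg.extend_from_slice(&0u16.to_be_bytes()); // RDLENGTH
    msg
}

fn read_u16(buf: &[u8], pos: usize) -> Option<u16> {
    Some(u16::from_be_bytes([*buf.get(pos)?, *buf.get(pos + 1)?]))
}

/// Return the offset just past the name starting at `pos`; a compression
/// pointer (top two bits set) is two bytes and ends the name.
fn skip_name(buf: &[u8], mut pos: usize) -> Option<usize> {
    loop {
        let len = *buf.get(pos)?;
        if len & 0xC0 == 0xC0 {
            return Some(pos + 2);
        }
        if len == 0 {
            return Some(pos + 1);
        }
        pos += 1 + len as usize;
    }
}

/// Some(true) if the message carries an OPT record with DO set, Some(false) if it
/// has no OPT record or DO is clear, None if the message is truncated/malformed.
pub fn dnssec_ok_flag(msg: &[u8]) -> Option<bool> {
    let qdcount = read_u16(msg, 4)?;
    let rrcount = read_u16(msg, 6)? as u32 + read_u16(msg, 8)? as u32 + read_u16(msg, 10)? as u32;
    let mut pos = 12;
    for _ in 0..qdcount {
        pos = skip_name(msg, pos)? + 4; // QTYPE + QCLASS
    }
    for _ in 0..rrcount {
        pos = skip_name(msg, pos)?;
        let rtype = read_u16(msg, pos)?; // TYPE(2) CLASS(2) TTL(4) RDLENGTH(2) follow the name
        let rdlen = read_u16(msg, pos + 8)? as usize;
        if rtype == TYPE_OPT {
            let flags = read_u16(msg, pos + 6)?; // low 16 bits of the TTL field
            return Some(flags & EDNS_DO != 0);
        }
        pos += 10 + rdlen;
    }
    Some(false)
}

fn main() {
    let with_do = build_query(0x1234, ".", 6, true); // SOA for the root, DO set
    let without_do = build_query(0x1234, ".", 6, false);
    println!("DO set:   {:?}", dnssec_ok_flag(&with_do));
    println!("DO clear: {:?}", dnssec_ok_flag(&without_do));
}
```

Pointing `dnssec_ok_flag` at the bytes a resolver sends upstream (for example from a packet capture) is the direct check of the RFC 4035 section 3.2.1 requirement quoted above: with a validating-capable recursive server, the upstream query should report `Some(true)` regardless of the DO bit in the client's own query.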
