Motivation
Currently, the recursive resolver (AKA "recursor") component of the hickory-dns binary has DNSSEC validation disabled, and it cannot be enabled through its configuration options.
We want to be able to enable DNSSEC validation in the resolver.
Use cases
We want to support these use cases:
DNSSEC validation is disabled
DNSSEC validation is enabled
and when DNSSEC validation is enabled we have these sub-use cases:
use a static user-provided / externally-managed trust anchor
use a self-managed trust anchor, which is automatically updated given an initial trust anchor (see RFC5011)
Prior art
unbound
To enable DNSSEC validation and use an externally-managed trust anchor, one has to set the server.trust-anchor-file setting to the path to the trust anchor file:
server:
trust-anchor-file: /etc/trust-key.key
To enable DNSSEC validation and use a self-managed (RFC5011) trust anchor, one has to set the server.auto-trust-anchor-file setting to the path to an initial trust anchor file. An initial trust anchor file can be generated using the unbound-anchor tool. More details about auto-trust-anchor-file and unbound-anchor can be found in https://nlnetlabs.nl/documentation/unbound/howto-anchor/
In both cases, the syntax of the trust anchor file is a newline-separated list of DNS records:
. 86400 IN DNSKEY 257 3 7 (.. omitted base64-encoded data ..)
. 86400 IN DNSKEY 256 3 7 (.. omitted base64-encoded data ..)
BIND (named)
named's configuration syntax is more complex. In the named.conf file, DNSSEC validation can be enabled / disabled using the options.dnssec-validation option:
options {
dnssec-validation auto;
}
The trust anchor is configured in the file /etc/bind/bind.keys, which uses BIND-specific syntax instead of the DNS record syntax.
The static-key column indicates whether the key is externally managed (static-key) or managed according to RFC5011 (initial-key).
Current state
The recursive resolver component is enabled and configured using a [[zones]] section that looks like this:
[[zones]]
zone = "."
zone_type = "Hint"
stores = { type = "recursor", roots = "/tmp/root.hints" }
where the stores entry corresponds to RecursiveConfig when type is recursor.
Proposal
Although the hickory-dns configuration file is modeled after (BIND) named's configuration file, I would propose using a configuration syntax closer to unbound's. Namely, adding these two fields to RecursiveConfig:
pub struct RecursiveConfig {
    pub roots: PathBuf,
    pub ns_cache_size: usize,
    pub record_cache_size: usize,
    /// Path to trust anchor file
    pub trust_anchor_file: Option<PathBuf>,
    /// Whether to manage the trust anchor file using RFC5011 or not (default: false)
    pub rfc5011: bool,
}
trust_anchor_file | rfc5011 | DNSSEC validation
None              | _       | No
Some(_)           | false   | Yes, trust_anchor_file is static key
Some(_)           | true    | Yes, use RFC5011; trust_anchor_file is initial key
The syntax of the trust anchor file will be a newline-separated list of DNS records, either DS or DNSKEY records.
This proposal can be implemented incrementally. We can add only trust_anchor_file first and only support static keys. We can then add rfc5011 when RFC5011 is implemented (if we want to implement it).
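As an added example (not hickory-dns code), this shows how the two proposed fields map onto the validation modes in the table above, and how a trust anchor file in the proposed syntax could be parsed with the standard library only. The owner/ttl/IN layout check, the requirement of four rdata fields for both DS and DNSKEY, and the handling of `;` comments are my assumptions, not part of the proposal.

```rust
use std::path::PathBuf;

/// The two proposed fields (other RecursiveConfig fields omitted in this example).
pub struct RecursiveConfig {
    pub trust_anchor_file: Option<PathBuf>,
    pub rfc5011: bool,
}

#[derive(Debug, PartialEq)]
pub enum DnssecValidation {
    Disabled,
    StaticKey { file: PathBuf },  // externally managed trust anchor
    InitialKey { file: PathBuf }, // RFC5011-managed; the file holds the initial key
}

impl RecursiveConfig {
    /// Encodes the decision table from the proposal.
    pub fn dnssec_validation(&self) -> DnssecValidation {
        match (&self.trust_anchor_file, self.rfc5011) {
            (None, _) => DnssecValidation::Disabled,
            (Some(f), false) => DnssecValidation::StaticKey { file: f.clone() },
            (Some(f), true) => DnssecValidation::InitialKey { file: f.clone() },
        }
    }
}

/// One trust anchor: a DS or DNSKEY record in zone-file syntax.
#[derive(Debug, PartialEq)]
pub struct TrustAnchor { pub owner: String, pub ttl: u32, pub rtype: String, pub rdata: Vec<String> }

/// Parse the newline-separated trust anchor file. Only DS and DNSKEY are accepted;
/// `;` comments and blank lines are skipped (an assumption, not stated in the issue).
pub fn parse_trust_anchors(text: &str) -> Result<Vec<TrustAnchor>, String> {
    let mut anchors = Vec::new();
    for (n, raw) in text.lines().enumerate() {
        let line = raw.split(';').next().unwrap_or("").trim();
        if line.is_empty() { continue; }
        let f: Vec<&str> = line.split_whitespace().collect();
        // Layout: <owner> <ttl> IN <DS|DNSKEY> <rdata>; both types carry 4 rdata fields.
        let ttl = f.get(1).and_then(|t| t.parse::<u32>().ok());
        if f.len() < 8 || f[2] != "IN" || ttl.is_none() {
            return Err(format!("line {}: malformed record", n + 1));
        }
        if f[3] != "DS" && f[3] != "DNSKEY" {
            return Err(format!("line {}: {} is not a trust anchor type", n + 1, f[3]));
        }
        anchors.push(TrustAnchor { owner: f[0].to_string(), ttl: ttl.unwrap(), rtype: f[3].to_string(),
            rdata: f[4..].iter().map(|s| s.to_string()).collect() });
    }
    Ok(anchors)
}
```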
Alternatives
If we foresee supporting different trust anchor management strategies, we could use a single enum field instead of an extra boolean field. Something like this:
pub struct RecursiveConfig {
    pub roots: PathBuf,
    pub ns_cache_size: usize,
    pub record_cache_size: usize,
    pub dnssec_validation: DnssecValidation,
}

#[non_exhaustive]
pub enum DnssecValidation {
    Disabled,
    // RFC5011
    InitialKey { file: PathBuf },
    // externally-managed key
    StaticKey { file: PathBuf },
    // .. other strategies ..
}