dnssec and PTR zones in knot dns resolver
Hi, maybe first the setup. Running Debian Jessie / Stretch and using NSD as nameserver. NSD serves a number of purely internal zones, e.g. "mydomain.dmz" and "mydomain.pub" and so on. Then I installed knot dns resolver from the repository you provide and got it running, e.g. with a config like:
--
-- Bind works well
--
net = { '127.0.0.1', '::1' }
net.listen ( net.eth0 )
user ( 'bind', 'bind' )
cache.size = 25*MB
modules = {
'hints',
'policy',
'view'
}
cache.open (25 * MB, 'lmdb:///var/run/knot-resolver')
cache.size = 25 * MB
trust_anchors.add_file ('/usr/share/dns/root.key', 'readonly=true')
modules = {
'hints',
'policy',
'view'
}
LocalDomains = policy.todnames ({
'example.dmz',
'example.pub',
'10.168.192.in-addr.arpa',
'11.168.192.in-addr.arpa',
'0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.3.a.2.e.4.1.8.8.0.4.d.f.ip6.arpa',
'0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.3.a.2.e.4.1.8.8.0.4.d.f.ip6.arpa'
})
trust_anchors.set_insecure ({
'10.168.192.in-addr.arpa',
'11.168.192.in-addr.arpa',
'0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.3.a.2.e.4.1.8.8.0.4.d.f.ip6.arpa',
'0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.3.a.2.e.4.1.8.8.0.4.d.f.ip6.arpa' })
trust_anchors.add_file ('/etc/nsd/ksk/Kexample.dmz.key', readonly)
trust_anchors.add_file ('/etc/nsd/ksk/Kexample.pub.key', readonly)
policy.add (
policy.suffix (
policy.FORWARD ({ '192.168.10.1@5353', '192.168.10.2@5353' }), LocalDomains
)
)
policy.add (
policy.all (
policy.FORWARD ({ '8.8.8.8', '8.8.4.4' })
)
)
So far so good. The keys are created with "ldns-keygen -a RSASHA256 -b 2048 -k example.com".
Doing a "dig" on some host, everything works as expected and I get a signed response. Doing a PTR dig, everything works well and I get a non-signed response. Doing a PTR dig on the IPv6, I get a "SERVFAIL" by knot dns resolver. Doing the PTR IPv6 dig directly on NSD, I get a response.
E.g.
dig something.example.com
; <<>> DiG 9.14.3 <<>> something.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22849
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;something.example.com. IN A
;; ANSWER SECTION:
something.example.com. 251185 IN A 192.168.11.5
;; Query time: 1 msec
;; SERVER: 192.168.10.1#53(192.168.10.1)
;; WHEN: lun. juil. 15 19:56:35 CEST 2019
;; MSG SIZE rcvd: 63
dig -t PTR 5.11.168.192.in-addr.arpa
; <<>> DiG 9.14.3 <<>> -t PTR 5.11.168.192.in-addr.arpa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34131
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;5.11.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
5.11.168.192.in-addr.arpa. 251159 IN PTR something.example.com.
;; Query time: 1 msec
;; SERVER: 192.168.10.1#53(192.168.10.1)
;; WHEN: lun. juil. 15 19:56:58 CEST 2019
;; MSG SIZE rcvd: 86
dig -t PTR 5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.3.a.2.e.4.1.8.8.0.4.d.f.ip6.arpa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45840
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.3.a.2.e.4.1.8.8.0.4.d.f.ip6.arpa. IN PTR
;; Query time: 2 msec
;; SERVER: 192.168.10.1#53(192.168.10.1)
;; WHEN: lun. juil. 15 19:59:41 CEST 2019
;; MSG SIZE rcvd: 101
dig -t PTR 5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.3.a.2.e.4.1.8.8.0.4.d.f.ip6.arpa @192.168.10.1 -p5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40316
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.3.a.2.e.4.1.8.8.0.4.d.f.ip6.arpa. IN PTR
;; ANSWER SECTION:
5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.3.a.2.e.4.1.8.8.0.4.d.f.ip6.arpa. 259200 IN PTR radius.arrishq.dmz.
;; AUTHORITY SECTION:
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.3.a.2.e.4.1.8.8.0.4.d.f.ip6.arpa. 259200 IN NS ns1.example.dmz.
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.3.a.2.e.4.1.8.8.0.4.d.f.ip6.arpa. 259200 IN NS ns2.example.dmz.
;; Query time: 1 msec
;; SERVER: 192.168.10.1#5353(192.168.10.1)
;; WHEN: lun. juil. 15 20:03:24 CEST 2019
;; MSG SIZE rcvd: 169
Disabling dnssec in the knot dns resolver configuration and changing nothing else, things start working as expected.
The version used is "4.1.0", with the only change that I manually overwrote the systemd dependency because I'm using a different init system.
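As an added diagnostic helper (not code from the post or from the Knot Resolver project), the following script takes the suffix lists from the kresd config above, maps each reverse zone to the network it actually covers, computes the PTR owner name for an address, and summarises dig output (rcode, answer count, `ad` flag) so that a SERVFAIL can be matched against the `set_insecure` list. The IPv6 address and the dig header used as sample input are constructed from the names in the post; `suffix_to_network`, `matching_suffix` and `diagnose` are names chosen here, not resolver API.

```python
"""Added diagnostic helper: which configured suffix covers a reverse name,
which prefix that suffix corresponds to, and what dig reported for it."""
import ipaddress
import re

# Suffixes copied from the LocalDomains list in the kresd config above.
LOCAL_SUFFIXES = [
    'example.dmz',
    'example.pub',
    '10.168.192.in-addr.arpa',
    '11.168.192.in-addr.arpa',
    '0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.3.a.2.e.4.1.8.8.0.4.d.f.ip6.arpa',
    '0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.3.a.2.e.4.1.8.8.0.4.d.f.ip6.arpa',
]
# The four reverse zones are the ones passed to trust_anchors.set_insecure.
INSECURE_SUFFIXES = LOCAL_SUFFIXES[2:]


def canonical(name):
    """Lower-case and drop the trailing dot so names compare reliably."""
    return name.rstrip('.').lower()


def reverse_name(address):
    """PTR owner name for an IPv4/IPv6 address (in-addr.arpa / ip6.arpa)."""
    return ipaddress.ip_address(address).reverse_pointer


def suffix_to_network(arpa_name):
    """Translate a reverse-zone name back into the prefix it covers.

    Returns None for names that are not under in-addr.arpa or ip6.arpa."""
    labels = canonical(arpa_name).split('.')
    if labels[-2:] == ['in-addr', 'arpa']:
        octets = labels[:-2][::-1]            # zone labels are in reverse order
        prefixlen = 8 * len(octets)
        octets += ['0'] * (4 - len(octets))
        return ipaddress.ip_network('.'.join(octets) + f'/{prefixlen}')
    if labels[-2:] == ['ip6', 'arpa']:
        nibbles = ''.join(labels[:-2][::-1])  # one hex digit per label
        prefixlen = 4 * len(nibbles)
        nibbles = nibbles.ljust(32, '0')
        groups = [nibbles[i:i + 4] for i in range(0, 32, 4)]
        return ipaddress.ip_network(':'.join(groups) + f'/{prefixlen}')
    return None


def matching_suffix(name, suffixes=LOCAL_SUFFIXES):
    """Longest configured suffix that covers `name`, or None if no policy applies."""
    n = canonical(name)
    best = None
    for s in suffixes:
        cs = canonical(s)
        if n == cs or n.endswith('.' + cs):
            if best is None or len(cs) > len(best):
                best = cs
    return best


def summarise_dig(output):
    """Pull rcode, answer count and the DNSSEC 'ad' flag out of dig's header."""
    status = re.search(r'status:\s*(\w+)', output)
    flags = re.search(r'^;; flags:\s*([^;]*);', output, re.M)
    answers = re.search(r'ANSWER:\s*(\d+)', output)
    flag_set = set(flags.group(1).split()) if flags else set()
    return {
        'status': status.group(1) if status else None,
        'answers': int(answers.group(1)) if answers else 0,
        'validated': 'ad' in flag_set,
    }


def diagnose(name, dig_output):
    """Combine the suffix lookup with the dig result for one query name."""
    result = summarise_dig(dig_output)
    suffix = matching_suffix(name)
    net = suffix_to_network(suffix) if suffix else None
    result['suffix'] = suffix
    result['insecure'] = suffix in INSECURE_SUFFIXES
    result['network'] = str(net) if net else None
    return result


# Constructed dig header in the shape of the SERVFAIL response shown in the post.
SAMPLE_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45840
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

if __name__ == '__main__':
    for addr in ('192.168.11.5', 'fd40:8814:e2a3:2::5'):   # constructed sample addresses
        print(reverse_name(addr), diagnose(reverse_name(addr), SAMPLE_SERVFAIL))
```

Running `suffix_to_network` over the `set_insecure` entries shows how narrow each negative trust anchor is (a 31-nibble ip6.arpa name is a /124), which is the first thing to compare against the zone cut NSD actually serves when a name under it comes back SERVFAIL only while validation is on.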
Loading kresd directly via CLI:
[system] bind to 'fe80::abcd:edfg:hijk:lmno@53' (UDP): Invalid argument
[ ta ] warning: overriding previously set trust anchors for .
[system] interactive mode
> [ta_update] refreshing TA for example.dmz.
[ta_update] refreshing TA for example.pub.
[ta_update] key: 49312 state: Valid
[ta_update] next refresh for example.dmz. in 1 hours
[ta_update] key: 14881 state: Valid
[ta_update] next refresh for example.pub. in 1 hours
Maybe it's just a layer 8 problem, maybe.