Lyle: If I understand your issue correctly, it is one that I also experienced 
when using a Windows 2008 R2 DNS server to forward to a BIND 9.8.0 recursive 
resolver configured to perform DNSSEC validation. By default Windows 2008 R2 
DNS forwards queries with the CD flag set in the query, and it includes the OPT 
pseudo-resource record with the DO bit set. The meaning of this to the BIND 
resolver is supposed to be "don't bother checking DNSSEC validity" (CD bit set) 
and return DNSSEC information (DO bit set). Unfortunately Windows can't do its 
own DNSSEC validity checking since there is no way to successfully configure 
trust anchors, i.e. Windows DNS isn't really ready for DNSSEC prime time. Thus 
BIND returns answers to Windows even if DNSSEC validation would have failed.

You can alter these unfortunately configured flags in Windows DNS queries using 
the command:
dnscmd /config /EnableEDnsProbes 0

The effect of this is to cause the Windows DNS server to send its queries 
without the OPT pseudo-resource record in the Additional Records section of the 
query. Thus there is no DO bit set, and as a fortunate side effect, the CD flag 
in the standard DNS query flags field is cleared as well.

Under these circumstances, BIND will do DNSSEC validation properly as long as 
you have "dnssec-validation auto;" in the configuration. It will return proper 
SERVFAIL responses to Windows if DNSSEC validation fails.

See "Dnscmd" at http://technet.microsoft.com/en-us/library/cc772069(WS.10).aspx 
for further details.

Hope this is relevant and helpful. Jeff.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School

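As an added illustration (not part of Jeff's or Lyle's mail, and not BIND or Windows code), the following Python builds the two shapes of query described above on the wire and decodes them back: a recursive query with the CD header flag set and an OPT pseudo-RR carrying the DO bit (the shape Jeff reports Windows 2008 R2 sends by default), and the same query with no OPT RR and CD clear (the shape after `EnableEDnsProbes 0`). The messages are constructed approximations of those two cases, not captures of a Windows DNS server; the name `www.example.com` and the transaction ID are arbitrary. The inspector also works on the UDP payload of a real query captured on the BIND host.

```python
"""Build and inspect DNS queries to show the CD flag and the EDNS0 DO bit on the wire.

Constructed example; the packets built here approximate the two cases discussed
in the mail and are not captures from a Windows DNS server.
"""
import struct

QTYPE_A = 1
TYPE_OPT = 41          # OPT pseudo-RR type (RFC 6891)
CLASS_IN = 1
FLAG_RD = 0x0100       # recursion desired
FLAG_AD = 0x0020       # authentic data (set by a validator in answers)
FLAG_CD = 0x0010       # checking disabled (the flag Windows sets by default)
DO_BIT = 0x8000        # "DNSSEC OK", the high bit of the OPT RR's 32-bit TTL field


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels = []
    end = None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:          # compression pointer (RFC 1035 section 4.1.4)
            if end is None:
                end = offset + 2
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (offset if end is None else end)


def build_query(name, qtype=QTYPE_A, txid=0x1234, cd=False, edns=False, do=False, udp_size=4096):
    """Build a recursive query; optionally set CD and append an OPT RR with or without DO."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if edns else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b""
    if edns:
        ttl = DO_BIT if do else 0       # ext-rcode=0, version=0, DO bit, Z=0
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=flags, RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, ttl, 0)
    return header + question + opt


def parse_rr(msg, offset):
    """Parse one resource record; return ((name, type, class, ttl, rdata), next offset)."""
    name, offset = decode_name(msg, offset)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
    offset += 10
    return (name, rtype, rclass, ttl, msg[offset:offset + rdlen]), offset + rdlen


def inspect_query(msg):
    """Report the question, the CD/AD header flags and the EDNS0 DO bit of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    question = None
    for _ in range(qd):
        qname, offset = decode_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        question = (qname, qtype)
    info = {"id": txid, "question": question,
            "cd": bool(flags & FLAG_CD), "ad": bool(flags & FLAG_AD),
            "edns": False, "do": False, "udp_size": None}
    for _ in range(an + ns + ar):
        (_rname, rtype, rclass, ttl, _rdata), offset = parse_rr(msg, offset)
        if rtype == TYPE_OPT:
            info["edns"] = True
            info["udp_size"] = rclass          # OPT reuses the CLASS field for the UDP size
            info["do"] = bool(ttl & DO_BIT)
    return info


def validation_expectation(info):
    """What a validating resolver is asked to do by these flags (RFC 4035 section 3.2.2)."""
    if info["cd"]:
        return "CD set: resolver returns data without validating, so no SERVFAIL on bogus data"
    return "CD clear: resolver validates and answers SERVFAIL if validation fails"


if __name__ == "__main__":
    # Constructed approximations of the two cases from the mail, not real captures.
    default_win = build_query("www.example.com", cd=True, edns=True, do=True)
    probes_off = build_query("www.example.com", cd=False, edns=False)
    for label, pkt in (("EnableEDnsProbes 1 (default)", default_win),
                       ("EnableEDnsProbes 0", probes_off)):
        info = inspect_query(pkt)
        print(label, info, "->", validation_expectation(info))
```

To check the real forwarder rather than the constructed packets, capture the Windows server's queries on the BIND host (for example with tcpdump on port 53) and pass the UDP payload bytes to `inspect_query()`; from the BIND side, `dig +cdflag +dnssec` reproduces the default Windows shape (CD set, OPT RR with DO) so the resolver's behaviour with and without CD can be compared directly.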

-----Original Message-----
From: bind-users-bounces+spainj=countryday....@lists.isc.org 
[mailto:bind-users-bounces+spainj=countryday....@lists.isc.org] On Behalf Of 
Lyle Giese
Sent: Tuesday, September 06, 2011 9:56 AM
To: bind-us...@isc.org
Subject: Bug in Bind 9.8 or am I doing something wrong?

I was following Mark Andrews' discussion with a user about DNSSEC and 
played with it here and found an issue.  Not sure if I am doing 
something wrong or if there is a bug somewhere.

We have a Windows AD domain and use Bind 9.8 on our Linux servers for 
most DNS resolution.  In order to politely set up things, I forwarded the 
queries for AD zones to the Windows server:

zone "chaseprod.local" {
        type forward;
        forwarders { 10.0.100.205; };
};

This seemed to work until I added some stuff for DNSSEC to my named.conf.

In the global option section, I have:

        dnssec-enable yes;
        dnssec-validation auto;
        dnssec-lookaside auto;

And as a general option, I added:

include "/etc/bind.keys";

Under Bind 9.8.0-P4 and Bind 9.8.1 (compiled from source with no special 
options under SLES 10), resolution of a valid record in the forwarded 
zone fails when I added the above dnssec options:
