In message <a316d30a-6933-4ec8-b851-5bfae1276...@oneshoeco.com>, Tom Lanyon writes:
> Hi list,
>
> Just wanted to check my understanding of BIND9's implementation of DNS64 against RFC 6147.
>
> Currently BIND9's "break-dnssec" defaults to "no" - in this configuration, a security-aware & validating recursive resolver will never synthesise an AAAA record via DNS64 when queried with DO=1, regardless of the CD bit.

No. If the answer is secure and DO=1 then it won't synthesise. RFC 6147 just gets DO and CD semantics completely wrong. The WG wanted there to be signaling that the client was going to validate, and DNSSEC does not have such signaling. The best DNSSEC can do is DO=1, which indicates that the client might validate. This is independent of CD.

A validating stub resolver should send its queries with CD=0 so that the recursive server can filter out bad responses from upstream. Only if it gets SERVFAIL should it attempt the query with CD=1, in case the resolver has bad time or bad trust anchors.

Named doesn't lie when DO=1 *and* it is possible to detect the lie. "break-dnssec yes;" tells named to lie even when it is possible to detect the lie.

Stub resolvers don't currently set DO=1, so DNS64 synthesis happens for them.

> When changing "break-dnssec" to "yes", querying with DO=1 will always trigger synthesis of a DNS64 AAAA record, regardless of the CD bit.
>
> Both of these configurations seem to conflict with the DNS64 RFC 6147, which specifies that (so long as the upstream negative AAAA and positive A responses validate) the recursive resolver can still synthesise the DNS64 AAAA when queried with DO=1 and CD=0 but must return the answer with the AD bit set. Only when queried with both DO=1 and CD=1 must it not synthesise the DNS64 AAAA.
>
> Is there any way to configure BIND9 to comply with this RFC 6147 behaviour? We're on 9.8.2, but I couldn't find anything related in the CHANGES for either 9.8 or 9.9.
>
> Thanks,
> Tom
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
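As an added illustration (not code from the thread, from BIND or from ISC), a small Python model of the two synthesis policies discussed above: named's behaviour as Mark describes it (no synthesis when DO=1 and the answer is secure unless break-dnssec is on; CD plays no part) beside RFC 6147 as Tom summarises it (DO=1/CD=0 synthesise and set AD, DO=1/CD=1 never), plus the CD=0-first stub retry order Mark recommends. The DNS64 prefix 64:ff9b::/96 (the RFC 6052 well-known prefix) and the sample addresses are assumptions not taken from the thread.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumed DNS64 prefix (RFC 6052 well-known prefix); the thread does not name one.
WKP = ipaddress.IPv6Network("64:ff9b::/96")

def synthesize_aaaa(a_rdata: str, prefix: ipaddress.IPv6Network = WKP) -> str:
    """Embed an IPv4 address in the low 32 bits of a /96 DNS64 prefix."""
    v4 = int(ipaddress.IPv4Address(a_rdata))
    return str(ipaddress.IPv6Address(int(prefix.network_address) | v4))

@dataclass
class Query:
    do: bool   # EDNS DO bit: the client *might* validate
    cd: bool   # CD bit: the client wants unvalidated data returned

@dataclass
class Upstream:
    aaaa: list = field(default_factory=list)  # empty list = negative AAAA answer
    a: list = field(default_factory=list)     # A rdata used for synthesis
    secure: bool = False                      # negative AAAA and A both validated

def named_dns64(q: Query, up: Upstream, break_dnssec: bool = False) -> dict:
    """named as described in the reply: never lie when DO=1 and the lie is
    detectable (answer is secure), unless break-dnssec is on. CD is ignored."""
    if up.aaaa:
        return {"aaaa": up.aaaa, "synth": False, "ad": up.secure and q.do}
    if q.do and up.secure and not break_dnssec:
        return {"aaaa": [], "synth": False, "ad": True}
    return {"aaaa": [synthesize_aaaa(a) for a in up.a], "synth": True, "ad": False}

def rfc6147_dns64(q: Query, up: Upstream) -> dict:
    """RFC 6147 as summarised in the question: DO=1 and CD=1 -> no synthesis;
    DO=1 and CD=0 with validated upstream data -> synthesise and set AD."""
    if up.aaaa:
        return {"aaaa": up.aaaa, "synth": False, "ad": up.secure and q.do}
    if q.do and q.cd:
        return {"aaaa": [], "synth": False, "ad": False}
    synth = [synthesize_aaaa(a) for a in up.a]
    return {"aaaa": synth, "synth": True, "ad": up.secure and q.do}

def stub_lookup(send) -> tuple:
    """Stub strategy from the reply: query with CD=0 first so the recursive
    server can drop bogus upstream data; retry with CD=1 only on SERVFAIL.
    `send(cd)` returns the RCODE text; the result is (rcode, retried_with_cd)."""
    rcode = send(False)
    if rcode != "SERVFAIL":
        return rcode, False
    return send(True), True
```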