Hi all,

We use RPZ to block malicious domain names. Specifically, we redirect to
a landing page. Our landing page (landingpage.ph.rpz.switch.ch) is
DNSSEC signed. However, if I get an RPZ response from our validating DNS
resolver, it omits any RRSIG. Example:

dig @<resolver> www.oyubaimai[.]top +dnssec

; <<>> DiG 9.11.0rc1 <<>> @<resolver> www.oyubaimai[.]top +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52312
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 4442932ac258891044299f27585cf4bf66cb7f09a55cc096 (good)
;; QUESTION SECTION:
;www.oyubaimai[.]top.           IN      A

;; ANSWER SECTION:
www.oyubaimai[.]top.    5       IN      CNAME   landingpage.ph.rpz.switch.ch.
landingpage.ph.rpz.switch.ch. 86400 IN  A       130.59.118.29

;; AUTHORITY SECTION:
switch.ch.              3463    IN      NS      nsa-p.dnsnode.net.
switch.ch.              3463    IN      NS      ns2.switch.ch.
switch.ch.              3463    IN      NS      scsnms.switch.ch.

;; ADDITIONAL SECTION:
ns2.switch.ch.          3463    IN      AAAA    2001:620:0:ff::2f
scsnms.switch.ch.       3463    IN      AAAA    2001:620:0:ff::a7
ns2.switch.ch.          3463    IN      A       130.59.31.29
scsnms.switch.ch.       3463    IN      A       130.59.31.26

Note, our BIND RPZ configuration does not use "break-dnssec yes" (it
does not matter in this case). www.oyubaimai[.]top is not DNSSEC signed.
landingpage.ph.rpz.switch.ch is DNSSEC signed.

Our DNS resolvers are not only used by stub resolvers but by DNS
resolvers using DNS forwarding as well. I wonder what happens if DNS
forwarding resolvers do DNSSEC validation? It looks like they would
return SERVFAIL to the user as the RPZ response omits any RRSIG for the
landing page.

Is this a BIND bug or a side effect of RPZ? As a workaround, I could
leave rpz.switch.ch unsigned.

Daniel
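The following is an added example, not part of Daniel's message or of BIND: a small checker that parses `dig +dnssec` text output and reports, for the ANSWER section, every RRset that has no covering RRSIG, together with the DO bit of the query and the AD bit of the reply. The first sample is the dig output quoted above; the second is a constructed, hypothetical signed reply for the landing page (its RRSIG fields and signature are made up) so the check can be seen to pass when signatures are present. The `signed_zones` filter is an assumption of this example: it restricts the report to names under zones known to be signed, since an RRset from an unsigned zone such as www.oyubaimai[.]top legitimately has no RRSIG.

```python
"""Report RRsets in a dig +dnssec reply that carry no covering RRSIG.

Example code, not from the post or from BIND. Pure standard library so it
runs offline on captured dig output.
"""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^;; (\w+) SECTION:")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);")
EDNS_RE = re.compile(r"^; EDNS: version: \d+, flags: ([a-z ]*);")

# Sample 1: the RPZ reply quoted in the message above (header, EDNS and answer
# section), with the defanged "[.]" kept exactly as posted.
RPZ_REPLY = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.oyubaimai[.]top.           IN      A

;; ANSWER SECTION:
www.oyubaimai[.]top.    5       IN      CNAME   landingpage.ph.rpz.switch.ch.
landingpage.ph.rpz.switch.ch. 86400 IN  A       130.59.118.29
"""

# Sample 2: CONSTRUCTED, hypothetical reply for the landing page queried
# directly. The RRSIG fields (algorithm, labels, dates, key tag, signer,
# signature) are invented placeholders, not real data from switch.ch.
SIGNED_REPLY = """\
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;landingpage.ph.rpz.switch.ch.  IN      A

;; ANSWER SECTION:
landingpage.ph.rpz.switch.ch. 86400 IN  A       130.59.118.29
landingpage.ph.rpz.switch.ch. 86400 IN  RRSIG   A 8 4 86400 20170101000000 20161201000000 12345 ph.rpz.switch.ch. ZmFrZXNpZ25hdHVyZQ==
"""


def parse_dig(text):
    """Parse dig text output into (header_flags, edns_flags, sections).

    sections maps a section name ("ANSWER", "AUTHORITY", ...) to a list of
    (owner, ttl, class, type, rdata) tuples. Comment lines (";") and lines
    before the first section header are ignored.
    """
    header_flags, edns_flags = set(), set()
    sections = defaultdict(list)
    current = None
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            current = m.group(1)
            continue
        if m := FLAGS_RE.match(line):
            header_flags = set(m.group(1).split())
            continue
        if m := EDNS_RE.match(line):
            edns_flags = set(m.group(1).split())
            continue
        if not line or line.startswith(";") or current is None:
            continue
        parts = line.split(None, 4)
        if len(parts) < 4:
            continue
        owner, ttl, klass, rtype = parts[:4]
        rdata = parts[4] if len(parts) == 5 else ""
        sections[current].append((owner, int(ttl), klass, rtype, rdata))
    return header_flags, edns_flags, sections


def unsigned_rrsets(records, signed_zones=None):
    """Return sorted (owner, type) RRsets with no RRSIG whose type-covered matches.

    The type covered is the first rdata field of an RRSIG. If signed_zones is
    given, only owners at or below one of those zone names are reported, so
    RRsets from zones known to be unsigned do not show up as findings.
    """
    covered, rrsets = set(), set()
    for owner, _ttl, _klass, rtype, rdata in records:
        if rtype == "RRSIG":
            covered.add((owner, rdata.split()[0]))
        else:
            rrsets.add((owner, rtype))
    missing = rrsets - covered
    if signed_zones:
        missing = {
            (o, t) for o, t in missing
            if any(o == z or o.endswith("." + z) for z in signed_zones)
        }
    return sorted(missing)


def check_reply(text, signed_zones=None):
    """Summarise a reply: DO bit sent, AD bit set, and unvalidatable RRsets."""
    header_flags, edns_flags, sections = parse_dig(text)
    return {
        "do": "do" in edns_flags,
        "ad": "ad" in header_flags,
        "unsigned_answer": unsigned_rrsets(sections.get("ANSWER", []), signed_zones),
    }


if __name__ == "__main__":
    for name, reply in (("RPZ reply", RPZ_REPLY), ("signed reply", SIGNED_REPLY)):
        print(name, check_reply(reply, signed_zones=("rpz.switch.ch.",)))
```

Run against the posted reply, the checker shows DO was set, AD is not set, and the landingpage.ph.rpz.switch.ch. A RRset has no RRSIG even though it belongs to a signed zone, which is exactly the condition a downstream validating forwarder would be unable to prove and would turn into SERVFAIL. Against the constructed signed reply it reports nothing missing.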
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users