> Our DNS resolvers are not only used by stub resolvers but by DNS
> resolvers using DNS forwarding as well. I wonder what happens if DNS
> forwarding resolvers do DNSSEC validation? It looks like they would
> return SERVFAIL to the user as the RPZ response omits any RRSIG for the
> landing page.
I tested this out. BIND returns SERVFAIL to the stub resolver.

I also checked out PowerDNS Recursor 4 with RPZ. PowerDNS Recursor 4 returns just the CNAME to the landing page, no A/AAAA record. Thus the forwarding DNS resolver needs to do an additional lookup of the CNAME hostname, which succeeds with RRSIGs returned. So PowerDNS does not break a DNSSEC-signed landing page hostname.

I also tested out Knot Resolver 1.1.1. Knot Resolver currently does not support CNAME responses in RPZ; one has to provide an A/AAAA record if redirection to a landing page is wanted. So Knot Resolver does not suffer from this problem either.

My conclusion is that one should not DNSSEC-sign the landing page if you utilize DNS RPZ with BIND.

Daniel

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
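As an added illustration (not part of Daniel's post and not ISC's own configuration), here is a minimal BIND setup of the kind his test describes: an RPZ zone whose CNAME entries rewrite a blocked name to a landing page. The zone name `rpz.local`, the blocked name `blocked.example` and the landing page `landing.example.net` are placeholders chosen for the example; the file path and the SOA values are likewise assumptions.

```conf
// named.conf (excerpt) -- added example with hypothetical names

options {
    recursion yes;
    // Validate upstream answers with the built-in trust anchor.
    dnssec-validation auto;

    // Apply the policy zone rpz.local to every recursive answer.
    // break-dnssec keeps its default (no); consult the response-policy
    // documentation for its effect on queries that set the DO bit.
    response-policy { zone "rpz.local"; };
};

// The policy zone itself: a local master zone that is never
// handed out to ordinary clients.
zone "rpz.local" {
    type master;
    file "/etc/bind/rpz.local.zone";
    allow-query { localhost; };
};

; /etc/bind/rpz.local.zone -- added example with hypothetical names
$TTL 60
@                  IN SOA   localhost. hostmaster.localhost. ( 1 3600 900 604800 60 )
@                  IN NS    localhost.

; A CNAME in an RPZ zone means "answer with this CNAME instead".
; The wildcard catches subdomains of the blocked name as well.
blocked.example    IN CNAME landing.example.net.
*.blocked.example  IN CNAME landing.example.net.
```

To reproduce what a validating forwarder sees, query the RPZ resolver with the DO bit set, as a validating forwarder would: `dig +dnssec @<rpz-resolver> blocked.example A`. Per Daniel's test, BIND answers with the CNAME to `landing.example.net` and its address records but without RRSIGs, which is what a validating forwarder turns into SERVFAIL. Querying the landing name directly, `dig +dnssec @<rpz-resolver> landing.example.net A`, returns the RRSIGs for a signed landing zone, which is why PowerDNS Recursor's CNAME-only rewrite survives validation: the forwarder resolves the target itself and gets the signatures.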