Thanks Greg. That is very helpful. Sorry I didn't find that article on my own.
Bob From: Greg Choules <g...@isc.org> Sent: Wednesday, October 16, 2024 10:10 AM To: Robert Mankowski <robert.mankow...@hotmail.com> Cc: bind-users@lists.isc.org Subject: Re: DNSSEC, OpenDNS and www.cdc.gov Hi Bob. See if this article helps any first, before we get into configs: https://kb.isc.org/docs/the-umbrella-feature-in-detail Cheers, Greg On 16 Oct 2024, at 14:55, Robert Mankowski <robert.mankow...@hotmail.com<mailto:robert.mankow...@hotmail.com>> wrote: I recently implemented a forward only BIND server for home. I was forwarding to OpenDNS FamilyShield using TLS and DNSSEC at first, but I was getting a noticeable amount of SERVFAIL responses. I believe it is related to DNSSEC (see delv tests below), but I don't believe it is my configuration because when I forward to Cloudflare's Family service, or to Google DNS, I don't have any problems with the same domains (e.g. www.cdc.gov<http://www.cdc.gov/>). I contacted Cisco Umbrella support because I was thinking it's an issue with their servers, but they didn't really help, so I thought I would try this list for advice. Would appreciate it if someone could review my configuration and/or reproduce my results to see if I'm doing something wrong. Thanks, Bob Here are some tests I ran: admin@router1:~$ apt-cache policy bind9 bind9: Installed: 1:9.21.1-1+0~20240920.124+debian12~1.gbp62e0e7 Candidate: 1:9.21.1-1+0~20240920.124+debian12~1.gbp62e0e7 Version table: *** 1:9.21.1-1+0~20240920.124+debian12~1.gbp62e0e7 500 500 https://packages.sury.org/bind-dev bookworm/main amd64 Packages 100 /var/lib/dpkg/status 1:9.18.28-1~deb12u2 500 500 http://deb.debian.org/debian bookworm/main amd64 Packages 500 http://security.debian.org/debian-security bookworm-security/main amd64 Packages admin@router1:~$ delv -v delv 9.21.1-1+0~20240920.124+debian12~1.gbp62e0e7-Debian admin@router1:~$ delv -4 @208.67.220.123 www.cdc.gov<http://www.cdc.gov/>. A ;; insecurity proof failed resolving 'cdc.gov/DNSKEY/IN':<http://cdc.gov/DNSKEY/IN':> 208.67.220.123#53 ;; broken trust chain resolving 'www.cdc.gov/A/IN':<http://www.cdc.gov/A/IN':> 208.67.220.123#53 ;; resolution failed: broken trust chain admin@router1:~$ delv -4 @208.67.222.123 www.cdc.gov<http://www.cdc.gov/>. A ;; insecurity proof failed resolving 'cdc.gov/DNSKEY/IN':<http://cdc.gov/DNSKEY/IN':> 208.67.222.123#53 ;; broken trust chain resolving 'www.cdc.gov/A/IN':<http://www.cdc.gov/A/IN':> 208.67.222.123#53 ;; resolution failed: broken trust chain admin@router1:~$ delv -4 @1.1.1.3 www.cdc.gov<http://www.cdc.gov/>. A ; fully validated www.cdc.gov<http://www.cdc.gov/>. 248 IN CNAME www.akam.cdc.gov<http://www.akam.cdc.gov/>. www.cdc.gov<http://www.cdc.gov/>. 248 IN RRSIG CNAME 8 3 300 20241019153420 20241009150230 1503 cdc.gov<http://cdc.gov/>. b99UIGmCOTJj+C7JFXORmtUXQEIIGdF0q3Z5u6HfAbKcJhjfFjJrkRE6 yntzr0pSksCp1Uwi146xvKz7ImCqkYK67/WlOujyquOGSfgOwO1DvUyj TfvXJWvjSRLTx30lwU6RV80RrC596A16anTpLc7Zi4VEAVncRHeUl1y1 /MG/CSCtE/Ef6tPD1FtGZjhXszVAgrk3fhISCsImRHuGAoIBnIKCKx2M YMhxirfV0z9Qq46PnW9zTzh+EbVKZkN0C+Xl3j2+4sqyHlubhrtgklG/ g0u+99/g/jdfex+Vh7dtcAXFcTZ1XGuPQXgsn6GrznecB8PaXmCxXfft GaDOdQ== www.akam.cdc.gov<http://www.akam.cdc.gov/>. 20 IN A 23.51.224.222 www.akam.cdc.gov<http://www.akam.cdc.gov/>. 20 IN RRSIG A 10 4 20 20241018102927 20241015092927 16701 akam.cdc.gov<http://akam.cdc.gov/>. Lcd7WthqqU+A7UwQkBHZsT0nqxztJkn9cx57wXr4eHHCvJR0cCxZFkwl eIbSffPIu364terXJlcEvuWbWTLrCX7bo0c6B9bA5EPi2DsbegTfkG5u cqrZP9RTzXbfbs5l5w6CQ9DfSPcYx9BIYkusErQu5qQnGhoQ5bXI1VxT Otc= The relevant portion of my named configuration is: tls opendns-tls { remote-hostname "dns.opendns.com<http://dns.opendns.com/>"; }; tls cloudflare_family-tls { remote-hostname "one.one.one.one"; }; tls google-tls { }; tls router1-tls { key-file "/var/cache/bind/privkey.pem"; cert-file "/var/cache/bind/fullchain.pem"; dhparam-file "/var/cache/bind/dhparam.pem"; ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384"; prefer-server-ciphers yes; session-tickets no; }; options { directory "/var/cache/bind"; recursion yes; allow-query { trusted_nets; }; version "none"; forwarders { # 1.1.1.3 port 853 tls cloudflare_family-tls; # 1.0.0.3 port 853 tls cloudflare_family-tls; 208.67.222.123 port 853 tls opendns-tls; 208.67.220.123 port 853 tls opendns-tls; # 8.8.8.8 port 853 tls google-tls; # 8.8.4.4 port 853 tls google-tls; }; forward only; allow-transfer { none; }; dnssec-validation auto; listen-on port 443 tls router1-tls http default { trusted_interfaces; }; listen-on port 853 tls router1-tls { trusted_interfaces; }; listen-on { trusted_interfaces; }; listen-on-v6 { none; }; zone-statistics yes ; }; -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org<mailto:bind-users@lists.isc.org> https://lists.isc.org/mailman/listinfo/bind-users
-- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
