On Sat, Jan 31, 2015 at 04:02:00PM +0100, Wolfgang Rosenauer wrote:
> On 31.01.2015 at 12:29, Markus Benning wrote:
> > On 30.01.2015 at 09:10, Viktor Dukhovni wrote:
> > > - Your C library may not return the "AD" bit in DNSSEC replies
> > >   (OpenBSD seems to have this problem).
> >
> > This may also be the case if your resolver is also authoritative for your domain. Then it won't do recursive validation and will not include the AD flag.
>
> Thanks for that hint. I guess this is exactly the issue. The recursive resolver for the SMTP client is actually indeed also the authoritative DNS for the target domain. This special case was absolutely unexpected to me, though.
Not surprising that it did not occur to you; it is unfortunately not documented.
I've never tested a recursive resolver that is also authoritative for DNSSEC-signed domains.
Based on long-standing advice from DJB, which is now considered "best practice", I always separate the authoritative and recursive DNS servers. On my mail server (which is also the primary nameserver for my domain) I have:
* loopback:53 - Recursive, validating unbound resolver, authoritative only for localhost and loopback addresses:
    interface: 127.0.0.1
    interface: ::1
    do-not-query-address: 127.0.0.0/8
    do-not-query-address: ::1
    cache-max-ttl: 14400
    max-udp-size: 8192
    minimal-responses: yes
    module-config: "validator iterator"
    auto-trust-anchor-file: "keys/root.key"

    local-zone: "localhost." static
    local-zone: "127.in-addr.arpa." static
    local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." static
    domain-insecure: "localhost."
    domain-insecure: "127.in-addr.arpa."
    domain-insecure: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa."
    local-data: "localhost. IN A 127.0.0.1"
    local-data: "localhost. IN AAAA ::1"
    local-data-ptr: "127.0.0.1 localhost."
    local-data-ptr: "::1 localhost."
* <public-address>:53 - Authoritative BIND 9.10p1 server, which serves a few domains.
    options {
        ...
        #
        # DNSSEC, with 14 day signatures, the secondary expire
        # time in the SOA should be at most 7 days. Otherwise,
        # secondaries might in some cases serve already expired
        # data.
        #
        dnssec-enable yes;
        sig-validity-interval 14;

        #
        # Authoritative service only, listen on external v4/v6
        # addresses, but not the loopback ("unbound" resolver).
        #
        recursion no;
        listen-on { <public ip range>; };
        listen-on-v6 { <public ipv6 range>; };
        ...
    }
The /etc/resolv.conf file lists only 127.0.0.1, so all queries for my own domain go to "unbound", which does the validation, and sets the AD bit the same way as for "remote" domains, since for "unbound" all domains are "remote".
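The split described in the message above (validating unbound on the loopback, authoritative BIND on the public address) can be checked from the client side by looking at the AD bit in the reply header, which is exactly what the Postfix client looks for. The following Python script is an added example, not code from this thread or from anyone's configuration: it builds a minimal query with the RD and AD bits set plus an EDNS0 OPT record with DO, parses the 12-byte reply header and classifies the answer. The sample replies are constructed in the block rather than captured; `query_server` is a hypothetical helper that sends the same query over UDP to a resolver of your choice when you want to test a live system.

```python
"""Check whether a DNS resolver returns the AD (authenticated data) bit.

Added example for the unbound/BIND split discussed in the thread; the
sample replies below are constructed, not captured traffic.
"""
import socket
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD/CD from RFC 2535/4035)
FLAG_QR = 0x8000  # message is a response
FLAG_AA = 0x0400  # authoritative answer
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # authenticated data (resolver validated the answer)
FLAG_CD = 0x0010  # checking disabled
EDNS_DO = 0x8000  # DNSSEC OK, carried in the OPT RR's TTL field
RCODE_SERVFAIL = 2


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels plus root."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1, txid=0x1234):
    """Query with RD and AD set and an EDNS0 OPT RR carrying DO, so a
    validating resolver is asked to report AD (qtype 1 = A record)."""
    header = struct.pack(">HHHHHH", txid, FLAG_RD | FLAG_AD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack(">HH", qtype, 1)
    # OPT RR: root name, TYPE 41, UDP payload size, ext-rcode, version, flags, RDLEN
    opt = b"\x00" + struct.pack(">HHBBHH", 41, 4096, 0, 0, EDNS_DO, 0)
    return header + question + opt


def parse_header(msg):
    """Return the header fields that matter for the AD check."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "aa": bool(flags & FLAG_AA),
            "ad": bool(flags & FLAG_AD), "rcode": flags & 0x000F, "ancount": an}


def classify(reply):
    """Say what the reply tells us about validation at the resolver."""
    h = parse_header(reply)
    if not h["qr"]:
        return "not-a-response"
    if h["rcode"] == RCODE_SERVFAIL:
        return "servfail"  # bogus data or broken chain at a validating resolver
    if h["ad"]:
        return "validated"  # the resolver validated the data and set AD
    if h["aa"]:
        return "authoritative-unvalidated"  # the symptom from the thread: AA but no AD
    return "unvalidated"


def query_server(server, name, qtype=1, timeout=3.0):
    """Hypothetical helper: send the query over UDP to `server` (e.g. "127.0.0.1")
    and return the raw reply. Needs network access; not used by the offline checks."""
    q = build_query(name, qtype)
    fam = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(fam, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        reply, _ = s.recvfrom(4096)
    if parse_header(reply)["id"] != parse_header(q)["id"]:
        raise ValueError("transaction id mismatch")
    return reply


def _sample_reply(flags, ancount=1, txid=0x1234):
    # Constructed 12-byte header only; enough for the flag checks above.
    return struct.pack(">HHHHHH", txid, FLAG_QR | flags, 1, ancount, 0, 0)


# Constructed sample replies, not captured traffic.
REPLY_VALIDATING = _sample_reply(FLAG_RD | FLAG_RA | FLAG_AD)    # what loopback unbound returns
REPLY_AUTHORITATIVE = _sample_reply(FLAG_AA | FLAG_RD)           # authoritative server asked directly
REPLY_SERVFAIL = _sample_reply(FLAG_RD | FLAG_RA | RCODE_SERVFAIL, ancount=0)

if __name__ == "__main__":
    for label, r in (("validating", REPLY_VALIDATING), ("authoritative", REPLY_AUTHORITATIVE)):
        print(label, "->", classify(r))
    # To check a live resolver (the one in /etc/resolv.conf), uncomment:
    # print(classify(query_server("127.0.0.1", "example.com")))
```

Run against the loopback resolver, a signed name should classify as "validated"; pointing the same query at the authoritative address instead yields "authoritative-unvalidated", which is the condition Markus described. The same check can be made interactively with `dig +dnssec +adflag @127.0.0.1 <name>` and looking for "ad" in the flags line.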