Hi,
I just switched to PowerDNS Recursor on my Postfix mailserver since their latest version (4) now supports DNSSEC validation.
Unfortunately now Postfix seems to be unable to verify DANE anymore. I always get only "Anonymous TLS connections" where I got "Verified" ones when using bind.
Apparently and somewhat confirmed by tcpdump and the PowerDNS guys it seems that Postfix relies on the +AD flag to signal a DNSSEC validated response but doesn't request it. I can only find a set DO bit in the query's dump.
I'm running Postfix 3.1.1 fwiw.
Any idea?
Thanks, Wolfgang
On Mon, Jul 11, 2016 at 10:16:47PM +0200, Wolfgang Rosenauer wrote:
Apparently and somewhat confirmed by tcpdump and the PowerDNS guys it seems that Postfix relies on the +AD flag to signal a DNSSEC validated response but doesn't request it. I can only find a set DO bit in the query's dump.
Requesting "DO" is expected to subsume "AD". It does with BIND and "unbound". The libresolv API does not provide a mechanism to turn on the "AD" bit in requests made via res_search(3).
The only relevant resolver flag RES_USE_DNSSEC turns on "DO", not "AD".
You should probably use "unbound" or BIND as your validating resolver, PowerDNS is only compelling as an authoritative server.
Wolfgang Rosenauer wrote:
I just switched to PowerDNS Recursor on my Postfix mailserver since their latest version (4) now supports DNSSEC validation.
Unfortunately now Postfix seems to be unable to verify DANE anymore. I always get only "Anonymous TLS connections" where I got "Verified" ones when using bind.
Apparently and somewhat confirmed by tcpdump and the PowerDNS guys it seems that Postfix relies on the +AD flag to signal a DNSSEC validated response but doesn't request it. I can only find a set DO bit in the query's dump.
Sorry for maybe asking the obvious: Did you turn on DNSSEC validation in your recursor.conf?
dnssec=validate
Ciao, Michael.
Michael Ströder wrote:
Wolfgang Rosenauer wrote:
I just switched to PowerDNS Recursor on my Postfix mailserver since their latest version (4) now supports DNSSEC validation.
Unfortunately now Postfix seems to be unable to verify DANE anymore. I always get only "Anonymous TLS connections" where I got "Verified" ones when using bind.
Apparently and somewhat confirmed by tcpdump and the PowerDNS guys it seems that Postfix relies on the +AD flag to signal a DNSSEC validated response but doesn't request it. I can only find a set DO bit in the query's dump.
Sorry for maybe asking the obvious: Did you turn on DNSSEC validation in your recursor.conf?
dnssec=validate
See also:
https://doc.powerdns.com/md/recursor/settings/#dnssec
Ciao, Michael.
Hi Wolfgang,
On 11/07/2016 22:16 PM, Wolfgang Rosenauer wrote:
Hi,
I just switched to PowerDNS Recursor on my Postfix mailserver since their latest version (4) now supports DNSSEC validation.
Unfortunately now Postfix seems to be unable to verify DANE anymore. I always get only "Anonymous TLS connections" where I got "Verified" ones when using bind.
Apparently and somewhat confirmed by tcpdump and the PowerDNS guys it seems that Postfix relies on the +AD flag to signal a DNSSEC validated response but doesn't request it. I can only find a set DO bit in the query's dump.
I'm running Postfix 3.1.1 fwiw.
Any idea?
Thanks, Wolfgang
setting the AD-Bit without DO-Bit in a DNS query is a rather new addition to DNSSEC (Feb 2013 -- https://tools.ietf.org/html/rfc6840#page-10 ).
It is used when a client just wants the AD-Bit in the response, without the DNSSEC records. Only quite new DNS resolver support this.
The original DNSSEC standard RFC 4033-4035 as implemented in BIND 9, Unbound, MS DNS and other DNS resovlers, when a stub-resolver asks with the DO-Bit set, it will validate the data and return the DNSSEC-records plus the AD-Bit set in case all data validates.
If PowerDNS recursor does not set the AD-Bit on a query with DO-Bit set, it looks like the DNSSEC protocol is not implemented in a compatible way to existing software.
-- Carsten
Hello,
apologies if I am breaking the thread - I imported from the Mailman archive and thus have no message IDs. I am taking this opportunity to reply to two emails at once :)
On 11 Jul 2016, at 22:38, ietf-dane at dukhovni.org wrote:
Requesting "DO" is expected to subsume "AD". It does with BIND and "unbound". The libresolv API does not provide a mechanism to turn on the "AD" bit in requests made via res_search(3).
I have requested an enhancement for this at https://sourceware.org/bugzilla/show_bug.cgi?id=20358
The only relevant resolver flag RES_USE_DNSSEC turns on "DO", not "AD".
I can see how that happened pre-RFC6840 but today this is an annoying limitation. I have the impression Postfix has a private ‘clone’ of res_*, so maybe Postfix could change to +AD? It would seriously reduce DNS response sizes for your TLSA queries.
On 11 Jul 2016, at 23:12, cs at sys4.de wrote:
setting the AD-Bit without DO-Bit in a DNS query is a rather new addition to DNSSEC (Feb 2013 -- https://tools.ietf.org/html/rfc6840#page-10 ).
It is used when a client just wants the AD-Bit in the response, without the DNSSEC records. Only quite new DNS resolver support this.
In DNSSEC, there are only new resolvers. DNSSEC is too new to be running an old resolver.
The original DNSSEC standard RFC 4033-4035 as implemented in BIND 9, Unbound, MS DNS and other DNS resovlers, when a stub-resolver asks with the DO-Bit set, it will validate the data and return the DNSSEC-records plus the AD-Bit set in case all data validates.
Neither 4035 or 6840 are clear enough on this. But indeed all other implementations, including Google DNS, do validation + AD if DO is in the query.
If PowerDNS recursor does not set the AD-Bit on a query with DO-Bit set, it looks like the DNSSEC protocol is not implemented in a compatible way to existing software.
We did not expect anybody to rely on ‘DO implies AD’, as we didn’t think that usage made any sense. In light of the glibc limitation however, we are going to accommodate ‘older’ clients, tracked at https://github.com/PowerDNS/pdns/issues/4159
Kind regards,
participants (5)
-
Carsten Strotmann (sys4)
-
Michael Ströder
-
Peter van Dijk
-
Viktor Dukhovni
-
Wolfgang Rosenauer