Recursor: Add dnssec=process-no-validate option #3905

Merged
merged 3 commits into from May 27, 2016


@pieterlexis
Member

This option turns the recursor into a "Security-Aware Recursive Name Server" (RFC 4033 §2), meaning it will pass on RRSIGs and NSEC(3)s but will not validate, even when the client requests it. This is similar to e.g. unbound without the validator enabled.

@pieterlexis pieterlexis added the rec label May 26, 2016
@pieterlexis pieterlexis added this to the rec-4-beta1 milestone May 26, 2016
@rgacogne rgacogne and 1 other commented on an outdated diff May 27, 2016
pdns/pdns_recursor.cc
@@ -959,7 +959,7 @@ void startDoResolve(void *p)
}
// Does the query or validation mode sending out a SERVFAIL on validation errors?
- if(!pw.getHeader()->cd && (g_dnssecmode == DNSSECMode::ValidateAll || (dc->d_mdp.d_header.ad && g_dnssecmode != DNSSECMode::Off))) {
+ if(!pw.getHeader()->cd && (g_dnssecmode == DNSSECMode::ValidateAll || (dc->d_mdp.d_header.ad && (g_dnssecmode != DNSSECMode::Off || g_dnssecmode != DNSSECMode::ProcessNoValidate)))) {
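Review bot: the guard added on the `+` line, `(g_dnssecmode != DNSSECMode::Off || g_dnssecmode != DNSSECMode::ProcessNoValidate)`, is always true with `||` (every mode differs from at least one of the two values), so the new clause cannot restrict anything; it should read `&&`, or be removed altogether if, as the thread says, the check at line 934 already keeps Off and ProcessNoValidate out of this path. If it is removed, a one-line comment on the remaining condition stating that invariant would keep the next reader from re-adding it. The context comment above the condition is also hard to parse ("Does the query or validation mode sending out a SERVFAIL"); it would be worth rewording in a follow-up.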
@rgacogne
rgacogne May 27, 2016 Member

I think:
(g_dnssecmode != DNSSECMode::Off || g_dnssecmode != DNSSECMode::ProcessNoValidate)
should be:
(g_dnssecmode != DNSSECMode::Off && g_dnssecmode != DNSSECMode::ProcessNoValidate)

I guess it doesn't break because the condition on line 934 prevents us from getting here if g_dnssecmode is Off or ProcessNoValidate.

@pieterlexis
pieterlexis May 27, 2016 Member

I think we can drop the whole && (g_dnssecmode != DNSSECMode::Off || g_dnssecmode != DNSSECMode::ProcessNoValidate) as indeed the earlier condition prevents this.
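As an added example (not PowerDNS code) covering both the option described in the PR text and the condition discussed in the review: a small C++ model of the SERVFAIL-on-validation-failure decision, with the merged form next to the `||` form from the diff. `reachesValidation` is an assumption standing in for the line 934 check that is not shown on this page.

```cpp
#include <initializer_list>

// Added illustration, not PowerDNS code: the DNSSEC modes named in this PR.
enum class DNSSECMode { Off, ProcessNoValidate, Process, ValidateAll };

// Query-header bits the recursor consults when deciding how to answer.
struct QueryFlags {
  bool cd;  // Checking Disabled: client will do its own validation
  bool ad;  // AD set in the query: client asks for validated answers
};

// Assumption standing in for the "condition on line 934" the reviewers cite:
// Off and ProcessNoValidate never reach the validation step. ProcessNoValidate
// still forwards RRSIGs and NSEC(3)s, as the PR text says (RFC 4033 §2).
bool reachesValidation(DNSSECMode mode) {
  return mode != DNSSECMode::Off && mode != DNSSECMode::ProcessNoValidate;
}

// The condition as merged, extra guard dropped: SERVFAIL on a bogus result
// only when CD is clear and we either validate everything or the client
// asked for validation via AD.
bool servfailOnBogus(DNSSECMode mode, QueryFlags q) {
  if (!reachesValidation(mode)) return false;
  return !q.cd && (mode == DNSSECMode::ValidateAll || q.ad);
}

// The guard as first written in the diff. With ||, every mode satisfies
// "!= Off || != ProcessNoValidate", so the added clause is always true.
bool servfailOnBogusAsSubmitted(DNSSECMode mode, QueryFlags q) {
  if (!reachesValidation(mode)) return false;
  return !q.cd && (mode == DNSSECMode::ValidateAll ||
                   (q.ad && (mode != DNSSECMode::Off ||
                             mode != DNSSECMode::ProcessNoValidate)));
}

// Compares both forms over every mode and flag combination; returns true when
// they agree everywhere, which is why the wrong operator broke nothing.
bool submittedGuardIsRedundant() {
  const DNSSECMode modes[] = {DNSSECMode::Off, DNSSECMode::ProcessNoValidate,
                              DNSSECMode::Process, DNSSECMode::ValidateAll};
  for (DNSSECMode m : modes)
    for (bool cd : {false, true})
      for (bool ad : {false, true})
        if (servfailOnBogus(m, QueryFlags{cd, ad}) !=
            servfailOnBogusAsSubmitted(m, QueryFlags{cd, ad}))
          return false;
  return true;
}
```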

@rgacogne
Member

Except for the previous comment, LGTM!

pieterlexis added some commits May 26, 2016
@pieterlexis pieterlexis Recursor: Add process-no-validate option
Make it also the default. This turns the recursor into a
"Security-Aware Recursive Name Server" (RFC 4033 §2), meaning it will
pass on RRSIGs and NSEC(3)s but will not validate.
a641514
@pieterlexis pieterlexis pdns_recursor.cc: some whitespace fixes ea9ddf8
@pieterlexis pieterlexis Add test for dnssec=process-no-validate d8319ad
@pieterlexis pieterlexis merged commit 5f1e5a9 into PowerDNS:master May 27, 2016

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed
@pieterlexis pieterlexis deleted the pieterlexis:dnssec-process-no-validate branch May 27, 2016