New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support Validating DNSSEC for Signed Domains #1708
Comments
I think this is accurate and represents a bit of a deficiency in the current implementation. I think to properly encode this, we will need |
I'm looking at supporting DANE in an MTA and this feels like it would be key to implementing it securely. How much effort would it be to implement the changes proposed in this issue? I'm open to sitting down to do this work, with the big caveat that I am not a DNSSEC guy and don't know this codebase. Is this "just" a matter of refactoring to expose the right bits in the right places? I'm the point where I need to consider whether I should find another resolver implementation; I'm not enthusiastic about doing that! Are there alternative ways I could work around this? |
From reading @bluejekyll's suggestions I would guess that it is indeed "just" a matter of propagating the validation context up through the call stack. The deviation between request and response messages sounds potentially hairy, so I'd maybe start there? |
Ok, here's the thing I'm wondering. We have this type: I don't know if this is a good idea or not. Obvious downsides would be that we would consume more memory for each Record, including cache. Maybe we could instead of storing the entire chain we could just store the proof result, i.e.
This is a lot of work, and it would be nice to try and limit the breaking changes, so try to keep the changes to interior types and/or add new methods where necessary. I'm not sure if this the "correct" thing, and there are definitely downsides on memory consumption. Thoughts? |
From the consuming application perspective, the goal is to be able to reason about the signature status.
It also provides a I don't know if it is necessary to retain the full chain of information internally to be able to report the equivalent information in the trust resolver results. If a component of the chain is In #1650 there is discussion around propagating the AD bit through to the result; to my I-am-not-a-DNS-expert eyes, that sounds like the From the public API, I think what I'm looking for is:
|
One of the things I've been struggling with around DNSSEC is that there isn't a perfect guide to what should happen. In so many cases As to the First to your points, I agree that for your use case (and probably in general) capturing the key chains isn't necessary. But I do think we need to track each verified record in the response properly. The four states we have (which to me implies an enum as part of the return, maybe
In terms of failure with an What do you think? |
The more I think about DNS results, the more I think that there is a lot more nuance than I've spent some time wrapping up unbound to play around with this stuff recently; at first I was like "ugh, look at all these discrete bits of information!", but after sitting with it for a bit, I do think that having those available makes sense, and I might even go a little further with the trust result: having NoRecordsFound be an err variant was a little surprising to me; in the unbound API they have a result type that has the list of records (if any), and the rcode holds the status information. That also allows for the no-records-but-not-nxdomain case to be reported as signed. Is an nxdomain rcode something that could also be signed as well? So in short, yes, I would be totally happy for bogosity to not be automatically treated as an error. I think having an enum with 4 values to reflect the security status makes sense. I would lean towards
|
I like |
Perhaps not the best logic, but I ended up doing that as I needed a way to fail the request to make the async tasks failover cleanly between each other. I think it's debatable if that's an error or not. IMO, we failed to retrieve any records for the request, so it can be interpreted as an error.
Yes, though it's not actually an NXDOMAIN at that point. It's an NSEC record that shows that there are no records at that name. In DNSSEC I don't believe NXDOMAIN is ever a valid response, in that you should always get some proof that the name does not exist for any record type. (Well, actually NXDOMAIN might be an ok response for I like the name suggestions. So I think the new type we're discussing is this, I put in the record idea for the pub enum DnssecStatus {
/// Domain is signed and passed validation
Signed,
/// Domain is known to be unsigned and parent zone proves this
Unsigned,
/// Domain should be signed and either DNSKEYs were not available or verification failed
FailedValidation{record_failed_validation: Option<(Name, RecordType)>},
/// DNSSEC was not requested, therefor is unknown
Unknown,
} I'm still not sure how we should track this in the |
I would lean away from a parallel list, as that pattern can end up feeling awkward and more complex in the long run, even if perhaps it might be simpler to integrate now. |
Sounds good. We'll see how messy it gets :) Are you comfortable exploring this change? Are there any other points you want to discuss? I think this is going to end up changing |
BTW, I found https://datatracker.ietf.org/doc/html/rfc4035#section-4.3 to say:
So maybe we could just reuse these names. |
Thanks for digging that up. We could even just cut and paste those descriptions into the rust-doc comments for the types. Thanks, @djc for digging that up. Also, note, we currently don't properly detect Indeterminate is an interesting case, basically it could be either, the resolver wasn't asked for DNSSEC records, or the upstream DNS server isn't able to send them back due to being old or misconfigured. |
btw, I'm going to take a stab at implementing this as I think it will unblock some other work and it might touch enough interfaces that it's worth having a discussion now. |
Right now it appears that trust-dns has two options surrounding DNSSEC.
What I would like to propose is:
This provides security for domains that support DNSSEC while not breaking the web for the domains that don't.
The text was updated successfully, but these errors were encountered: