CoreDNS cache violates rfc6840

[micw]

Some users of https://github.com/Mailu/Mailu reported that DNSSec is not working properly with CoreDNS. We figured out that it is caused by a change to CoreDNS introduced with #4736 that violates rfc6840.

For Details, please see comment in #4736 (comment) and discussion in Mailu/Mailu#2239 (comment)

[chrisohaver]

This is in breach of https://datatracker.ietf.org/doc/html/rfc6840#section-5.8 ... which makes perfectly clear that DO or AD in the query should be treated the same (and the AD flag preserved).

That isn't perfectly clear to me. Can you explain in more detail what is being violated?

/label needs info

[chrisohaver]

@micw, I think perhaps you intended to link to https://datatracker.ietf.org/doc/html/rfc6840#section-5.7? Or at least the 5.8 section makes more sense in the context of 5.7.

Essentially, a requester is permitted to indicate that it understands the AD bit without also requesting DNSSEC data via the DO bit. And therefore a response SHOULD retain the AD original response's AD bit, regardless of the state of the DO bit in the request.

In which case the origin of the behavior in question is #4085. #4736 simply aligns the cache miss behavior to the cache hit behavior established in #4085. IMO, it doesn't make sense for cache hit and miss behavior to differ here.

[outbackdingo]

dont know why this is closed, i just deployed # Version of mailu docker images to use when not specified otherwise
mailuVersion: 1.9.26

on kubernetes 1.21.3

Client Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.1", GitCommit:"3ddd0f45aa91e2f30c70734b175631bec5b5825a", GitTreeState:"archive", BuildDate:"2022-06-18T00:00:00Z", GoVersion:"go1.18.3", Compiler:"gc", Platform:"linux/amd64"}
Kustomize Version: v4.5.4
Server Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.3", GitCommit:"ca643a4d1f7bfe34773c74f79527be4afd95bf39", GitTreeState:"clean", BuildDate:"2021-07-15T20:59:07Z", GoVersion:"go1.16.6", Compiler:"gc", Platform:"linux/amd64"}
WARNING: version difference between client (1.24) and server (1.21) exceeds the supported minor version skew of +/-1

and im still getting this error
CRITICAL:root:Your DNS resolver at 10.96.0.10 isn't doing DNSSEC validation; Please see https://mailu.io/master/faq.html#the-admin-container-won-t-start-and-its-log-says-critical-your-dns-resolver-isn-t-doing-dnssec-validation.
CRITICAL:root:Your DNS resolver at 10.96.0.10 isn't doing DNSSEC validation; Please see https://mailu.io/master/faq.html#the-admin-container-won-t-start-and-its-log-says-critical-your-dns-resolver-isn-t-doing-dnssec-validation.
CRITICAL:root:Your DNS resolver at 10.96.0.10 isn't doing DNSSEC validation; Please see https://mailu.io/master/faq.html#the-admin-container-won-t-start-and-its-log-says-critical-your-dns-resolver-isn-t-doing-dnssec-validation.

so how can i fix this and move forward with migrating email services

[chrisohaver]

dont know why this is closed

It was closed because the reported issue ("CoreDNS cache violates rfc6840") was fixed and merged.

[outbackdingo]

yupp i see what happened mailu, which i deployed still has the issue, it was linked to your bug as fixed... i was like but its not, then now i see the bug is mailu now coredns.