Opened 7 years ago

Closed 6 years ago

#2226 closed defect (fixed)

direct queries for RRSIG

Reported by: jelte Owned by: muks
Priority: high Milestone: bind10-1.2-release-freeze
Component: Unclassified Version:
Keywords: Cc:
CVSS Scoring: Parent Tickets:
Sensitive: no Defect Severity: N/A
Sub-Project: DNS Feature Depending on Ticket:
Estimated Difficulty: 6 Add Hours to Ticket: 0
Total Hours: 0 Internal?: no

Description

Currently, our several datasources respond to direct RRSIG queries differently; the sqlite3-based one returns them, the memory ds returns no data.

AFAIK, there is no full consensus on what to do here:

  • on the one hand, RRSIG should be closely coupled with their corresponding RRsets, so querying for them separately might cause unforeseen problems
  • however, that is really up to the validator, and not the server (for instance it might try to work around caches that strip them unless queried directly)
  • returning nothing is technically an invalid DNSSEC response (since the NODATA response cannot be proven with an NSEC, as the NSEC shows there should be data)
  • and of course it would be good to be consistent.

There was a discussion on namedroppers a while ago:
http://www.ietf.org/mail-archive/web/dnsext/current/msg07123.html

Implementing the 'correct' return of RRSIGs is not entirely trivial for the memory-backend, but it should not be too hard as long as we don't care too much about efficiency for this case (do we have data on if and how much these queries occur?)

If we decide that these queries should NOT be answered, it is probably better to return something like REFUSED rather than a nodata answer.

Subtickets

Change History (8)

comment:1 Changed 7 years ago by shane

  • Milestone New Tasks deleted

comment:2 Changed 6 years ago by muks

We decided to patch this in b10-auth so that we return rcode=REFUSED for qtype=RRSIG:

  • RRSIG and the covered rrset go together, so we refuse to serve RRSIGs directly.
  • The in-memory datasource currently does not implement it (and iterating over all RRSIGs in our current design will be a time-consuming process).
  • We don't want to implement it in the future, so instead of rcode=NOTIMP, we will return rcode=REFUSED.
  • We will return this early in the b10-auth server code itself, so that this reply is consistent across all data sources.
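As an added illustration of the early check described in this comment (example code written for this page, not BIND 10's own C++ implementation): a minimal Python handler that parses the question section of a wire-format DNS query and answers rcode=REFUSED whenever qtype is RRSIG (type 46), before any data source is consulted. The helper names, the flag handling and the constructed sample query are my assumptions.

```python
import struct

RRSIG_TYPE = 46        # RRSIG qtype (RFC 4034)
RCODE_REFUSED = 5      # REFUSED rcode (RFC 1035)


def parse_question(msg: bytes):
    """Parse the header and the first question of a wire-format DNS message.

    Returns (msg_id, flags, qname, qtype, qclass, end_offset_of_question).
    """
    if len(msg) < 12:
        raise ValueError("short DNS header")
    msg_id, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated QNAME")
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not allowed in the question
            raise ValueError("compression pointer in question QNAME")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    pos += 4
    return msg_id, flags, ".".join(labels) + ".", qtype, qclass, pos


def refused_response(query: bytes) -> bytes:
    """Build a REFUSED reply: same ID, QR set, opcode and RD kept, question echoed."""
    msg_id, flags, _name, _qtype, _qclass, qend = parse_question(query)
    resp_flags = 0x8000 | (flags & 0x7900) | RCODE_REFUSED  # QR | opcode+RD | rcode
    header = struct.pack("!HHHHHH", msg_id, resp_flags, 1, 0, 0, 0)
    return header + query[12:qend]


def early_rrsig_check(query: bytes):
    """Return a REFUSED message for qtype=RRSIG; None means 'go on to the data source'."""
    _id, _flags, _name, qtype, _qclass, _end = parse_question(query)
    return refused_response(query) if qtype == RRSIG_TYPE else None


def build_query(msg_id: int, name: str, qtype: int, qclass: int = 1) -> bytes:
    """Constructed sample input: a standard query with RD set for name/qtype/qclass."""
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0) + wire + b"\x00" + struct.pack("!HH", qtype, qclass)
```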

comment:3 Changed 6 years ago by muks

  • Milestone set to Sprint-20131015
  • Owner set to UnAssigned
  • Status changed from new to reviewing

Up for review.

comment:4 Changed 6 years ago by muks

This requires a ChangeLog entry:

+XYZ.   [func]          muks
+       b10-auth now returns rcode=REFUSED for all questions with
+       qtype=RRSIG (i.e., where RRSIGs are queried directly). This is
+       because RRSIGs are meaningless without being bundled alongside the
+       RRs they cover.
+       (Trac #2226, git ...)
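Review bot: the last sentence's rationale ("RRSIGs are meaningless without being bundled alongside the RRs they cover") is stronger than what the ticket description says, which notes a validator may have legitimate reasons to query RRSIGs directly; stating the reason as in comment:2 (b10-auth only serves RRSIGs together with the RRsets they cover, and the in-memory data source does not support looking them up directly) would be more accurate. Also, the `XYZ.` sequence number and the `git ...` hash are placeholders that need the final values filled in before the entry is committed.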

comment:5 Changed 6 years ago by shane

  • Priority changed from medium to high

comment:6 Changed 6 years ago by kean

  • Owner changed from UnAssigned to kean

comment:7 Changed 6 years ago by kean

  • Owner changed from kean to muks

This looks just fine. All tests, both unit and lettuce, pass (well, there are 2 lettuce failures, but they were there before this change too). The new lettuce test passes and looks good. Please merge and close.

comment:8 Changed 6 years ago by muks

  • Resolution set to fixed
  • Status changed from reviewing to closed

Merged to master branch in commit 68d24e65c9c3dfee38adfbe1c93367b0083f9a58:

* 3ebfb01 [2226] Add unittest and lettuce test for qtype=RRSIG query
* 1538645 [2226] Return rcode=REFUSED to serve qtype=RRSIG queries

Resolving as fixed. Thank you for the review.
