Re: DNSSEC and forwarding

2022-04-13 Thread Duchscher, Dave J via bind-users
On Apr 13, 2022, at 10:08 AM, Nicholas Miller wrote:
> 
> I believe this is the option you are looking for:
> 
>   validate-except { domain.example; };

Thanks but that doesn't fix our problem. We use it to fix the
problematic domains for now but that is a temporary solution. There
is always another domain that crops up and will need to be exempted.

The option I was looking for, which doesn't seem to exist, is turning
off named setting the check disabled flag when forwarding to another
system. With that ability, we could have moved DNSSEC validation
to the cache systems.

--
Dave

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: DNSSEC and forwarding

2022-04-13 Thread Duchscher, Dave J via bind-users


> On Apr 13, 2022, at 12:00 AM, Grant Taylor via bind-users wrote:
> 
> On 4/12/22 7:18 PM, Duchscher, Dave J via bind-users wrote:
> > We are dropping this configuration and looking at doing something else.
> 
> I'm sorry to hear that.
> 
> > We have had intermittent issues with Slack, Microsoft, and a growing 
> > list of domains. Even have one that consistently fails.
> 
> Are you able to share any specific details / examples so that others can 
> see an example of what to look out for?

Sure.

Just to be clear, the setup looks like this:

  Internal DNS --> DMZ DNS Cache -> World

Internal DNS is forward only.  Only internal DNS allowed on the DNS
cache systems.  DNSSEC validation can be enabled or disabled on the
cache systems since named always sets the check disabled flag when
forwarding. This also means that you can't forward to an upstream
DNS system and have it do the DNSSEC validation. Wish there was a
way to turn this off or if it would only set the check disabled
flag when DNSSEC validation is enabled.

Failure mode is that everything looks to work and then a domain
will stop resolving.  Sometimes we get timeouts, sometimes SERVFAIL,
and other times NXDOMAIN.

On a test setup with fresh restart, these domains always fail.

cybr.club
am-explorer.com
simutext.com
simutext2.com

These domains fail randomly and we have not been able to produce
the failure.

a.slack-edge.com
portal.azure.com
rex-sftp.bncollege.com

There are also our Teams and SharePoint domains but I'd rather not put
them here.

I hope this helps. Needless to say, it has been a frustrating
situation.
--
Dave

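To see the flag behaviour Dave describes (named sets the checking disabled bit on forwarded queries, so the upstream cache skips validation) in a packet capture or against a test resolver, here is an added Python helper; it is not from the thread or from BIND. It builds an A query with or without CD and classifies a reply by its RCODE, AD and CD bits; the 127.0.0.1:11000 target in the usage stanza mirrors the second named instance in Dave's laptop setup and is an assumption of this example.

```python
import socket
import struct

# DNS header flag bits (RFC 1035 / RFC 4035); CD and AD are the ones this thread is about
FLAG_RD = 1 << 8   # recursion desired
FLAG_AD = 1 << 5   # authentic data: the responding resolver validated the answer
FLAG_CD = 1 << 4   # checking disabled: the responding resolver must not validate

def build_query(name, qid=0x1234, cd=False):
    """Minimal A/IN query. cd=True mimics what named does on its forwarded queries."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack(">HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)

def parse_flags(packet):
    """Return (rcode, ad, cd) from the 12-byte DNS header at the front of packet."""
    flags = struct.unpack(">H", packet[2:4])[0]
    return flags & 0xF, bool(flags & FLAG_AD), bool(flags & FLAG_CD)

def classify(packet):
    """Label a reply the way the failures in this thread show up (SERVFAIL, NXDOMAIN, AD/CD)."""
    rcode, ad, cd = parse_flags(packet)
    if rcode == 2:
        return "servfail"            # upstream validated and failed, or could not fetch
    if rcode == 3:
        return "nxdomain"
    if ad:
        return "validated"           # upstream validated this answer itself
    if cd:
        return "checking-disabled"   # upstream skipped validation; the forwarder must validate
    return "unvalidated"             # unsigned zone or non-validating upstream

def query_flags(server, port, name, cd=False, timeout=3.0):
    """Send one UDP query and classify the reply; 'timeout' when nothing comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, cd=cd), (server, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return classify(data)

if __name__ == "__main__":
    # Assumption: the validating cache from Dave's test setup is listening on 127.0.0.1:11000.
    for cd in (False, True):
        print("CD=%d -> %s" % (cd, query_flags("127.0.0.1", 11000, "example.com", cd=cd)))
```

Running the stanza at the bottom against a validating resolver shows the same name answered with AD when CD is clear and without it when CD is set, which is why validation cannot be delegated to the upstream cache from a forwarding named.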


Re: DNSSEC and forwarding

2022-04-12 Thread Duchscher, Dave J via bind-users
On Mar 30, 2022, at 4:43 PM, Tony Finch  wrote:
> 
> > We have an internal DNS server that we would like to forward its
> > outgoing queries to a main DNS server that connects to the outside world
> > and is doing DNSSEC validation.  The problem is that the DNSSEC
> > validation doesn't work for queries from the internal DNS server.
> > Doing DNSSEC validation on the internal DNS server that is forwarding to
> > the main DNS server has been problematic with some domains failing
> > intermittently and others just not working at all. Is there a way to
> > allow the main DNS server to handle DNSSEC validation?
> 
> In this situation, with multiple tiers of caches, if you want DNSSEC
> validation, you should turn it on everywhere you can.
> 
> It sounds to me like your outer server has somehow got data in its cache
> that can't be validated by the inner server (though I'm not entirely sure
> how that might happen). If they both validate then I would expect the
> problems to go away.

We are dropping this configuration and looking at doing something else. It
has become very clear after much testing with different DNS services,
unbound, and named that forwarding with named with DNSSEC validation
turned on to another named server has problems with the DNS data out in
the world. For us, this shows up with cloud-based services that play fast
and loose with the DNS specifications. We have had intermittent issues
with Slack, Microsoft, and a growing list of domains. Even have one that
consistently fails. I am just posting this as a caution to others that
you may have problems with DNSSEC validation in this configuration.

--
Dave




DNSSEC and forwarding

2022-03-30 Thread Duchscher, Dave J via bind-users
We have an internal DNS server that we would like to forward its outgoing 
queries to a main DNS server that connects to the outside world and is doing 
DNSSEC validation.  The problem is that the DNSSEC validation doesn't work for 
queries from the internal DNS server.  Doing DNSSEC validation on the internal 
DNS server that is forwarding to the main DNS server has been problematic with 
some domains failing intermittently and others just not working at all. Is there 
a way to allow the main DNS server to handle DNSSEC validation?

Here is my test setup on my laptop:

First named config running on port 1:

logging {
    category default {
        _default_log;
    };
    channel _default_log {
        file "/var/log/named/named-1.log" versions 10 size 1m;
        severity info;
        print-time yes;
    };
};

options {
    directory "/var/named-1";
    listen-on port 1 { any; };
    allow-query { any; };
    allow-recursion { any; };
    allow-query-cache { any; };
    dnssec-validation no;
    forwarders {
        127.0.0.1 port 11000;
    };
    forward only;
};

Second named config running on port 11000:

logging {
    category default {
        _default_log;
    };
    channel _default_log {
        file "/var/log/named/named-2.log" versions 10 size 1m;
        severity info;
        print-time yes;
    };
};

options {
    directory "/var/named-2";
    listen-on port 11000 { any; };
    allow-query { any; };
    allow-recursion { any; };
    allow-query-cache { any; };
    dnssec-validation auto;
};

--
Dave
