diff mbox series

[v2] test if nameservers with DNSSEC support return "ad"-flagged data

Message ID 20180304182652.067d606e.peter.mueller@link38.eu
State Accepted
Commit 438da7e0a012cb979e77efcb923ab86b9078fb57
Headers
Series [v2] test if nameservers with DNSSEC support return "ad"-flagged data |

Commit Message

Peter Müller March 5, 2018, 4:26 a.m. UTC 
  DNSSEC-validating nameservers return an "ad" (Authenticated Data)
flag in the DNS response header. This can be used as a negative
indicator for DNSSEC validation: In case a nameserver does not
return the flag, but failes to look up a domain with an invalid
signature, it does not support DNSSEC validation.

This makes it easier to detect nameservers which do not fully
comply to the RFCs or try to tamper DNS queries.

See bug #11595 (https://bugzilla.ipfire.org/show_bug.cgi?id=11595) for further details.

The second version of this patch avoids unnecessary usage of
grep. Thanks to Michael Tremer for the hint.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
---
 src/initscripts/system/unbound | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

Comments

Michael Tremer March 6, 2018, 2:22 a.m. UTC | #1 
Hi,

okay. Merged.

-Michael

On Sun, 2018-03-04 at 18:26 +0100, Peter Müller wrote:
> DNSSEC-validating nameservers return an "ad" (Authenticated Data)
> flag in the DNS response header. This can be used as a negative
> indicator for DNSSEC validation: In case a nameserver does not
> return the flag, but failes to look up a domain with an invalid
> signature, it does not support DNSSEC validation.
> 
> This makes it easier to detect nameservers which do not fully
> comply to the RFCs or try to tamper DNS queries.
> 
> See bug #11595 (https://bugzilla.ipfire.org/show_bug.cgi?id=11595) for further
> details.
> 
> The second version of this patch avoids unnecessary usage of
> grep. Thanks to Michael Tremer for the hint.
> 
> Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> ---
>  src/initscripts/system/unbound | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound
> index a46999992..dcb9653ee 100644
> --- a/src/initscripts/system/unbound
> +++ b/src/initscripts/system/unbound
> @@ -378,7 +378,12 @@ ns_is_validating() {
>  	local ns=${1}
>  	shift
>  
> -	dig @${ns} A ${TEST_DOMAIN_FAIL} $@ | grep -q SERVFAIL
> +	if ! dig @${ns} A ${TEST_DOMAIN_FAIL} $@ | grep -q SERVFAIL; then
> +		return 1
> +	else
> +		# Determine if NS replies with "ad" data flag if DNSSEC
> enabled
> +		dig @${ns} +dnssec SOA ${TEST_DOMAIN} $@ | awk -F: '/\;\;\
> flags\:/ { s=1; if (/\ ad/) s=0; exit s }'
> +	fi
>  }
>  
>  # Checks if we can retrieve the DNSKEY for this domain.
diff mbox series

Patch

diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound
index a46999992..dcb9653ee 100644
--- a/src/initscripts/system/unbound
+++ b/src/initscripts/system/unbound
@@ -378,7 +378,12 @@  ns_is_validating() {
 	local ns=${1}
 	shift
 
-	dig @${ns} A ${TEST_DOMAIN_FAIL} $@ | grep -q SERVFAIL
+	if ! dig @${ns} A ${TEST_DOMAIN_FAIL} $@ | grep -q SERVFAIL; then
+		return 1
+	else
+		# Determine if NS replies with "ad" data flag if DNSSEC enabled
+		dig @${ns} +dnssec SOA ${TEST_DOMAIN} $@ | awk -F: '/\;\;\ flags\:/ { s=1; if (/\ ad/) s=0; exit s }'
+	fi
 }
 
 # Checks if we can retrieve the DNSKEY for this domain.