Re: Reachability of DNS root servers for zone transfers

["Peter Müller" <peter.mueller@link38.eu>]

[-- Attachment #1: Type: text/plain, Size: 3644 bytes --]

Hello Michael,

> Hi,
> [...]
>>
>> (a) If DNS servers are set an known to work, they are used to
>> fetch mentioned DNS root zones. In case of failures, Unbound
>> falls back to current behaviour. As DNS resolvers usually do not
>> allow zone transfers, I expect this to fail in most cases.
> 
> The fallback is essential. This cannot render DNS unusable.
True. However, Unbound falls back to simply querying the upstream
DNS servers if zone transfer failed. I do not expect any setup to
break if AXFR is not allowed.
> 
>> (b) In case no DNSSEC-validating or -aware resolvers are available,
>> Unbound falls back into recursor mode, assuming reachability of
>> at least one of these servers. In this case, fetching the zones
>> is easy.
> 
> In hindsight, this was a bad design decision. We assumed here that this will
> always work and that is not true. However, the amount of users is still
> relatively small.
True, but I do not see any usable alternative. We could simply stop
resolving DNS entries, but this is probably even worse.
> 
>> (c) In case of permissive operation (no DNSSEC available), root
>> zones are not fetched.
> 
> Why?
Because we cannot validate them. I consider querying upstream name
servers better than having a ton of probably faked DNS zone data
around.
> 
>> It turned out Unbound bumps into validation errors sometime, which
>> needs some further investigation.
Things work fine so far, except for a really nasty bug: After rebooting
a machine with local root zone mirroring enabled, Unbound falls back
to DNSSEC permissive mode for an unknown reason.

After restarting the daemon manually, everything is fine again. :-\
>>
>> Can/should we always assume DNS root servers are reachable?
>> Any opinions on this?
> 
> Not always, but for the vast majority of users, they should be available.
I suspect this depends on
(a) how many users are located behind some moron ISP which breaks DNSSEC.
(b) how many users restrict outgoing DNS traffic to the two nameservers
they configured (I do so) - since information leaks and bypassing DNSSEC
validation is a threat, I consider this restriction as being useful.

Further, creating firewall groups with _all_ of the root servers IPv4
addresses is error-prone and time-consuming.
(c) how many users are located behind upstream DNS servers which do not
allow AXFR.
> 
> If not, what are the downsides? Also what are the upsides of this?
As far as I am concerned, there is no downside: In case mirroring the
root zones fails, anything (should) just behave as usual.

The upsides of this feature are as follows:
(a) less load on the DNS root servers
(b) faster replies to DNS queries for an invalid TLD (some poorly written
software is doing so)
(c) no disclosure to upstream servers which TLD is queried (paranoia, but hey)
(d) less queries to upstream servers for TLD nameservers

Besides some very minor privacy benefit, this aims to reduce load
and DNS queries. Needless to say, if a TLDs nameserver is already cached
by an upstream nameserver, no information is disclosed to the root servers.
> 
>> [...]
>> P.P.S.: See 
>> https://unbound.nlnetlabs.nl/pipermail/unbound-users/2018-May/005268.html
>> for upstream mailinglist thread.
> 
> Just for the fun of it, I have added all zones to
> ns{1,2,3}.lightningwirelabs.com and allow AXFR for everyone.
Cool, thank you. Let's hope some more resolvers will implement this.
> 
> -Michael
> 

Thanks, and best regards,
Peter Müller
-- 
Microsoft DNS service terminates abnormally when it recieves a response
to a DNS query that was never made.  Fix Information: Run your DNS
service on a different platform.
		-- bugtraq