DNSSEC-validating nameservers return an "ad" (Authenticated Data) flag in the DNS response header. This can be used as a negative indicator for DNSSEC validation: In case a nameserver does not return the flag, but failes to look up a domain with an invalid signature, it does not support DNSSEC validation.
This makes it easier to detect nameservers which do not fully comply to the RFCs or try to tamper DNS queries.
See bug #11595 (https://bugzilla.ipfire.org/show_bug.cgi?id=11595) for further details.
The second version of this patch avoids unnecessary usage of grep. Thanks to Michael Tremer for the hint.
Signed-off-by: Peter Müller peter.mueller@link38.eu --- src/initscripts/system/unbound | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound index a46999992..dcb9653ee 100644 --- a/src/initscripts/system/unbound +++ b/src/initscripts/system/unbound @@ -378,7 +378,12 @@ ns_is_validating() { local ns=${1} shift
- dig @${ns} A ${TEST_DOMAIN_FAIL} $@ | grep -q SERVFAIL + if ! dig @${ns} A ${TEST_DOMAIN_FAIL} $@ | grep -q SERVFAIL; then + return 1 + else + # Determine if NS replies with "ad" data flag if DNSSEC enabled + dig @${ns} +dnssec SOA ${TEST_DOMAIN} $@ | awk -F: '/;;\ flags:/ { s=1; if (/\ ad/) s=0; exit s }' + fi }
# Checks if we can retrieve the DNSKEY for this domain.
Hi,
okay. Merged.
-Michael
On Sun, 2018-03-04 at 18:26 +0100, Peter Müller wrote:
DNSSEC-validating nameservers return an "ad" (Authenticated Data) flag in the DNS response header. This can be used as a negative indicator for DNSSEC validation: In case a nameserver does not return the flag, but failes to look up a domain with an invalid signature, it does not support DNSSEC validation.
This makes it easier to detect nameservers which do not fully comply to the RFCs or try to tamper DNS queries.
See bug #11595 (https://bugzilla.ipfire.org/show_bug.cgi?id=11595) for further details.
The second version of this patch avoids unnecessary usage of grep. Thanks to Michael Tremer for the hint.
Signed-off-by: Peter Müller peter.mueller@link38.eu
src/initscripts/system/unbound | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound index a46999992..dcb9653ee 100644 --- a/src/initscripts/system/unbound +++ b/src/initscripts/system/unbound @@ -378,7 +378,12 @@ ns_is_validating() { local ns=${1} shift
- dig @${ns} A ${TEST_DOMAIN_FAIL} $@ | grep -q SERVFAIL
- if ! dig @${ns} A ${TEST_DOMAIN_FAIL} $@ | grep -q SERVFAIL; then
return 1- else
# Determine if NS replies with "ad" data flag if DNSSECenabled
dig @${ns} +dnssec SOA ${TEST_DOMAIN} $@ | awk -F: '/\;\;\flags:/ { s=1; if (/\ ad/) s=0; exit s }'
- fi
}
# Checks if we can retrieve the DNSKEY for this domain.
-
Michael Tremer -
Peter Müller