Return SERVFAIL when dnssec fails to validate #35

@rithvikvibhu

Description

All popular resolvers (1.1.1.1, 8.8.8.8, etc.) do not return records if DNSSEC verification fails. But bns returns records with the ad flag (correctly) unset.

Other resolvers:

❯ dig @8.8.8.8 dnssec-failed.org

; <<>> DiG 9.18.1 <<>> @8.8.8.8 dnssec-failed.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 31099
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;dnssec-failed.org.             IN      A

;; Query time: 840 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Mon May 16 15:47:44 IST 2022
;; MSG SIZE  rcvd: 46

What bns does:

❯ dig @127.0.0.1 -p 5350 dnssec-failed.org

; <<>> DiG 9.18.1 <<>> @127.0.0.1 -p 5350 dnssec-failed.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14474
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: f166791f3edc3b37 (echoed)
;; QUESTION SECTION:
;dnssec-failed.org.             IN      A

;; ANSWER SECTION:
dnssec-failed.org.      300     IN      A       96.99.227.255

;; Query time: 3900 msec
;; SERVER: 127.0.0.1#5350(127.0.0.1) (UDP)
;; WHEN: Mon May 16 15:53:34 IST 2022
;; MSG SIZE  rcvd: 74
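The expected behaviour described in this issue, written out as an added example (this is illustrative code, not bns's own `Message` or validator): a validating resolver finishes a response according to the DNSSEC validation outcome per RFC 4035, answering with AD set for Secure, AD clear for Insecure, and SERVFAIL with an empty answer section for Bogus unless the client set the CD (Checking Disabled) bit. A small parser for dig header lines then classifies the two transcripts above. The message shape (`rcode`, `flags`, `answers`) and the three-state validation result are assumptions made for the example.

```javascript
'use strict';

// RCODE values from the DNS header (RFC 1035).
const RCODE = { NOERROR: 0, SERVFAIL: 2 };

// Validation outcomes as RFC 4035 names them.
const VALIDATION = { SECURE: 'secure', INSECURE: 'insecure', BOGUS: 'bogus' };

// Minimal response shape used by this example (constructed; not bns's Message class).
function makeResponse({ answers = [], ad = false, cd = false, rcode = RCODE.NOERROR } = {}) {
  return { rcode, flags: { qr: true, ra: true, ad, cd }, answers: [...answers] };
}

// Apply the validator's verdict to an already-resolved response.
// `queryCD` is the Checking Disabled bit copied from the client's query.
function finalizeResponse(response, validation, queryCD = false) {
  const out = makeResponse({ answers: response.answers, cd: queryCD });
  switch (validation) {
    case VALIDATION.SECURE:
      out.flags.ad = true;           // authenticated data
      return out;
    case VALIDATION.INSECURE:
      out.flags.ad = false;          // no chain of trust, but not broken either
      return out;
    case VALIDATION.BOGUS:
      if (queryCD) {
        out.flags.ad = false;        // client opted out of validation: hand back raw data
        return out;
      }
      out.rcode = RCODE.SERVFAIL;    // the behaviour 8.8.8.8 shows above
      out.answers = [];
      out.flags.ad = false;
      return out;
    default:
      throw new Error(`unknown validation state: ${validation}`);
  }
}

// Pull status, flags and answer count out of a dig transcript header.
function parseDigHeader(text) {
  const status = /status: ([A-Z]+)/.exec(text);
  const flags = /;; flags: ([a-z ]+);/.exec(text);
  const answer = /ANSWER: (\d+)/.exec(text);
  if (!status || !flags || !answer) throw new Error('not a dig header');
  return { status: status[1], flags: flags[1].trim().split(/\s+/), answerCount: Number(answer[1]) };
}

// Classify a resolver's answer for a name whose chain is known to be bogus.
function judgeBogusNameResponse(digText) {
  const h = parseDigHeader(digText);
  if (h.status === 'SERVFAIL' && h.answerCount === 0) return 'validating: rejected bogus data';
  if (h.flags.includes('ad')) return 'BROKEN: claims authentic data for a bogus chain';
  if (h.answerCount > 0) return 'not validating: served bogus data with AD clear';
  return 'inconclusive';
}

// Sample inputs: the two header blocks from this issue, trimmed to the relevant lines.
const SAMPLE_GOOGLE = `;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 31099
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1`;
const SAMPLE_BNS = `;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14474
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1`;

// Constructed answer record for a walkthrough.
const SAMPLE_ANSWER = [{ name: 'dnssec-failed.org.', type: 'A', ttl: 300, data: '96.99.227.255' }];

console.log(judgeBogusNameResponse(SAMPLE_GOOGLE));
console.log(judgeBogusNameResponse(SAMPLE_BNS));
console.log(finalizeResponse(makeResponse({ answers: SAMPLE_ANSWER }), VALIDATION.BOGUS));
```

With `finalizeResponse` in place, the second transcript above would come back as `status: SERVFAIL, ANSWER: 0`, matching what 8.8.8.8 returns; a client that still wants the unvalidated record can ask for it with `dig +cd`.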
