DNSSEC validation

RPedada
Techie
Posts: 6

We have authoritative DNS and forwarder DNS in our environment. We are trying to enable DNSSEC validation.

I have enabled DNSSEC validation on the forwarder DNS and imported the root trust anchor.

Our authoritative DNS forwards all internet queries to the forwarder DNS.

Do we have to enable DNSSEC validation on the authoritative DNS as well?

Thanks

Re: DNSSEC validation

AMani Community Manager
Community Manager
Posts: 39

Hello,

Since you've already enabled validation in the forwarder DNS server, there is no need to enable validation in the authoritative server.

Moreover, enabling multi-level validation may result in undesirable effects.

Regards,

Re: DNSSEC validation

RPedada
Techie
Posts: 6

Hi,

Thanks for your response. I tested the following scenarios and here are the results.

1. Imported a wrong root trust anchor key on my forwarder DNS server. Internal authoritative DNS servers still get name resolution. They don't get a SERVFAIL response for internet queries.

2. Imported a wrong root trust anchor key on my forwarder DNS server and enabled DNSSEC validation on my authoritative DNS servers; then the resolution fails for all internet domains with "SERVFAIL".

Looks like my authoritative DNS does not really validate responses unless I enable DNSSEC validation on it.

Any thoughts?

Thanks

Re: DNSSEC validation

AMani Community Manager
Community Manager
Posts: 39

Hi,

Apologies for the delay in responding to your last query.

Below may be the possible reasons for the scenarios mentioned:

1. Imported a wrong root trust anchor key on my forwarder DNS server. Internal authoritative DNS servers still get name resolution. They don't get a SERVFAIL response for internet queries.

>>>> Since you had explicitly disabled validation, the internal server would have sent the query to the forwarder with the flag "dns.flags.checkdisable == 1". This means that "Non-authenticated data is acceptable". If the forwarder gets a query with the CD flag (dns.flags.checkdisable) set to 1, it will not perform any validation and will follow the regular DNS resolution.

This is mentioned in RFC 4035. Below is a snippet from the RFC:

[Attached image: DNSSEC-RFC4035.JPG]

2. Imported a wrong root trust anchor key on my forwarder DNS server and enabled DNSSEC validation on my authoritative DNS servers; then the resolution fails for all internet domains with "SERVFAIL".

>>>> The internal server would have sent the query to the forwarder with the flag "dns.flags.checkdisable == 0". This means that "Non-authenticated data is not acceptable". Hence you are getting the "SERVFAIL" message.

Note: As per the Infoblox DNSSEC whitepaper, you only need to enable DNSSEC on the forwarder server.

[Attached image: DNSSEC-Whitepaper-Infoblox.JPG]

You may want to refer to the following documents for more details:

- RFC 4033
- RFC 4035
- Infoblox DNSSEC whitepaper: DNSSEC Best Practice

You may also open a support ticket to troubleshoot why the internal server sent the CD bit as 1 while forwarding the query to the external-facing forwarder.

Regards,
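A worked model of the CD-bit behaviour described in the reply above, added here as an example and not code from this thread or from Infoblox: it builds a raw DNS query with the CD flag set or clear, decodes the header flags you would look for in a packet capture, and simulates the header-level decision of a validating forwarder for both scenarios (the `forwarder_response` function is an assumed, simplified model in which a wrong trust anchor means the chain cannot be validated).

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1, RFC 4035 section 3.2).
FLAG_QR = 0x8000  # 1 = response, 0 = query
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # Authentic Data: responder validated the answer
FLAG_CD = 0x0010  # Checking Disabled: querier accepts unauthenticated data
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2


def build_query(qname, txid, checking_disabled):
    """Minimal A/IN query (no EDNS): RD always set, CD only when requested."""
    flags = FLAG_RD | (FLAG_CD if checking_disabled else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def parse_header(msg):
    """Decode the fields of the 12-byte header that matter for validation."""
    txid, flags = struct.unpack("!HH", msg[:4])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "rd": bool(flags & FLAG_RD),
            "ad": bool(flags & FLAG_AD), "cd": bool(flags & FLAG_CD),
            "rcode": flags & 0x000F}


def forwarder_response(query, trust_anchor_valid):
    """Simplified model (assumption, not Infoblox code) of a validating
    forwarder: CD=1 in the query -> answer without validating (AD=0, CD echoed);
    CD=0 -> validate, and a wrong trust anchor means SERVFAIL."""
    q = parse_header(query)
    flags = FLAG_QR | FLAG_RD | FLAG_RA
    if q["cd"]:
        flags |= FLAG_CD | RCODE_NOERROR   # scenario 1: resolution still works
    elif trust_anchor_valid:
        flags |= FLAG_AD | RCODE_NOERROR   # validated answer, AD=1
    else:
        flags |= RCODE_SERVFAIL            # scenario 2: validation failure
    return struct.pack("!HHHHHH", q["id"], flags, 1, 0, 0, 0) + query[12:]


def describe(msg):
    """One-line summary of a message's validation-related header bits."""
    h = parse_header(msg)
    if not h["qr"]:
        return "query CD=%d" % h["cd"]
    return "response rcode=%d AD=%d CD=%d" % (h["rcode"], h["ad"], h["cd"])
```

Running `describe(build_query("example.com", 0x1234, True))` on a capture-derived message is the quick way to confirm whether the internal server is sending CD=1 as the reply suggests.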
