Hi Michael

On Wed, Oct 02, 2019 at 02:42:37PM -0400, Michael Casadevall wrote:
> Helium is the authoritative nameserver for the li694-22 zone. Boron is the backup server and replicates via AXFR from helium. The li694-22 zone is not signed in any way. For these tests, I'm accessing the recursive resolvers from another machine, specifically neon, one of our database nodes.
>
> Helium's named options relating to DNSSEC are only set as follows:
>
> named.conf.options:
>     dnssec-validation auto;
>
> When requesting hydrogen's AAAA record with DO=1:
>
> mcasadevall@neon:~$ dig @helium.li694-22 hydrogen.li694-22 AAAA +dnssec
>
> ; <<>> DiG 9.9.5-3ubuntu0.15-Ubuntu <<>> @helium.li694-22 hydrogen.li694-22 AAAA +dnssec
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58352
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;hydrogen.li694-22.		IN	AAAA
>
> ;; ANSWER SECTION:
> hydrogen.li694-22.	3600	IN	AAAA	2600:3c00::f03c:91ff:fe6e:1ded
>
> ;; AUTHORITY SECTION:
> li694-22.		3600	IN	NS	helium.li694-22.
> li694-22.		3600	IN	NS	boron.li694-22.
>
> ;; ADDITIONAL SECTION:
> boron.li694-22.		3600	IN	AAAA	2600:3c00::f03c:91ff:fe6e:c4bf
> helium.li694-22.	3600	IN	AAAA	2600:3c00::f03c:91ff:fe6e:1d88
>
> ;; Query time: 0 msec
> ;; SERVER: 2600:3c00::f03c:91ff:fe6e:1d88#53(2600:3c00::f03c:91ff:fe6e:1d88)
> ;; WHEN: Wed Oct 02 17:45:52 UTC 2019
> ;; MSG SIZE  rcvd: 171
>
> I get an AA record, but no signed results. This should be SERVFAIL because there's no chain from root. Notably, running a test against a known bad domain fails as expected:
Isn't "li694-22." a fake domain that only exists on your authoritative server "helium"? And it is unclear if you're also running a fake root zone as in the 1st case you'd described. It's not entirely clear without seeing all the zone's contents and nameserver config.

Anyway, here you're querying helium directly for "hydrogen.li694-22./AAAA". helium is authoritative for "li694-22." as you've noted; the authoritative server algorithm does not perform DNSSEC validation (it is the resolver algorithm that does). Basically helium is serving the unsigned "li694-22." zone in this case in isolation. It serves no DNSSEC records because none exist, and returns AA=1. The nameserver (one that has both authoritative and resolver functionality) prefers to return authoritative data when it is available over cached data.

Mukund
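The distinction Mukund draws, that an answer served from the server's own zone data (AA=1) has not been through validation at all, while only a resolver's AD=1 or a SERVFAIL shows a validator acted, can be checked mechanically from dig's text output. The following Python is added here as an example; it is not code from the thread or from BIND. The first sample is the helium response quoted above; the "validated" and SERVFAIL samples, the host.example and bad.example names, and the RRSIG rdata are constructed placeholders.

```python
"""Classify a dig response by which flags and records vouch for it.

Added example (not from the thread): parse dig's text output and decide whether
the answer came straight from authoritative zone data (AA=1, no validation was
performed), from a validating resolver (AD=1), was refused (SERVFAIL), or is
simply unvalidated.
"""
import re

# Response quoted in the thread: helium queried directly, DO=1, unsigned zone.
SAMPLE_AUTH_UNSIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58352
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;hydrogen.li694-22.\t\tIN\tAAAA

;; ANSWER SECTION:
hydrogen.li694-22.\t3600\tIN\tAAAA\t2600:3c00::f03c:91ff:fe6e:1ded

;; AUTHORITY SECTION:
li694-22.\t\t3600\tIN\tNS\thelium.li694-22.
li694-22.\t\t3600\tIN\tNS\tboron.li694-22.
"""

# Constructed: a validating resolver answering for a signed name it could chain
# to its trust anchor (hypothetical name, placeholder signature).
SAMPLE_VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;host.example.\t\tIN\tAAAA

;; ANSWER SECTION:
host.example.\t3600\tIN\tAAAA\t2001:db8::1
host.example.\t3600\tIN\tRRSIG\tAAAA 13 2 3600 20191101000000 20191001000000 12345 example. PLACEHOLDERSIG==
"""

# Constructed: a validating resolver that could not validate the answer.
SAMPLE_BOGUS = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;bad.example.\t\tIN\tAAAA
"""


def parse_dig(text):
    """Extract status, header flags, EDNS flags and the RR types per section."""
    result = {"status": None, "flags": set(), "edns_flags": set(), "sections": {}}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.search(r"status: (\w+)", line)
        if line.startswith(";; ->>HEADER<<-") and m:
            result["status"] = m.group(1)
            continue
        if line.startswith(";; flags:"):
            # ";; flags: qr aa rd ra; QUERY: 1, ..." -> {"qr", "aa", "rd", "ra"}
            result["flags"] = set(line[len(";; flags:"):].split(";")[0].split())
            continue
        if line.startswith("; EDNS:"):
            m = re.search(r"flags:\s*([^;]*);", line)
            if m:
                result["edns_flags"] = set(m.group(1).split())
            continue
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            section = m.group(1)
            result["sections"].setdefault(section, [])
            continue
        if line.startswith(";"):
            continue  # comments and the question-section entry
        if section:
            fields = line.split()  # owner ttl class type rdata...
            if len(fields) >= 4:
                result["sections"][section].append(fields[3])
    return result


def classify(parsed):
    """Which party, if any, vouched for this answer."""
    answer = parsed["sections"].get("ANSWER", [])
    signed = "RRSIG" in answer
    if parsed["status"] == "SERVFAIL":
        return "SERVFAIL"  # validator refused it, or the server simply failed
    if "ad" in parsed["flags"]:
        return "VALIDATED"  # the resolver validated and the chain checked out
    if "aa" in parsed["flags"]:
        # Served from local zone data: the authoritative path never validates.
        return "AUTHORITATIVE_SIGNED" if signed else "AUTHORITATIVE_UNSIGNED"
    return "UNVALIDATED_SIGNED" if signed else "INSECURE"


if __name__ == "__main__":
    for name, text in [("helium direct", SAMPLE_AUTH_UNSIGNED),
                       ("validating resolver", SAMPLE_VALIDATED),
                       ("bogus name", SAMPLE_BOGUS)]:
        print(f"{name}: {classify(parse_dig(text))}")
```

The helium response classifies as AUTHORITATIVE_UNSIGNED: AA is set, no RRSIG is present, and nothing in it says a validator ran. To exercise dnssec-validation, the query has to go to the recursive resolver for a name whose zone that server does not itself serve; otherwise, as Mukund notes, the authoritative data wins and validation is never involved.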