PowerDNS / pdns

PowerDNS Authoritative, PowerDNS Recursor, dnsdist
https://www.powerdns.com/
GNU General Public License v2.0

rec: nothing-below-nxdomain=dnssec with NSEC3 opt-out #9901

Open mnordhoff opened 3 years ago

mnordhoff commented 3 years ago

Short description

The nothing-below-nxdomain=dnssec setting does not apply to NXDOMAINs when NSEC3 opt-out is in use.

Unless there are known issues with important authoritative servers, it would be neat if it did.

Usecase

Minimizing queries and information sent to TLDs and other NSEC3 opt-out zones.

Description

The main(?) reason nothing-below-nxdomain=dnssec exists is that many non-DNSSEC authoritative servers don't comply with RFC 8020. With only that consideration in mind, an NXDOMAIN in a secure zone should be equally reliable whether the zone is using NSEC, NSEC3 or NSEC3 opt-out.

The current nothing-below-nxdomain=dnssec implementation simply checks if "ne.d_validationState == vState::Secure"; I assume valid NSEC3 opt-out responses get set to Insecure, with this result.

It would complicate the code, but from a user perspective, I think it would be nice if it also covered NSEC3 opt-out. This is a total guess, but I'd think queries for expired or misspelled domains in NSEC3 opt-out TLDs would be a medium-sized fraction of NXDOMAINs.

But I understand if it's not worth it. :)

Compare the Recursor-to-authoritative queries produced by "dig foo.nxdomain-nxdomain-nxdomain.com" (NSEC3 opt-out) or "dig foo.nxdomain-nxdomain-nxdomain.dev" (NSEC3).
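The following is an added toy model of the RFC 8020 "nothing below NXDOMAIN" decision described in the issue; it is not PowerDNS Recursor code and is not part of the original report. It keys synthesis on the validation state of the cached NXDOMAIN, the way the issue describes the nothing-below-nxdomain=dnssec check, and adds a hypothetical cover_optout switch for the requested behaviour. The setting's three values (no, dnssec, yes) are the Recursor's real ones; the VState set, the NegCacheEntry shape, the optout flag and the cache contents (built from the two names in the issue) are assumptions of this model, including the issue's assumption that NSEC3 opt-out NXDOMAINs are stored as Insecure.

```python
"""Toy model of RFC 8020 'nothing below NXDOMAIN' synthesis in a validating
recursor, keyed on the DNSSEC validation state of the cached NXDOMAIN.
Constructed example, not PowerDNS Recursor code."""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional


class VState(Enum):
    """Validation states attached to cached data. Names follow the issue's
    vState::Secure; the set itself is an assumption of this model."""
    INDETERMINATE = "Indeterminate"
    INSECURE = "Insecure"
    SECURE = "Secure"
    BOGUS = "Bogus"


@dataclass(frozen=True)
class NegCacheEntry:
    name: str          # owner of the cached NXDOMAIN (any case, trailing dot optional)
    state: VState      # validation state of that NXDOMAIN
    optout: bool       # non-existence was proven via an NSEC3 opt-out span (assumed flag)


def _labels(name: str) -> list:
    return [lab for lab in name.lower().rstrip(".").split(".") if lab]


def is_proper_subdomain(child: str, parent: str) -> bool:
    """True if child is strictly below parent (the RFC 8020 case);
    the exact name is an ordinary negative-cache hit, not synthesis."""
    c, p = _labels(child), _labels(parent)
    return len(c) > len(p) and c[len(c) - len(p):] == p


def synthesize_nxdomain(qname: str, negcache: Iterable[NegCacheEntry], mode: str,
                        cover_optout: bool = False) -> Optional[NegCacheEntry]:
    """Return the cached ancestor NXDOMAIN that lets the recursor answer qname
    locally, or None if it must ask upstream.

    mode mirrors nothing-below-nxdomain: 'no', 'dnssec' (validated NXDOMAINs
    only) or 'yes' (any NXDOMAIN). cover_optout is the hypothetical extension
    the issue asks for: also trust NXDOMAINs proven via NSEC3 opt-out, which
    this model (like the issue) assumes are stored as Insecure."""
    if mode not in ("no", "dnssec", "yes"):
        raise ValueError(f"unknown mode {mode!r}")
    if mode == "no":
        return None
    # Closest enclosing NXDOMAIN first, in case several ancestors are cached.
    candidates = sorted((e for e in negcache if is_proper_subdomain(qname, e.name)),
                        key=lambda e: len(_labels(e.name)), reverse=True)
    for e in candidates:
        if mode == "yes":
            return e                       # trusts unvalidated NXDOMAINs too
        if e.state is VState.SECURE:
            return e                       # the current 'dnssec' check
        if cover_optout and e.optout and e.state is VState.INSECURE:
            return e                       # requested extension
    return None


# Constructed negative-cache contents. The two nxdomain-nxdomain-nxdomain names
# come from the issue; their validation states are assumptions of this model.
NEGCACHE = (
    NegCacheEntry("nxdomain-nxdomain-nxdomain.dev.", VState.SECURE, optout=False),   # NSEC3, no opt-out
    NegCacheEntry("nxdomain-nxdomain-nxdomain.com.", VState.INSECURE, optout=True),  # NSEC3 opt-out
    NegCacheEntry("nonexistent.example.", VState.INSECURE, optout=False),            # unsigned zone
)


def upstream_query_needed(qname: str, mode: str, cover_optout: bool = False) -> bool:
    """True when the model would send a query to the authoritative server."""
    return synthesize_nxdomain(qname, NEGCACHE, mode, cover_optout) is None


if __name__ == "__main__":
    for q in ("foo.nxdomain-nxdomain-nxdomain.dev.",
              "foo.nxdomain-nxdomain-nxdomain.com.",
              "foo.nonexistent.example."):
        print(q,
              "dnssec ->", "upstream" if upstream_query_needed(q, "dnssec") else "local",
              "| dnssec+optout ->", "upstream" if upstream_query_needed(q, "dnssec", True) else "local")
```

With mode "dnssec" the .dev name is answered locally while the .com (opt-out) name still goes upstream, which is the behaviour the issue reports; cover_optout=True changes only the opt-out case and still leaves the unsigned-zone NXDOMAIN out, which is the distinction mode "yes" does not make.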

mnordhoff commented 3 years ago

There's a solid argument that the current design is safer because it limits the damage caused by forged insecure/opt-out NXDOMAINs. In that case, this feature request should be closed, and maybe the docs should be changed to discourage using nothing-below-nxdomain=yes.