m13253 / dns-over-https

High performance DNS over HTTPS client & server
https://developers.google.com/speed/public-dns/docs/dns-over-https
MIT License
1.96k stars 221 forks

Why is the DNSSEC RRSIG data always returned with a query? #118

Closed Taomyn closed 2 years ago

Taomyn commented 2 years ago

I'm trying to use Technitium DNS Server to query the DoH server (Docker version from https://github.com/satishweb/docker-doh), but it gets messed up because it always receives the RRSIG of the DNS record. They tell me that Technitium DNS does not currently support DNSSEC (it will soon), but that normally the upstream DNS should not be sending the RRSIG unless requested anyway.

I've tested manual requests to public DoH servers using curl, and unless I add the "do=1" parameter to the query, none of them return the RRSIG. I even tried setting "do=0" in the query, yet I still get the RRSIG.

These are a couple of many I have tried:

curl -H 'accept: application/dns-json' 'https://cloudflare-dns.com/dns-query?name=www.mitel.com'
{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"www.mitel.com","type":1}],"Answer":[{"name":"www.mitel.com","type":5,"TTL":3439,"data":"www.mitel.com.cdn.cloudflare.net."},{"name":"www.mitel.com.cdn.cloudflare.net","type":1,"TTL":139,"data":"104.18.21.112"},{"name":"www.mitel.com.cdn.cloudflare.net","type":1,"TTL":139,"data":"104.18.20.112"}]}

curl -H 'accept: application/dns-json' 'https://cloudflare-dns.com/dns-query?name=www.mitel.com&do=1'
{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"www.mitel.com","type":1}],"Answer":[{"name":"www.mitel.com","type":5,"TTL":3600,"data":"www.mitel.com.cdn.cloudflare.net."},{"name":"www.mitel.com.cdn.cloudflare.net","type":1,"TTL":300,"data":"104.18.20.112"},{"name":"www.mitel.com.cdn.cloudflare.net","type":1,"TTL":300,"data":"104.18.21.112"},{"name":"www.mitel.com.cdn.cloudflare.net","type":46,"TTL":300,"data":"A ECDSAP256SHA256 6 300 1638534194 1638354194 34505 cloudflare.net. Aauf3FmXSi2wmVEZnsOmCtPKvvYeWxb+Ith7Q9FZAt8L/j3+uM102mrI85esDLZEn9AZUx7giVyAwcO7wqOm+w=="}]}

curl -H 'accept: application/dns-json' 'https://dns.google/resolve?name=www.mitel.com'
{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"www.mitel.com.","type":1}],"Answer":[{"name":"www.mitel.com.","type":5,"TTL":1995,"data":"www.mitel.com.cdn.cloudflare.net."},{"name":"www.mitel.com.cdn.cloudflare.net.","type":1,"TTL":300,"data":"104.18.20.112"},{"name":"www.mitel.com.cdn.cloudflare.net.","type":1,"TTL":300,"data":"104.18.21.112"}],"Comment":"Response from 198.41.222.31."}

curl -H 'accept: application/dns-json' 'https://dns.google/resolve?name=www.mitel.com&do=1'
{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"www.mitel.com.","type":1}],"Answer":[{"name":"www.mitel.com.","type":5,"TTL":3149,"data":"www.mitel.com.cdn.cloudflare.net."},{"name":"www.mitel.com.cdn.cloudflare.net.","type":1,"TTL":300,"data":"104.18.21.112"},{"name":"www.mitel.com.cdn.cloudflare.net.","type":1,"TTL":300,"data":"104.18.20.112"},{"name":"www.mitel.com.cdn.cloudflare.net.","type":46,"TTL":300,"data":"a 13 6 300 1638534194 1638354194 34505 cloudflare.net. /D8imvr0qViVXzrYW/9LCUIN7DGlYN7OZgB0M8vzJYbhKKvJUSuZZ0qFc3rKarF6LNPHc7lQRfVTnMnXWl028A=="}],"Comment":"Response from 198.41.223.131."}

The same lookups with Technitium DNS server never return the RRSIG as it never requests it.

And for completeness, against my Docker instance but also with a "do=0":

curl -H 'accept: application/dns-json' 'https://doh.mydomain.com/dns-query?name=www.mitel.com'
{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"www.mitel.com.","type":1}],"Answer":[{"name":"www.mitel.com.","type":5,"TTL":509,"Expires":"Thu, 02 Dec 2021 11:38:20 UTC","data":"www.mitel.com.cdn.cloudflare.net."},{"name":"www.mitel.com.cdn.cloudflare.net.","type":1,"TTL":185,"Expires":"Thu, 02 Dec 2021 11:32:56 UTC","data":"104.18.20.112"},{"name":"www.mitel.com.cdn.cloudflare.net.","type":1,"TTL":185,"Expires":"Thu, 02 Dec 2021 11:32:56 UTC","data":"104.18.21.112"},{"name":"www.mitel.com.cdn.cloudflare.net.","type":46,"TTL":185,"Expires":"Thu, 02 Dec 2021 11:32:56 UTC","data":"A 13 6 300 20211203122756 20211201102756 34505 cloudflare.net. tLuTXbpvJ5x2A1ZmZW7eez8ootG3adIhcVwMX1J3TZ/8D7yKD6M6EXq4fB4CYUgVsSy8a5AxyJhFOxfgxeTaFw=="}]}

curl -H 'accept: application/dns-json' 'https://doh.mydomain.com/dns-query?name=www.mitel.com&do=1'
{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"www.mitel.com.","type":1}],"Answer":[{"name":"www.mitel.com.","type":5,"TTL":485,"Expires":"Thu, 02 Dec 2021 11:38:20 UTC","data":"www.mitel.com.cdn.cloudflare.net."},{"name":"www.mitel.com.cdn.cloudflare.net.","type":1,"TTL":161,"Expires":"Thu, 02 Dec 2021 11:32:56 UTC","data":"104.18.20.112"},{"name":"www.mitel.com.cdn.cloudflare.net.","type":1,"TTL":161,"Expires":"Thu, 02 Dec 2021 11:32:56 UTC","data":"104.18.21.112"},{"name":"www.mitel.com.cdn.cloudflare.net.","type":46,"TTL":161,"Expires":"Thu, 02 Dec 2021 11:32:56 UTC","data":"A 13 6 300 20211203122756 20211201102756 34505 cloudflare.net. tLuTXbpvJ5x2A1ZmZW7eez8ootG3adIhcVwMX1J3TZ/8D7yKD6M6EXq4fB4CYUgVsSy8a5AxyJhFOxfgxeTaFw=="}]}

curl -H 'accept: application/dns-json' 'https://doh.mydomain.com/dns-query?name=www.mitel.com&do=0'
{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"www.mitel.com.","type":1}],"Answer":[{"name":"www.mitel.com.","type":5,"TTL":482,"Expires":"Thu, 02 Dec 2021 11:38:20 UTC","data":"www.mitel.com.cdn.cloudflare.net."},{"name":"www.mitel.com.cdn.cloudflare.net.","type":1,"TTL":158,"Expires":"Thu, 02 Dec 2021 11:32:56 UTC","data":"104.18.20.112"},{"name":"www.mitel.com.cdn.cloudflare.net.","type":1,"TTL":158,"Expires":"Thu, 02 Dec 2021 11:32:56 UTC","data":"104.18.21.112"},{"name":"www.mitel.com.cdn.cloudflare.net.","type":46,"TTL":158,"Expires":"Thu, 02 Dec 2021 11:32:56 UTC","data":"A 13 6 300 20211203122756 20211201102756 34505 cloudflare.net. tLuTXbpvJ5x2A1ZmZW7eez8ootG3adIhcVwMX1J3TZ/8D7yKD6M6EXq4fB4CYUgVsSy8a5AxyJhFOxfgxeTaFw=="}]}

I also tried specifying "type=A" which made no difference.
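
The curl experiments above can be turned into a repeatable check. The Python below is an added example for this thread, not code from the dns-over-https project, Cloudflare, Google or Technitium. It walks a DoH JSON answer, flags any RRSIG (type 46) record that arrived although the request did not carry do=1, and parses the RRSIG presentation text in the three dialects visible in the output above (Cloudflare prints the algorithm mnemonic and epoch timestamps, Google prints a numeric algorithm and a lower-case type, dns-over-https prints RFC 4034 YYYYMMDDHHmmSS timestamps) so that the signature's validity window can be checked. The embedded responses are trimmed copies of the curl output in the issue; the function names and the NOW constant are this example's own choices.

```python
"""Audit DoH JSON answers for RRSIG records the client never asked for."""
import calendar
import time
from urllib.parse import urlencode

TYPE_RRSIG = 46

# IANA DNSSEC algorithm numbers. Cloudflare's JSON API prints the mnemonic;
# Google's and dns-over-https's print the number.
ALGORITHMS = {"RSASHA1": 5, "RSASHA256": 8, "RSASHA512": 10,
              "ECDSAP256SHA256": 13, "ECDSAP384SHA384": 14,
              "ED25519": 15, "ED448": 16}
RRTYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "MX": 15, "TXT": 16,
           "AAAA": 28, "DS": 43, "RRSIG": 46, "DNSKEY": 48}

# Trimmed copies of the curl output in the issue (CNAME and one A record
# dropped, RRSIG data verbatim).
CLOUDFLARE_DO1 = {"Status": 0, "AD": False, "Answer": [
    {"name": "www.mitel.com.cdn.cloudflare.net", "type": 1, "TTL": 300,
     "data": "104.18.20.112"},
    {"name": "www.mitel.com.cdn.cloudflare.net", "type": 46, "TTL": 300,
     "data": "A ECDSAP256SHA256 6 300 1638534194 1638354194 34505 cloudflare.net. "
             "Aauf3FmXSi2wmVEZnsOmCtPKvvYeWxb+Ith7Q9FZAt8L/j3+uM102mrI85esDLZEn9AZUx7giVyAwcO7wqOm+w=="}]}
GOOGLE_DO1 = {"Status": 0, "AD": False, "Answer": [
    {"name": "www.mitel.com.cdn.cloudflare.net.", "type": 1, "TTL": 300,
     "data": "104.18.21.112"},
    {"name": "www.mitel.com.cdn.cloudflare.net.", "type": 46, "TTL": 300,
     "data": "a 13 6 300 1638534194 1638354194 34505 cloudflare.net. "
             "/D8imvr0qViVXzrYW/9LCUIN7DGlYN7OZgB0M8vzJYbhKKvJUSuZZ0qFc3rKarF6LNPHc7lQRfVTnMnXWl028A=="}]}
DOH_DO0 = {"Status": 0, "AD": False, "Answer": [
    {"name": "www.mitel.com.cdn.cloudflare.net.", "type": 1, "TTL": 158,
     "data": "104.18.20.112"},
    {"name": "www.mitel.com.cdn.cloudflare.net.", "type": 46, "TTL": 158,
     "data": "A 13 6 300 20211203122756 20211201102756 34505 cloudflare.net. "
             "tLuTXbpvJ5x2A1ZmZW7eez8ootG3adIhcVwMX1J3TZ/8D7yKD6M6EXq4fB4CYUgVsSy8a5AxyJhFOxfgxeTaFw=="}]}

# 2021-12-02 11:29:51 UTC: the issue's "Expires" minus its TTL, i.e. when the
# dns-over-https output above was captured (this example's assumption).
NOW = 1638444591


def query_url(base, name, rrtype="A", do_bit=False):
    """Build the JSON-API URL; only send do=1 when RRSIGs are really wanted."""
    params = {"name": name, "type": rrtype}
    if do_bit:
        params["do"] = "1"
    return base + "?" + urlencode(params)


def _epoch(field):
    """RRSIG times arrive as seconds since the epoch (Cloudflare, Google) or
    as YYYYMMDDHHmmSS in UTC (RFC 4034 presentation form, dns-over-https)."""
    if len(field) == 14:
        return calendar.timegm(time.strptime(field, "%Y%m%d%H%M%S"))
    return int(field)


def _rrtype(field):
    field = field.upper()
    if field.startswith("TYPE") and field[4:].isdigit():   # RFC 3597 generic form
        return int(field[4:])
    return RRTYPES[field]


def _algorithm(field):
    return int(field) if field.isdigit() else ALGORITHMS[field.upper()]


def parse_rrsig(text):
    """Parse RRSIG RDATA in presentation form (RFC 4034 section 3.2) into its
    fields, tolerating the dialect differences seen in the issue."""
    covered, alg, labels, orig_ttl, exp, inc, key_tag, signer, *sig = text.split()
    return {"type_covered": _rrtype(covered), "algorithm": _algorithm(alg),
            "labels": int(labels), "original_ttl": int(orig_ttl),
            "expiration": _epoch(exp), "inception": _epoch(inc),
            "key_tag": int(key_tag), "signer": signer.lower(),
            "signature": "".join(sig)}      # base64; may be split on whitespace


def signature_window(rrsig, now):
    """'valid', 'expired' or 'not-yet-valid' at time `now`. RFC 4034 uses
    serial-number arithmetic here; plain integers suffice for two-day windows."""
    if now < rrsig["inception"]:
        return "not-yet-valid"
    if now > rrsig["expiration"]:
        return "expired"
    return "valid"


def audit(response, do_bit, now):
    """One report per RRSIG in the Answer section, marking those that arrived
    without the DO bit being requested. Empty list = nothing unexpected."""
    reports = []
    for rr in response.get("Answer", []):
        if rr["type"] != TYPE_RRSIG:
            continue
        sig = parse_rrsig(rr["data"])
        reports.append({"owner": rr["name"], "unrequested": not do_bit,
                        "covers": sig["type_covered"], "algorithm": sig["algorithm"],
                        "key_tag": sig["key_tag"], "signer": sig["signer"],
                        "window": signature_window(sig, now)})
    return reports


if __name__ == "__main__":
    for label, resp, do_bit in [("cloudflare do=1", CLOUDFLARE_DO1, True),
                                ("google do=1", GOOGLE_DO1, True),
                                ("dns-over-https do=0", DOH_DO0, False)]:
        print(label, audit(resp, do_bit, NOW))
```

Run as is, only the dns-over-https answer is reported as carrying an unrequested RRSIG; the other two have one because the request asked for it. Note that all three answers have AD false, so none of the resolvers asserts that it validated the signatures it returns; a client that does not validate itself gains nothing from them and has to ignore them, which is exactly the situation Technitium was in here.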

m13253 commented 2 years ago

This may be a bug, and the reason may be that I never tested this against a client that didn't support DNSSEC.

Have you tried the IETF protocol mode? That mode might (or might not) work.

Taomyn commented 2 years ago

Yeah, it seems using IETF mode is better, as I don't get the RRSIG now. This is the test output from Technitium DNS:

JSON:

{
  "Metadata": {
    "NameServer": "https://doh.mydomain.com/dns-query",
    "Protocol": "HttpsJson",
    "DatagramSize": "778 bytes",
    "RoundTripTime": "329.86 ms"
  },
  "Identifier": 35049,
  "IsResponse": true,
  "OPCODE": "StandardQuery",
  "AuthoritativeAnswer": false,
  "Truncation": false,
  "RecursionDesired": true,
  "RecursionAvailable": true,
  "Z": 0,
  "AuthenticData": false,
  "CheckingDisabled": false,
  "RCODE": "NoError",
  "QDCOUNT": 1,
  "ANCOUNT": 4,
  "NSCOUNT": 0,
  "ARCOUNT": 0,
  "Question": [
    {
      "Name": "www.mitel.com",
      "Type": "A",
      "Class": "IN"
    }
  ],
  "Answer": [
    {
      "Name": "www.mitel.com",
      "Type": "CNAME",
      "Class": "IN",
      "TTL": "3114 (51 mins 54 sec)",
      "RDLENGTH": "33 bytes",
      "RDATA": {
        "Domain": "www.mitel.com.cdn.cloudflare.net"
      }
    },
    {
      "Name": "www.mitel.com.cdn.cloudflare.net",
      "Type": "A",
      "Class": "IN",
      "TTL": "24 (24 sec)",
      "RDLENGTH": "13 bytes",
      "RDATA": {
        "IPAddress": "104.18.20.112"
      }
    },
    {
      "Name": "www.mitel.com.cdn.cloudflare.net",
      "Type": "A",
      "Class": "IN",
      "TTL": "24 (24 sec)",
      "RDLENGTH": "13 bytes",
      "RDATA": {
        "IPAddress": "104.18.21.112"
      }
    },
    {
      "Name": "www.mitel.com.cdn.cloudflare.net",
      "Type": "RRSIG",
      "Class": "IN",
      "TTL": "24 (24 sec)",
      "RDLENGTH": "151 bytes",
      "RDATA": {
        "DATA": "QSAxMyA2IDMwMCAyMDIxMTIwNDA5MTIxMSAyMDIxMTIwMjA3MTIxMSAzNDUwNSBjbG91ZGZsYXJlLm5ldC4gWURNaGtBaDlJY1dKNmJXTi92SUdORUdpWkFJdnMxUkp1elhjV3ZCY0ZvendBTk54RUY2c3o2N0pBSW9ybVZXamZiV0JtR1BtRGthTnFXWW1idFlQSkE9PQ=="
      }
    }
  ],
  "Authority": [],
  "Additional": []
}

IETF:

{
  "Metadata": {
    "NameServer": "https://doh.mydomain.com/dns-query",
    "Protocol": "Https",
    "DatagramSize": "197 bytes",
    "RoundTripTime": "10.7 ms"
  },
  "Identifier": 50325,
  "IsResponse": true,
  "OPCODE": "StandardQuery",
  "AuthoritativeAnswer": false,
  "Truncation": false,
  "RecursionDesired": true,
  "RecursionAvailable": true,
  "Z": 0,
  "AuthenticData": false,
  "CheckingDisabled": false,
  "RCODE": "NoError",
  "QDCOUNT": 1,
  "ANCOUNT": 3,
  "NSCOUNT": 0,
  "ARCOUNT": 1,
  "Question": [
    {
      "Name": "www.mitel.com",
      "Type": "A",
      "Class": "IN"
    }
  ],
  "Answer": [
    {
      "Name": "www.mitel.com",
      "Type": "CNAME",
      "Class": "IN",
      "TTL": "2988 (49 mins 48 sec)",
      "RDLENGTH": "34 bytes",
      "RDATA": {
        "Domain": "www.mitel.com.cdn.cloudflare.net"
      }
    },
    {
      "Name": "www.mitel.com.cdn.cloudflare.net",
      "Type": "A",
      "Class": "IN",
      "TTL": "108 (1 min 48 sec)",
      "RDLENGTH": "4 bytes",
      "RDATA": {
        "IPAddress": "104.18.20.112"
      }
    },
    {
      "Name": "www.mitel.com.cdn.cloudflare.net",
      "Type": "A",
      "Class": "IN",
      "TTL": "108 (1 min 48 sec)",
      "RDLENGTH": "4 bytes",
      "RDATA": {
        "IPAddress": "104.18.21.112"
      }
    }
  ],
  "Authority": [],
  "Additional": [
    {
      "Name": "",
      "Type": "OPT",
      "Class": 1232,
      "TTL": "0 (0 sec)",
      "RDLENGTH": "0 bytes",
      "RDATA": {
        "DATA": ""
      }
    }
  ]
}
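
The two dumps above differ in more than the presence of the RRSIG. In IETF mode the answer carries an EDNS0 OPT record (Class 1232 is the UDP payload size, TTL 0 means the DO bit is clear), the A records are 4 bytes and the CNAME is 34 bytes, i.e. real wire format. In JSON mode the same A records are 13 bytes and the CNAME 33 bytes, which are the lengths of the presentation strings, and the RRSIG's 151-byte base64 RDATA decodes to the text "A 13 6 300 ... cloudflare.net. <signature>", not to RFC 4034 wire RDATA (98 bytes for this record). The Python below is an added example, not part of dns-over-https or Technitium: it builds an RFC 8484 (application/dns-message) query body with or without the DO bit, inspects the OPT record of a wire-format message, and decodes the JSON-mode RDATA copied from the dump above. The sample response is constructed here to mirror the IETF dump (without name compression, so it is longer than the 197 bytes Technitium reported); the function names are this example's own.

```python
"""Build RFC 8484 (IETF mode) DoH queries and inspect what comes back."""
import base64
import struct

TYPE_A, TYPE_CNAME, TYPE_OPT, TYPE_RRSIG = 1, 5, 41, 46
DO_FLAG = 0x8000   # DNSSEC OK: bit 15 of the OPT RR's 32-bit TTL field (RFC 4035 3.2.1)
AD_FLAG = 0x0020   # Authentic Data, in the message header flags


def encode_name(name):
    """Wire-format a domain name: length-prefixed labels ended by the root."""
    out = b""
    for label in name.strip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=TYPE_A, do_bit=False, payload_size=1232):
    """application/dns-message body: RD=1, one question, one OPT record.
    ID is 0 as RFC 8484 section 4.1 recommends, so identical queries are
    cacheable over HTTPS."""
    header = struct.pack(">HHHHHH", 0, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack(">HH", qtype, 1)
    # OPT: owner = root, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags
    opt = b"\x00" + struct.pack(">HHIH", TYPE_OPT, payload_size, DO_FLAG if do_bit else 0, 0)
    return header + question + opt


def get_url(base, query):
    """RFC 8484 GET form: base64url without padding in the dns= parameter."""
    return base + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")


def _skip_name(msg, off):
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def inspect_message(msg):
    """Walk a wire-format DNS message and report its EDNS settings and the
    number of RRSIG records, which is what this issue is about."""
    _id, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    info = {"answers": an, "ad": bool(flags & AD_FLAG),
            "edns": False, "payload_size": None, "do": None, "rrsig": 0}
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            info.update(edns=True, payload_size=rclass, do=bool(ttl & DO_FLAG))
        elif rtype == TYPE_RRSIG:
            info["rrsig"] += 1
    return info


def build_sample_response():
    """Constructed to mirror the IETF-mode dump in the issue: ID 50325, NoError,
    CNAME + two A records, OPT with payload size 1232 and the DO bit clear."""
    target = "www.mitel.com.cdn.cloudflare.net"
    header = struct.pack(">HHHHHH", 50325, 0x8180, 1, 3, 0, 1)   # QR, RD, RA set
    question = encode_name("www.mitel.com") + struct.pack(">HH", TYPE_A, 1)
    rdata = encode_name(target)
    cname = encode_name("www.mitel.com") + struct.pack(">HHIH", TYPE_CNAME, 1, 2988, len(rdata)) + rdata
    a_rrs = b"".join(encode_name(target) + struct.pack(">HHIH", TYPE_A, 1, 108, 4)
                     + bytes(int(o) for o in ip.split("."))
                     for ip in ("104.18.20.112", "104.18.21.112"))
    opt = b"\x00" + struct.pack(">HHIH", TYPE_OPT, 1232, 0, 0)
    return header + question + cname + a_rrs + opt


# The RRSIG RDATA from the JSON-mode dump in the issue (RDLENGTH "151 bytes").
JSON_MODE_RRSIG_RDATA = ("QSAxMyA2IDMwMCAyMDIxMTIwNDA5MTIxMSAyMDIxMTIwMjA3MTIxMSAzNDUwNSBjbG91ZGZs"
                         "YXJlLm5ldC4gWURNaGtBaDlJY1dKNmJXTi92SUdORUdpWkFJdnMxUkp1elhjV3ZCY0ZvendB"
                         "Tk54RUY2c3o2N0pBSW9ybVZXamZiV0JtR1BtRGthTnFXWW1idFlQSkE9PQ==")


def decode_json_mode_rdata(b64):
    """What the JSON API carried as RDATA is the presentation text, not wire bytes."""
    return base64.b64decode(b64).decode("ascii")


def rrsig_wire_length(presentation):
    """Size of the RFC 4034 wire RDATA for an RRSIG given in presentation form:
    18 fixed bytes, the signer's name, then the raw signature."""
    fields = presentation.split()
    signer, signature = fields[7], "".join(fields[8:])
    return 18 + len(encode_name(signer)) + len(base64.b64decode(signature))


if __name__ == "__main__":
    print(get_url("https://doh.mydomain.com/dns-query", build_query("www.mitel.com")))
    print(inspect_message(build_query("www.mitel.com", do_bit=True)))
    print(inspect_message(build_sample_response()))
    text = decode_json_mode_rdata(JSON_MODE_RRSIG_RDATA)
    print(len(text), "presentation bytes vs", rrsig_wire_length(text), "wire bytes:", text[:64])
```

For a client that does not validate, the IETF mode is the cleaner choice: whether signatures are wanted is stated by the DO bit in the OPT record rather than inferred from a do= query parameter, and the RDATA comes back in wire format instead of as text whose length depends on how the server chose to print it. A client that does set DO should still check the AD flag in the header before trusting what it receives.
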

gdm85 commented 2 years ago

I am closing this issue as it seems there is nothing to be fixed on dns-over-https side; if you think otherwise please comment!

Thanks