unbound API and authenticated data

Hello

We are using unbound API for DNSSEC resolve.

If the Authenticated Data (AD) flag is received and is set to “not validated” (0).

What would be the states of the following flags:

  • havedata
  • secure
  • bogus

Thanks

Does anyone have the information below?

Hi Anthony,

It is not clear to me from your text, but:
- If unbound receives the AD, it means that the upstream *signals* that
  it has verified the query response. Unbound will not trust this and
  will always do validation (unless not configured).
- If unbound sets the AD, unbound itself has verified the response.

I can't give one answer for the other values because it depends on the
response.
Information for the values you asked can be found in your local man page
for libunbound or online at
https://www.nlnetlabs.nl/documentation/unbound/libunbound/ for the
latest version.

Best regards,
-- George

Hi Anthony,

It would be better if you give an example of what you are trying to achieve.

If you trust your upstream (e.g., forwarding to a trusted resolver that
checks DNSSEC) you can disable validation by not including `validator`
in the modules configuration (`module-config:`).

If validation is disabled, unbound cannot check the DNSSEC state.

Best regards,
-- George
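The configuration point George makes above, shown as an added unbound.conf fragment (example only, not from the thread or from the unbound project's documentation): the default module chain keeps `validator` so unbound validates answers itself and never relies on the AD bit an upstream sets; removing `validator` is the weak setting. The forwarder address and the root.key path are taken from later messages in this thread.

```conf
server:
    # Default: the validator sits in the module chain, so unbound validates
    # DNSSEC itself and ignores any AD bit the forwarder sets.
    module-config: "validator iterator"
    # Trust anchor (path as used in this thread; the file comes from IANA).
    auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"

    # Weak alternative, only if the forwarder is fully trusted: without
    # "validator" unbound cannot check the DNSSEC state, and the secure and
    # bogus fields of ub_result stay 0, indistinguishable from an unsigned zone.
    # module-config: "iterator"

forward-zone:
    name: "."
    forward-addr: 8.8.8.8
```

With libunbound the same setting can be loaded through `ub_ctx_config()` or set with `ub_ctx_set_option()`; the validation result is then reported per answer through `ub_result`, not through the AD bit.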

Hi Anthony,

> Hello George
>
> Here are two cases.
> One, Google, which the API reports as not secure.
> Two, Cloudflare, which the API reports as secure.
> Note: some articles state Google should be supporting DNSSEC by now.

Both Google and Cloudflare *public resolvers* support DNSSEC; that is, if
you ask 8.8.8.8 or 1.1.1.1 you will get DNSSEC validated answers.

However cloudflare.net is a DNSSEC signed domain, whereas google.com is not.

> Using the API it would be easy to check the security bit and make a decision on what to allow.
>
> But what about the below:
> DNS client -> unbound recursive resolver -> external DNSSEC servers
> In this case how do you control what to allow if you want it secure always?

You do the DNSSEC validation as close to the client as you can.
It seems that you only want to consider DNSSEC signed domains and ignore
the rest.

> Example Google
> test-unbound: PrintUbResults qname=www.google.com qtype=1 qclass=1 canonname=(null) rcode=0 answer_len=59 secure=0 bogus=0 ttl=300 (domain name=www.google.com).
> test-unbound: ResolveURL IP address 142.250.68.36 (domain name=www.google.com).
> test-unbound: ResolveURL result is insecure (IP address 142.250.68.36, domain name=www.google.com).

secure=0 and bogus=0 means:
- either libunbound was configured without the validator, or
- the domain is not a DNSSEC secured domain (insecure).

In your case you know that the first is false, because you are the one
that configures libunbound.

> Example Cloudflare
> test-unbound:[48918]: PrintUbResults qname=cloudflare.net qtype=1 qclass=1 canonname=(null) rcode=0 answer_len=185 secure=1 bogus=0 ttl=300 (domain name=cloudflare.net).
> test-unbound:[48918]: ResolveURL IP address 104.17.156.85 (domain name=cloudflare.net).
> test-unbound:[48918]: ResolveURL result is secure (IP address 104.17.156.85, domain name=cloudflare.net).

secure=1 and bogus=0 means that the domain is DNSSEC signed and passes
DNSSEC validation.

So in conclusion the following states are available if libunbound is
configured to do DNSSEC validation (default):
secure | bogus | verdict
-------+-------+-----------------------------
   0   |   0   | domain is not signed (insecure)
   0   |   1   | domain is signed and bogus
   1   |   0   | domain is signed and secure
   1   |   1   | -; can't happen

Best regards,
-- George
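The "secure always" policy Anthony asks about and George's secure/bogus table, put together as an added C example (not code from this thread or from the unbound project). `struct ub_flags` is a local stand-in for the `rcode`, `havedata`, `secure` and `bogus` fields of libunbound's `struct ub_result`, so the logic runs without linking libunbound; in a real client those fields come from `ub_resolve()`. The parser for the `PrintUbResults` lines is an assumption about the poster's own log format, written so the two examples quoted above can be fed straight in; `havedata` is inferred from `answer_len` because the log line does not print it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the struct ub_result fields discussed in the thread.
 * In a real client ub_resolve() fills these in. */
struct ub_flags {
    int rcode;     /* DNS rcode: 0 = NOERROR */
    int havedata;  /* 1 if the answer section carried records */
    int secure;    /* 1 if DNSSEC validation succeeded */
    int bogus;     /* 1 if DNSSEC validation failed */
};

enum dnssec_verdict {
    VERDICT_PARSE_ERROR = -1,
    VERDICT_INSECURE = 0,  /* secure=0 bogus=0: domain is not signed */
    VERDICT_BOGUS    = 1,  /* secure=0 bogus=1: signed, fails validation */
    VERDICT_SECURE   = 2,  /* secure=1 bogus=0: signed and validated */
    VERDICT_INVALID  = 3   /* secure=1 bogus=1: cannot happen; treat as error */
};

/* George's table, applied to the two flags. */
enum dnssec_verdict classify(const struct ub_flags *f)
{
    if (f->secure && f->bogus) return VERDICT_INVALID;
    if (f->bogus)              return VERDICT_BOGUS;
    if (f->secure)             return VERDICT_SECURE;
    return VERDICT_INSECURE;
}

/* "Secure always": only a NOERROR answer with data that is both signed and
 * validated is allowed. Unsigned (insecure) answers are refused just like
 * bogus ones, which is why www.google.com is refused below. */
int allow_secure_only(const struct ub_flags *f)
{
    return f->rcode == 0 && f->havedata && classify(f) == VERDICT_SECURE;
}

/* Pull rcode=, answer_len=, secure= and bogus= out of a PrintUbResults line
 * (assumed format, taken from the poster's log). The leading space in each
 * key avoids matching e.g. "insecure". Returns 1 on success. */
int parse_printubresults(const char *line, struct ub_flags *out)
{
    const char *p;
    int answer_len = 0;
    memset(out, 0, sizeof *out);
    if (!strstr(line, "PrintUbResults")) return 0;
    if (!(p = strstr(line, " rcode=")) || sscanf(p, " rcode=%d", &out->rcode) != 1) return 0;
    if (!(p = strstr(line, " secure=")) || sscanf(p, " secure=%d", &out->secure) != 1) return 0;
    if (!(p = strstr(line, " bogus=")) || sscanf(p, " bogus=%d", &out->bogus) != 1) return 0;
    if ((p = strstr(line, " answer_len=")) && sscanf(p, " answer_len=%d", &answer_len) == 1)
        out->havedata = answer_len > 0;
    return 1;
}

/* Verdict and policy decision straight from a log line. */
enum dnssec_verdict verdict_for_line(const char *line)
{
    struct ub_flags f;
    return parse_printubresults(line, &f) ? classify(&f) : VERDICT_PARSE_ERROR;
}

int allow_line(const char *line)
{
    struct ub_flags f;
    return parse_printubresults(line, &f) && allow_secure_only(&f);
}

/* Sample lines, copied from the two examples quoted in this thread. */
static const char *const SAMPLE_GOOGLE =
    "test-unbound: PrintUbResults qname=www.google.com qtype=1 qclass=1 "
    "canonname=(null) rcode=0 answer_len=59 secure=0 bogus=0 ttl=300";
static const char *const SAMPLE_CLOUDFLARE =
    "test-unbound:[48918]: PrintUbResults qname=cloudflare.net qtype=1 qclass=1 "
    "canonname=(null) rcode=0 answer_len=185 secure=1 bogus=0 ttl=300";

static const char *verdict_name(enum dnssec_verdict v)
{
    switch (v) {
    case VERDICT_INSECURE: return "insecure (not signed)";
    case VERDICT_BOGUS:    return "bogus";
    case VERDICT_SECURE:   return "secure";
    case VERDICT_INVALID:  return "invalid (secure=1 bogus=1)";
    default:               return "parse error";
    }
}

int main(void)
{
    const char *const samples[] = { SAMPLE_GOOGLE, SAMPLE_CLOUDFLARE };
    for (size_t i = 0; i < 2; i++)
        printf("%s -> %s\n", verdict_name(verdict_for_line(samples[i])),
               allow_line(samples[i]) ? "ALLOW" : "REFUSE");
    return 0;
}
```

The policy deliberately refuses the insecure case even though nothing failed: with the validator enabled, `secure=0 bogus=0` means the zone simply is not signed, and a "secure always" client cannot tell that apart from a stripped signature unless it refuses both.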

Hello George

I setup forwarding to 8.8.8.8.
The unbound API still indicates the resolve is not secure.
My root.key is from iana.

What should I check?

test-unbound main start
UnboundStart start.UnboundStart end (unbound pid 31193).
main unbound not yet running.
UnboundStart start.UnboundStart starting unbound.
[1596238739] unbound[31193:0] notice: Start of unbound 1.10.1.
[1596238739] unbound[31193:0] debug: creating udp6 socket ::1 53
[1596238739] unbound[31193:0] warning: IPv6 protocol not available
[1596238739] unbound[31193:0] debug: creating udp4 socket 127.0.0.1 53
[1596238739] unbound[31193:0] debug: creating tcp4 socket 127.0.0.1 53
[1596238739] unbound[31193:0] debug: switching log to syslog
main unbound is running.
libunboundclient:[31179]: ResolveURL URL=www.google.com (domain name=www.google.com).
libunboundclient:[31179]: ResolveURL ub_ctx_create() (domain name=www.google.com).
libunboundclient:[31179]: ResolveURL ub_ctx_resolvconf() /usr/local/etc/unbound/resolv.conf.
libunboundclient:[31179]: ResolveURL ub_ctx_hosts() /etc/hosts.
libunboundclient:[31179]: ResolveURL ub_ctx_add_ta_file() /usr/local/etc/unbound/root.key.
libunboundclient:[31179]: PrintOption version optval blank (domain name=www.google.com).
libunboundclient:[31179]: PrintOption verbosity=0 (domain name=www.google.com).
libunboundclient:[31179]: PrintOption chroot optval blank (domain name=www.google.com).
libunboundclient:[31179]: PrintOption username=unbound (domain name=www.google.com).
libunboundclient:[31179]: PrintOption error fallback-enabled (domain name=www.google.com).
libunboundclient:[31179]: PrintOption error for-downstream (domain name=www.google.com).
libunboundclient:[31179]: PrintOption error for-upstream (domain name=www.google.com).
libunboundclient:[31179]: ResolveURL ub_resolve() (domain name=www.google.com).
libunboundclient:[31179]: PrintUbResults qname=www.google.com qtype=1 qclass=1 canonname=(null) rcode=0 answer_len=139 secure=0 bogus=0 ttl=251 (domain name=www.google.com).
libunboundclient:[31179]: PrintUbResults result data element 0 has length 4 (domain name=www.google.com).
libunboundclient:[31179]: PrintUbResults result data element 0 is: 74.125.138.104 (domain name=www.google.com).
libunboundclient:[31179]: PrintUbResults result data element 1 has length 4 (domain name=www.google.com).
libunboundclient:[31179]: PrintUbResults result data element 1 is: 74.125.138.99 (domain name=www.google.com).
libunboundclient:[31179]: PrintUbResults result data element 2 has length 4 (domain name=www.google.com).
libunboundclient:[31179]: PrintUbResults result data element 2 is: 74.125.138.106 (domain name=www.google.com).
libunboundclient:[31179]: PrintUbResults result data element 3 has length 4 (domain name=www.google.com).
libunboundclient:[31179]: PrintUbResults result data element 3 is: 74.125.138.103 (domain name=www.google.com).
libunboundclient:[31179]: PrintUbResults result data element 4 has length 4 (domain name=www.google.com).
libunboundclient:[31179]: PrintUbResults result data element 4 is: 74.125.138.147 (domain name=www.google.com).
libunboundclient:[31179]: PrintUbResults result data element 5 has length 4 (domain name=www.google.com).
libunboundclient:[31179]: PrintUbResults result data element 5 is: 74.125.138.105 (domain name=www.google.com).
libunboundclient:[31179]: ResolveURL IP address 74.125.138.104 (domain name=www.google.com).
libunboundclient:[31179]: ResolveURL result is insecure (IP address 74.125.138.104, domain name=www.google.com).
main resolve www.google.com 74.125.138.104 (cnt 1).
UnboundStop stopping unbound (unbound pid 31193).
test-unbound main end

(attachments)

unbound.conf (41 KB)
wqar-unbound.log (22.5 KB)

Hello Anthony,

On 22 July, George very clearly wrote to you:

"However cloudflare.net is a DNSSEC signed domain, whereas google.com is not."

Your log file below also shows unbound resolving "www.google.com", getting an answer, and saying that it's not secure. All of this is consistent, because "google.com" is NOT a signed domain. So what's the problem?

Regards,
Anand

> Hello George
>
> I setup forwarding to 8.8.8.8.
> The unbound API still indicates the resolve is not secure.
> My root.key is from iana.
>
> What should I check?
>
> test-unbound main start
>
> [snip]

Sorry, I missed that; no problem for this item.