From: Vladimír Čunát Date: Tue, 29 Nov 2022 10:30:32 +0000 (+0100) Subject: policy.STUB: avoid applying aggressive DNSSEC denial proofs X-Git-Tag: v5.6.0~9^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=24e912e0b08fa6410bc69e357644e640304a7547;p=thirdparty%2Fknot-resolver.git policy.STUB: avoid applying aggressive DNSSEC denial proofs In particular, avoids unintentional NXDOMAIN on grafted subtrees. Consequently the users can drop 'NO_CACHE' flag and get caching. --- diff --git a/NEWS b/NEWS index 59526db78..4d0b009d0 100644 --- a/NEWS +++ b/NEWS @@ -4,6 +4,7 @@ Knot Resolver 5.x.y (202y-mm-dd) Improvements ------------ - depend on jemalloc, preferably, to improve memory usage (!1353) +- policy.STUB: avoid applying aggressive DNSSEC denial proofs (!1364) Bugfixes -------- diff --git a/lib/cache/peek.c b/lib/cache/peek.c index 860ba86b1..ef97a5206 100644 --- a/lib/cache/peek.c +++ b/lib/cache/peek.c @@ -134,6 +134,12 @@ int peek_nosync(kr_layer_t *ctx, knot_pkt_t *pkt) return ctx->state; } + /* Avoid aggressive answers in STUB mode. + * As STUB mode doesn't validate, it wouldn't save the necessary records. + * Moreover, this special case avoids unintentional NXDOMAIN on grafted subtrees. */ + if (qry->flags.STUB) + return ctx->state; + /**** 1b. otherwise, find the longest prefix zone/xNAME (with OK time+rank). [...] */ k->zname = qry->sname; ret = kr_dname_lf(k->buf, k->zname, false); /* LATER(optim.): probably remove */ diff --git a/modules/policy/README.rst b/modules/policy/README.rst index 0d37b1f6c..202aabab7 100644 --- a/modules/policy/README.rst +++ b/modules/policy/README.rst 
@@ -620,19 +620,6 @@ and you trust your link to it, you need to use the :func:`policy.STUB` policy instead of :func:`policy.FORWARD` to disable DNSSEC validation for those *grafted* domains. -Secondly, after disabling DNSSEC validation you have to solve another issue -caused by grafting. For example, if you grafted your own top-level domain -``example.`` onto the public DNS namespace, at some point the root server might -send proof-of-nonexistence proving e.g. that there are no other top-level -domain in between names ``events.`` and ``exchange.``, effectively proving -non-existence of ``example.``. - -These proofs-of-nonexistence protect public DNS from spoofing but break -*grafted* domains because proofs will be latter used by resolver -(when the positive records for the grafted domain timeout from cache), -effectively making grafted domain unavailable. -The easiest work-around is to disable reading from cache for grafted domains. - .. code-block:: lua :caption: Example configuration grafting domains onto public DNS namespace @@ -647,7 +634,9 @@ The easiest work-around is to disable reading from cache for grafted domains. -- validated anyway; in some of those cases adding 'NO_0X20' can also help, -- though it also lowers defenses against off-path attacks on communication -- between the two servers. - policy.add(policy.suffix(policy.FLAGS({'NO_CACHE', 'NO_EDNS'}), extraTrees)) + -- With kresd <= 5.5.3 you also needed 'NO_CACHE' flag to avoid unintentional + -- NXDOMAINs that could sometimes happen due to aggressive DNSSEC caching. + policy.add(policy.suffix(policy.FLAGS({'NO_EDNS'}), extraTrees)) policy.add(policy.suffix(policy.STUB({'2001:db8::1'}), extraTrees)) Response policy zones
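Review bot: the NEWS entry under Improvements states only the mechanism ("avoid applying aggressive DNSSEC denial proofs") and not the user-visible consequence given in the commit message, namely that the 'NO_CACHE' flag is no longer needed on grafted subtrees and those answers now get cached; since the README hunk below changes the documented configuration, consider extending the line to something like "- policy.STUB: avoid applying aggressive DNSSEC denial proofs, so 'NO_CACHE' is no longer needed for grafted domains (!1364)" so operators reading the changelog know to revisit their policy rules.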
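Review bot: in the lib/cache/peek.c hunk the early return `if (qry->flags.STUB) return ctx->state;` sits after the preceding `return ctx->state;` of the exact-match lookup and before step 1b, so cached positive answers are still served to STUB queries while only the longest-prefix walk that can synthesize denials from NSEC/NSEC3 records is skipped; that matches the intent in the commit message, but the behaviour it promises (no NXDOMAIN for a grafted name once its positive records expire from cache) is exactly the case that was only reachable with 'NO_CACHE' removed, so a regression test querying a grafted name after the cached positive answer times out would guard it. Also, the rationale in the added comment ("it wouldn't save the necessary records") describes why the walk is useless for STUB rather than why it is harmful; the NXDOMAIN-on-grafted-subtrees sentence is the one future readers need first.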
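Review bot: the first modules/policy/README.rst hunk removes the whole explanation of why proofs-of-nonexistence from the public tree used to break grafted domains, yet the second hunk's new comment still refers to "aggressive DNSSEC caching" with kresd <= 5.5.3 without saying what that is; since operators on older releases will keep reading this page, keep a one- or two-sentence version of the removed text (that negative proofs covering the gap around the grafted name could be reused from cache and make it unavailable, which is why 'NO_CACHE' was required before this change) instead of dropping it entirely.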
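Review bot: in the second README.rst hunk the added comment pins the old behaviour to "kresd <= 5.5.3", which is consistent with the tag placing this change before v5.6.0, but the NEWS header in this same patch still reads "Knot Resolver 5.x.y", so the version in the comment should be double-checked against the release that actually ships the fix when NEWS is finalized. The replacement rule `policy.FLAGS({'NO_EDNS'})` keeps the ordering before `policy.STUB(...)` unchanged, which is correct since both rules must match the same `extraTrees` suffixes.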