@hdais
Created February 18, 2016 17:53
Negative Trust Anchor for BIND 9.10
options {
// Enable DNSSEC validation
dnssec-validation auto;
// set NTA to dnssec-failed.org
// BIND9.10 and higher implements disable-ds-digests
disable-ds-digests dnssec-failed.org { SHA-1; SHA-256; };
};
@hdais
hdais commented Feb 18, 2016

without NTA

BIND9.10 determines that "dnssec-failed.org" is bogus, and returns SERVFAIL.

$ dig @::1 dnssec-failed.org +dnssec
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4100
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;dnssec-failed.org.     IN  A

with NTA

BIND9.10 doesn't perform DNSSEC validation for dnssec-failed.org and returns an "insecure" (ad=0) answer.

$ dig @::1 dnssec-failed.org +dnssec
(snip)
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 13

;; QUESTION SECTION:
;dnssec-failed.org.     IN  A

;; ANSWER SECTION:
dnssec-failed.org.  7189    IN  A   69.252.80.75
dnssec-failed.org.  7189    IN  RRSIG   A 5 2 7200 20160220165306 20160213134806 30891 dnssec-failed.org. SDHwByPj36pfhqFC8OIePKbYUsxgBtstZH8n9zmE/pwr+Zm4kgJ+ercb qKzXkB8q3YVcrMOUWD3S2ZyYZ/g3UF2S/wqK8eJMLxsReCo/S1SB9sPi sSj7dFzDWsOZu4+c29QclYK9DZru3ybo+TLwzGTF9mk5QIQUSFudumGy Gv8=
(snip)

@hdais

hdais commented Feb 18, 2016

Description

You can configure NTA for BIND 9.10, though only BIND 9.11 implements NTA officially.

BIND9.10 performs DNSSEC validation as if none of the DS digest algorithms exist for the domain specified in disable-ds-digests. For DS digest algorithms, mainly SHA-1 and SHA-256 are used. So in this configuration (nta-for-bind910.conf) BIND9.10 performs validation as if dnssec-failed.org has no DS records, which means the domain is "insecure".

A few domains are using other algorithms such as SHA-384 or GOST. For such domains, specify these algorithms, e.g. disable-ds-digests example.com { SHA-384; };

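The caveat in the comment above (a stanza that lists only SHA-1 and SHA-256 leaves a zone with a SHA-384 or GOST DS still validated) is easy to get wrong by hand. The following checker is an added example, not part of the gist or of BIND: it parses disable-ds-digests stanzas from a named.conf fragment, reads the DS records published for the zone, and reports any digest type the stanza does not cover. The function names, the config text and the DS records below are constructed for the example; the DS digest type numbers are the IANA registry values (1 SHA-1, 2 SHA-256, 3 GOST, 4 SHA-384).

```python
"""Check that a BIND 9.10 disable-ds-digests stanza (used as a poor man's NTA)
covers every DS digest type a zone actually publishes.  Hypothetical helper,
not part of BIND or of the gist."""
import re

# IANA DS digest type numbers -> names as BIND spells them in disable-ds-digests
DS_DIGEST_NAMES = {1: "SHA-1", 2: "SHA-256", 3: "GOST", 4: "SHA-384"}

STANZA_RE = re.compile(r'disable-ds-digests\s+"?([^\s"{]+)"?\s*\{([^}]*)\}', re.S)


def parse_disable_ds_digests(conf_text):
    """Return {zone: set(digest names)} for every disable-ds-digests stanza.
    '//' comments are stripped first so a mention inside a comment is ignored."""
    stripped = re.sub(r"//[^\n]*", "", conf_text)
    result = {}
    for m in STANZA_RE.finditer(stripped):
        zone = m.group(1).rstrip(".").lower()
        algos = {a.strip() for a in m.group(2).split(";") if a.strip()}
        result[zone] = algos
    return result


def parse_ds_records(ds_text):
    """Return the set of digest type numbers from presentation-format DS lines:
    'owner TTL IN DS keytag alg digesttype digest...'."""
    types = set()
    for line in ds_text.splitlines():
        toks = line.split()
        if not toks or toks[0].startswith(";") or "DS" not in toks:
            continue
        i = toks.index("DS")
        if len(toks) > i + 3:
            types.add(int(toks[i + 3]))
    return types


def uncovered_digests(conf_text, zone, ds_text):
    """Digest names the zone publishes in its DS set but the stanza omits.
    Per the gist's description, only when this is empty does BIND 9.10 treat
    the zone as having no usable DS records, i.e. as insecure."""
    stanzas = parse_disable_ds_digests(conf_text)
    listed = stanzas.get(zone.rstrip(".").lower(), set())
    published = {DS_DIGEST_NAMES.get(t, f"type-{t}") for t in parse_ds_records(ds_text)}
    return published - listed


# --- constructed sample input (not real DNS data) ---
CONF_WEAK = """
options {
    dnssec-validation auto;
    // covers only the two common digest types
    disable-ds-digests example.test { SHA-1; SHA-256; };
};
"""
CONF_FIXED = CONF_WEAK.replace("{ SHA-1; SHA-256; }", "{ SHA-1; SHA-256; SHA-384; }")

# the parent publishes one SHA-256 and one SHA-384 DS for the zone (constructed)
DS_SAMPLE = """
; constructed DS set for example.test
example.test. 3600 IN DS 12345 8 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
example.test. 3600 IN DS 12345 8 4 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
"""

if __name__ == "__main__":
    for label, conf in (("weak", CONF_WEAK), ("fixed", CONF_FIXED)):
        missing = uncovered_digests(conf, "example.test", DS_SAMPLE)
        print(f"{label}: uncovered digest types = {sorted(missing) or 'none'}")
```

With the weak stanza the checker reports SHA-384 as uncovered, so the zone would still be validated against that DS and fail; adding SHA-384 to the list makes the report empty. The check can be run against the DS set obtained from the parent with `dig DS <zone>` before relying on this workaround.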
@jplitza

jplitza commented Mar 21, 2018

This didn't work for insecure TLDs for me:

dnssec:   validating tld/SOA: got insecure response; parent indicates it should be secure

So yes, this disables the DNSSEC validation for that domain, but if the parent mandates it to be secure, this doesn't help.
