Local DNSSEC validation settings should not override query request

[pemensik]

Is your feature request related to a problem? Please describe.
Local stub should always forward DNSSEC enabled queries (with DO flag) to upstream, regardless of DNSSEC validation settings. In current defaults with DNSSEC=no, DO flag is never forwarded to upstream with this setting, therefore DNSSEC reply never arrives. I think locally validation application (delv) should be able to try validation regardless validation settings in resolved.

Describe the solution you'd like
When local stub receives query with DO flag, it should always forward DO flag query to forwarders. Whether they do respond with DNSSEC records or not, it is only a problem of client application. resolved just has to cache also RRSIG, NSEC and NSEC3 records if they were received, but do not try to validate them in case of DNSSEC=no. If local DO enables queries should be squashed to non-DO queries forwarded, I think that should be different DNSSEC setting. For example DNSSEC=downgrade.

resolved should upgrade cached to DNSSEC enabled query, if previous cached response were requested without DO bit, but query does have it set. Ie dig @127.0.0.53 followed by dig +dnssec 127.0.0.53 should deliver RRSIG, if current forwarder is able to provide it.

Describe alternatives you've considered
DNSSEC=yes works fine and default DNSSEC=allow-downgrade should work fine too. Sadly DNSSEC=no is default on Fedora 34, so recent improvement is not enabled by default(rhbz). I think it should work by default and local application should be allowed to detect DNSSEC problems themselves.

As an alternative, better detection of allow-downgrade might be used, so DNSSEC=no is not used by distributions anymore. But even then this feature would make sense.

The systemd version you checked that didn't have the feature you are asking for
systemd-248~rc4-4.fc35.x86_64

[poettering]

I am not convinced this is desirable. If we are told not to speak DNSSEC upstream I am pretty sure we should not try this ever, and clearly communicate this to clients, by indicating we don't support DNSSEC.

If you want us to proxy a request upstream you can set CD btw, in which case we'll literally pass everything on.

Or to say this differently: we focus on returning an answer at all, and we are told DNSSEC to be off the table, we better return a non-DNSSEC reply to a DNSSEC-enabled client than to propagate the question as is and return a broken reply.

[pemensik]

By setting DO flag on client side, you are told to speak DNSSEC upstream. It can be done per-query, unlike global settings. CD flag means Caching Disabled, which has different meaning and should not be required by every compliant software. Of course it is possible to pass +cd to dig or delv, but it might not be so easy with other validating clients, for example using unbound library.

It could be handled in the same way internally and map DO flag to same meaning of CD, when DNSSEC=no. But it should not require clients to include also CD flag, because they might not be able to configure that.

[poettering]

Nah, DO doesn't mean that. It just means "I'd like to use DO for this transaction, if you please". And we then say "nope, sorry, we were told not to"

[poettering]

CD doesn't mean Caching Disabled btw. It means Checking Disabled.

[poettering]

I mean, we could add a new mode DNSSEC=stub-only or so. If specified we'd do DNSSEC validation if stub clients set DO and otherwie not. but that'd be a new feature

[pemensik]

Nah, DO doesn't mean that. It just means "I'd like to use DO for this transaction, if you please". And we then say "nope, sorry, we were told not to"

Sure, and that is a regression to state before systemd-resolved became default in both Ubuntu and Fedora. Before it this DO flag was enough to receive DNSSEC enabled reply if infrastructure allowed it.

CD doesn't mean Caching Disabled btw. It means Checking Disabled.

Okay, correct. Its meaning is different anyway. It asks remote server to not do validation on their side. Which is default when DNSSEC=no, right? But resolved threats it like "behave like you don't know what DNSSEC is". Why?

I mean, we could add a new mode DNSSEC=stub-only or so. If specified we'd do DNSSEC validation if stub clients set DO and otherwie not. but that'd be a new feature

No, please don't! What I requested was just any DNSSEC data received from forwarder should be passed to stub client. It should not attempt validate them, just try to obtain (and cache) them. If forwarder delivered reply containing DNSSEC, good, pass it to client. If forwarder delivered reply without DNSSEC, okay, pass that to client anyway. If forwarder failed to delivery any reply, then it is broken, deliver SERVFAIL or timeout too.

Validation should be done only at a side of a stub client in this case. systemd-resolved would not validate in any case, it would just include DO flag on forwarded query and do not strip RRSIG and similar when client included DO flag too. It has to strip any RRSIG when client did not include DO flag as usual.

[mcatanzaro]

I don't have a strong opinion on this issue, but consider that downstream distributions will require that the DO flag shall work by default. Such distributions would currently need to default to at least DNSSEC=allow-downgrade, rather than DNSSEC=no as used in Fedora. I don't have a strong opinion about that either, but if that's undesired, then this change is required.

[mcatanzaro]

@poettering it seems to me like this problem would go away if we could safely default to DNSSEC=allow-downgrade. You've previously indicated that is not advisable yet. Can you explain why?

[mcatanzaro]

@poettering could you comment again on this issue, please?

[pemensik]

This issue is still present in latest systemd-251~rc1. Is there anything I could clarify?