[Dnssec-trigger] DNSSEC Roadblock Avoidance and the wildcard NSEC/NSEC3 issue

Pavel Simerda psimerda at redhat.com
Fri Nov 14 13:42:01 UTC 2014


Hello,

I recently came across the DNSSEC Roadblock Avoidance draft[1] as well as
an issue[2] with older BIND versions being detected as DNSSEC capable while
incapable of correctly supporting DNSSEC on domains with wildcards.

[1] http://tools.ietf.org/html/draft-ietf-dnsop-dnssec-roadblock-avoidance-01
[2] https://bugzilla.redhat.com/show_bug.cgi?id=824219

We identified a need to check the DNSSEC Aware[3] resolver for NSEC/NSEC3 on
a domain with wildcard subdomains. I created a trivial patch[4] for dnssec-trigger
that replaces the NSEC3 testing domains with wildcard ones and plan to test it
with a broken name server and update the test accordingly.

[3] http://tools.ietf.org/html/draft-ietf-dnsop-dnssec-roadblock-avoidance-01#section-4.1
[4] https://bugzilla.redhat.com/show_bug.cgi?id=824219#c46

I realized that dnssec-trigger doesn't specifically check for NSEC support and
only performs an NSEC3 test. I'm curious whether we should add a specific NSEC test
to dnssec-trigger.

On the other hand, the draft doesn't talk about wildcard records at all, so
I suspect it ignores this issue present in actual deployments. I propose that
the draft be extended to also include wildcard NSEC/NSEC3 tests.

As a side note, when I was at LinuxCon Dusseldorf, I found out that the local
network configuration was very bad from the DNS/DNSSEC perspective. I couldn't
make most tools work with that network at all. EDNS queries were answered with
NXDOMAIN. TCP queries weren't answered at all. UDP queries to external servers
were answered from the local servers (with a wrong source IP). TCP queries to
external servers worked.

In such a case I would expect dnssec-trigger to configure unbound either
to use authoritative servers over TCP, or to use a TCP 80/443 fallback
(as configured in dnssec-trigger.conf), which wasn't the case. I wonder whether
a tool implementing the draft would cope with such a situation.

Cheers,

Pavel
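The wildcard check discussed in the message above, written out as an added
example. This is not dnssec-trigger's probe code and not text from the draft;
it only illustrates what such a probe has to look for. Per RFC 4034 section
3.1.3, an RRSIG whose "labels" field is smaller than the number of labels in
the owner name of the signed RRset was produced over a wildcard, and per RFC
4035 section 5.3.4 a validator can only accept such an answer when the
response also carries the NSEC or NSEC3 record proving that no closer name
exists. A resolver that is "DNSSEC capable" but drops that denial record for
wildcard-expanded names (the class of behaviour the bug report describes)
therefore yields answers a validator must treat as bogus. The code below
parses a DNS response in wire format and flags exactly that condition. The
messages it parses are constructed inline, with placeholder signer, key tag
and signature bytes, and no signature is cryptographically verified; a real
probe would send the query with the EDNS DO bit to the resolver under test
and feed the returned bytes to check_wildcard_proof().

```python
import struct

# RR type numbers from the IANA DNS parameters registry.
TYPE_A, TYPE_OPT, TYPE_RRSIG, TYPE_NSEC, TYPE_NSEC3 = 1, 41, 46, 47, 50
FLAG_AD = 0x0020  # Authenticated Data bit in the header flags


def encode_name(name):
    """Wire-encode a dotted domain name without compression."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg, off):
    """Decode a possibly compressed name; return (label list, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if end is None:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return labels, (end if end is not None else off)


def parse_message(msg):
    """Split a DNS message into header flags and (owner, type, rdata) tuples per section."""
    _ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):                           # skip the question section
        _owner, off = read_name(msg, off)
        off += 4
    sections = {"answer": [], "authority": [], "additional": []}
    for name, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = read_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            sections[name].append((owner, rtype, msg[off:off + rdlen]))
            off += rdlen
    return flags, sections


def check_wildcard_proof(msg):
    """Decide whether a signed answer synthesised from a wildcard carries the
    NSEC/NSEC3 record a validator needs. Signatures are not verified here."""
    flags, secs = parse_message(msg)
    result = {"ad": bool(flags & FLAG_AD), "rcode": flags & 0x000F,
              "edns": any(t == TYPE_OPT for _, t, _ in secs["additional"]),
              "wildcard_expanded": False, "has_denial": False}
    for owner, rtype, rdata in secs["answer"]:
        if rtype == TYPE_RRSIG:
            _covered, _alg, labels = struct.unpack("!HBB", rdata[:4])
            # RFC 4034 s3.1.3: an RRSIG labels field smaller than the owner's
            # label count means the RRset was expanded from a wildcard.
            if labels < len(owner):
                result["wildcard_expanded"] = True
    result["has_denial"] = any(t in (TYPE_NSEC, TYPE_NSEC3) for _, t, _ in secs["authority"])
    # A wildcard-expanded answer is only verifiable together with its denial proof.
    result["ok"] = (not result["wildcard_expanded"]) or result["has_denial"]
    return result


def build_response(include_proof, wildcard=True):
    """Constructed response for host.example./A as a probe might receive it.
    Signer, key tag and signature bytes are placeholders, not real
    cryptographic material; only the structure matters for the check above."""
    def rr(owner, rtype, ttl, rdata, rclass=1):
        return encode_name(owner) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
    ns_count = 1 if include_proof else 0
    msg = struct.pack("!6H", 0x1234, 0x8180 | FLAG_AD, 1, 2, ns_count, 1)
    msg += encode_name("host.example.") + struct.pack("!HH", TYPE_A, 1)
    msg += rr("host.example.", TYPE_A, 300, bytes([192, 0, 2, 1]))
    # labels=1 says the signature covers *.example.; labels=2 means host.example. itself.
    rrsig = struct.pack("!HBBIIIH", TYPE_A, 13, 1 if wildcard else 2, 300, 1420070400, 1415000000, 12345)
    rrsig += encode_name("example.") + b"\x00" * 64   # placeholder signature
    msg += rr("host.example.", TYPE_RRSIG, 300, rrsig)
    if include_proof:
        # *.example. NSEC example. with a type bitmap listing A, RRSIG and NSEC
        bitmap = bytes([0, 6, 0x40, 0, 0, 0, 0, 0x03])
        msg += rr("*.example.", TYPE_NSEC, 300, encode_name("example.") + bitmap)
    # OPT pseudo-RR: UDP size 4096 in the class field, DO bit in the TTL field
    msg += rr(".", TYPE_OPT, 0x00008000, b"", rclass=4096)
    return msg


if __name__ == "__main__":
    for proof in (True, False):
        print("proof present" if proof else "proof missing", check_wildcard_proof(build_response(proof)))
```

The check deliberately ignores the AD bit: a resolver that sets AD while
omitting the wildcard denial record is precisely the case a probe must catch,
since a downstream validator such as unbound will reject the answer regardless
of what the upstream claimed.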



More information about the dnssec-trigger mailing list