Every other field required to perform DNSSEC validation is returned by these APIs, and the API protocol formats from Google and CloudFlare are exactly the same, yet both of them specifically omit the DS RRSIG field.

Why is this the case? I figure we're just doing DNS lookup, but over HTTPS, so why is this field specifically omitted?

We've tried getting in touch but haven't had much luck digging into it.

Daniel Stenberg
Paul Shapiro
  • Can you specify? Do you do a DS query and not get a reply? Otherwise the DS just by itself is pretty useless: the resolver is validating, so it replies to you telling you if the answer validates, and for this among other things it had to use DS records, but they are only intermediaries in its computation to see if it is DNSSEC validated or not. It gives you the results: the answer is authenticated or not, which is what you need to know. What do you want to do specifically with DS records? – Patrick Mevzek May 19 '18 at 18:14
  • hey @PatrickMevzek - we want to do the DNSSEC validation ourselves and the DS RRSIG is necessary for that. We're querying for RRSIG records in the APIs. That returns a bunch of RRSIGs but none of them cover the DS record set—which is what we need. An example can be found at: https://dns.google.com/resolve?name=dnssec-validator.cz&type=RRSIG Note how there're no DS RRSIGs, but it is clearly in there. Best, – Paul Shapiro May 20 '18 at 01:24
  • If you want to do the DNSSEC validation yourself, it is great but then why depend on some external nameserver? Why not do the recursive queries yourself? If you query for domain X the DS is in parent zone and hence you need the RRSIG also from the parent zone. Have a look at dnssec-trigger and stubby as software. – Patrick Mevzek May 20 '18 at 01:38
  • hey @PatrickMevzek the reason is we're in an environment where we need to do that. Simple as that :) – Paul Shapiro May 20 '18 at 01:41
  • I still think it could not be done. When you query for domain X, at the end of the line the authoritative nameservers for X will reply to you... however they will never be able to give you data about a DS record, simply because they do not have it, as it sits in their parent. So it is not an explicit ban on returning it, just that it does not sit where the other data is. – Patrick Mevzek May 20 '18 at 03:46
  • @PatrickMevzek The thing is, we do query the parent and in the reply we get access to the DS record published there. But querying for RRSIGs in the parent still doesn't return an RRSIG that covers that DS record. It definitely exists there .. the API is just not exposing it. – Paul Shapiro May 21 '18 at 13:13
  • We figured out a way to do it using the DNS wire format. Looks like we're not crazy after all.. :) – Paul Shapiro Jun 06 '18 at 17:27
  • Post it as an answer then and validate it to close the question and for the benefits of others. Thanks. – Patrick Mevzek Jun 06 '18 at 18:05
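The last comments say the problem was solved by switching from the JSON API to DNS wire format. As an added illustration (not code from the question or from either provider), the Python below builds a wire-format DS query with the EDNS DO bit set and parses a reply to check whether it carries an RRSIG whose "type covered" field is DS; the reply is a constructed sample, and in practice the query bytes are sent to the resolver's DoH endpoint with Content-Type application/dns-message.

```python
import struct
DS, RRSIG, OPT = 43, 46, 41  # RR type codes used below

def encode_name(name):  # dotted name -> wire-format labels
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

def build_query(name, qtype, txid=0x1234):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 OPT
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT pseudo-RR: root owner, UDP size 4096, ext-rcode 0, version 0, flags with DO=1, no rdata.
    opt = b"\x00" + struct.pack("!HHBBHH", OPT, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def read_name(msg, off):  # decode a possibly compressed name -> (name, next offset)
    labels, end = [], None
    while True:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:  # compression pointer: remember where we left off
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode()); off += ln
    return ".".join(labels) + ".", (off if end is None else end)

def records(msg):  # list of (owner, type, type_covered) for every RR after the question
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off, out = 12, []
    for _ in range(qd):
        _, off = read_name(msg, off); off += 4  # skip qtype + qclass
    for _ in range(an + ns + ar):
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        covered = struct.unpack("!H", rdata[:2])[0] if rtype == RRSIG else None
        out.append((owner, rtype, covered))
    return out

def has_ds_rrsig(msg):  # the check the JSON API could not satisfy
    return any(t == RRSIG and c == DS for _, t, c in records(msg))

def sample_response():  # constructed message, not a capture: DS + RRSIG(DS) with truncated rdata
    header = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 2, 0, 0)  # QR, RD, RA, AD set; 2 answers
    question = encode_name("example.") + struct.pack("!HH", DS, 1)
    ds = b"\xc0\x0c" + struct.pack("!HHIH", DS, 1, 3600, 4) + b"\x00\x01\x02\x03"
    rrsig = b"\xc0\x0c" + struct.pack("!HHIH", RRSIG, 1, 3600, 4) + struct.pack("!HBB", DS, 8, 1)
    return header + question + ds + rrsig
```

Without the DO bit in the OPT record a validating resolver strips the RRSIGs, so the flag is the part that matters when reproducing this against a real endpoint.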