DNS Proxy breaks DNSSEC validation
Hi,
is anyone using the internal DNS Proxy on SonicOS and experienced the problem that DNSSEC validation gets broken for every cached answer? This might break DANE or any other implementation which needs proper DNSSEC validation.
I tested this on an appliance running SonicOS 6.5.4.10 and it can be easily verified with delv:
1st DNS request (cache empty), validation OK

root@INTEL-NUC10i7FNH:~# delv bsi.de
; fully validated
bsi.de. 14032 IN A 80.245.144.218
bsi.de. 14032 IN RRSIG A 8 2 14400 20220501050402 20220421050402 49698 bsi.de. ASDhF4nIAuVQrWg/6/cseOSm/1jR4DUVovhYYBKrt/4ARUiCgUn+j5ft c37+WL81WOS1oHF21r1WQFAmViE/Ml21ePt2x1KfX0x67S9LBbS9Z9tG gbQtkWH1dfUNNyroSks3cUZtSVg72M9QpYVfqE+wG20gpDNczKbG6fLO OTU=

2nd DNS request (bsi.de is in cache), validation failed

root@INTEL-NUC10i7FNH:~# delv bsi.de
;; no valid RRSIG resolving 'de/DS/IN': x.x.x.x#53
;; broken trust chain resolving 'bsi.de/A/IN': x.x.x.x#53
;; resolution failed: broken trust chain
When the cache entry for bsi.de gets flushed it's working again for a single time. Adding the +vtrace Option to the delv command shows the validation process if someone needs details. As a countercheck I disabled the DNS Proxy Cache completely and the validation worked every time.
I'll try to do the same test on a Gen7 appliance next week, but I expect the same outcome.
This might be not an issue for the masses, but nevertheless should be handled properly. Usually I run a proper DNS resolver alongside in DANE scenarios, but this might be not necessary in smaller deployments when done correctly on the Firewall.
--Michael@BWC
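
The repeat-query test described in the post, as an added example that is not part of the original post: a shell script that runs delv several times against one resolver and reports whether validation succeeds only on the first (uncached) lookup. The function names and the three-attempt default are assumptions; the resolver address and name are supplied by the operator.

```shell
#!/bin/sh
# Added example (not from the original post): detect a resolver or DNS proxy
# whose cached answers no longer pass DNSSEC validation in delv.
# Usage: ./delv-repeat.sh <resolver-ip> <signed-name> [attempts]
# Start with the name absent from the proxy cache, as in the post.

# Read delv output on stdin and reduce it to one word.
classify_delv() {
    c_out=$(cat)
    case "$c_out" in
        *"fully validated"*)                        echo validated ;;
        *"broken trust chain"*|*"no valid RRSIG"*)  echo broken ;;
        *"unsigned answer"*)                        echo unsigned ;;
        *)                                          echo unknown ;;
    esac
}

# Take per-attempt results in order and name the overall pattern.
# First attempt validated and a later one broken is the behaviour in the post.
verdict() {
    v_first=$1
    v_all_ok=yes
    v_broken=no
    for v_r in "$@"; do
        if [ "$v_r" != validated ]; then v_all_ok=no; fi
        if [ "$v_r" = broken ]; then v_broken=yes; fi
    done
    if [ "$v_all_ok" = yes ]; then
        echo consistent
    elif [ "$v_first" = validated ] && [ "$v_broken" = yes ]; then
        echo cache-breaks-validation
    else
        echo inconclusive
    fi
}

# Query the same name back to back so later attempts are served from cache.
probe() {
    p_resolver=$1; p_name=$2; p_count=${3:-3}
    p_results=""; p_i=1
    while [ "$p_i" -le "$p_count" ]; do
        p_r=$(delv "@$p_resolver" "$p_name" A 2>&1 | classify_delv)
        echo "attempt $p_i: $p_r" >&2
        p_results="$p_results $p_r"
        p_i=$((p_i + 1))
    done
    verdict $p_results   # word splitting is intended here
}

if [ "$#" -ge 2 ]; then probe "$@"; fi
```

An "inconclusive" result usually means the name was already cached before the first attempt or the zone is unsigned; flush the cache entry and rerun.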