support forwarding to kresd so DNSSEC validation can work
In cases when kresd is run without a configured trust anchor it strips DNSSEC records (like RRSIG). It also happens if kresd thinks that particular zone is insecure. This breaks any validator using this non-validating kresd as forwarder, and also cases where the validating client has a different set of trust anchors than the kresd it forwards to.
Affected version: 96d29c0e
# rm *.mdb && sudo kresd -v &
# dig @127.0.0.1 +dnssec .
[ 0][plan] plan '.' type 'A'
[12071][iter] '.' type 'A' id was assigned, parent id 0
[12071][resl] => using root hints
[15848][iter] '.' type 'A' id was assigned, parent id 0
[15848][resl] => querying: '2001:dc3::35' score: 10 zone cut: '.' m12n: '.' type: 'A' proto: 'udp'
[15848][resl] => querying: '202.12.27.33' score: 10 zone cut: '.' m12n: '.' type: 'A' proto: 'udp'
[15848][iter] <= rcode: NOERROR
[15848][ pc ] => answer cached for TTL=900
[15848][resl] <= server: '2001:dc3::35' rtt: >=285 ms
[15848][resl] <= server: '202.12.27.33' rtt: 35 ms
[ 0][resl] finished: 4, queries: 1, mempool: 16400 B
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41638
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;. IN A
;; AUTHORITY SECTION:
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2017020600 1800 900 604800 86400
;; Query time: 286 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Po úno 06 12:20:15 CET 2017
;; MSG SIZE rcvd: 103
Further inspection in Wireshark showed that the DO bit is received by kresd but not set in queries to upstream servers.
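To make the two symptoms in this report checkable without Wireshark, here is an added example (not part of the report and not kresd code) that builds a DNS query with the EDNS DO bit set, walks a response, and reports whether the forwarder echoed DO and whether any RRSIG records came back. The sample replies are constructed inline to mirror the dig output above (root SOA in AUTHORITY, OPT with DO set, no RRSIG) and a variant with an RRSIG added; the `probe()` helper and its UDP port-53 default are assumptions for live use against a resolver such as a local kresd.

```python
import socket
import struct

# Constructed example, not kresd code: build a DNS query with the EDNS DO bit,
# then inspect a response for whether DO was echoed and whether RRSIGs came back.

DO_FLAG = 0x8000                      # DO bit is the high bit of the OPT "TTL" field
TYPE_A, TYPE_SOA, TYPE_OPT, TYPE_RRSIG = 1, 6, 41, 46


def encode_name(name):
    """Wire-encode a dotted name; '.' becomes the single root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, offset):
    """Read a (possibly compressed) name; return (name, offset just past it)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                     # compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def build_query(name, qtype, txid=0x1234, do=True, udp_size=4096):
    """RD query with one OPT record; DO set unless do=False (like dig +dnssec / +nodnssec)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = encode_name(".") + struct.pack("!HHIH", TYPE_OPT, udp_size, DO_FLAG if do else 0, 0)
    return header + question + opt


def parse_message(data):
    """Walk every section and summarise what matters for the forwarding check."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):
        _, offset = decode_name(data, offset)
        offset += 4                                   # QTYPE + QCLASS
    info = {"rcode": flags & 0xF, "ad": bool(flags & 0x0020),
            "do": False, "rrsig": 0, "answer": an, "authority": ns}
    for _ in range(an + ns + ar):
        _, offset = decode_name(data, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10 + rdlen
        if rtype == TYPE_OPT:
            info["do"] = bool(ttl & DO_FLAG)
        elif rtype == TYPE_RRSIG:
            info["rrsig"] += 1
    return info


def diagnose(info):
    """Interpret a response to a DO=1 query for a zone known to be signed (e.g. '.')."""
    if not info["do"]:
        return "forwarder did not echo the DO bit"
    if info["rrsig"] == 0:
        return "DO echoed but no RRSIG returned: forwarder is stripping DNSSEC records"
    return "ok"


def probe(server, name=".", qtype=TYPE_A, timeout=3.0):
    """Live check against a resolver (assumed UDP port 53; not run by the test)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        data, _ = s.recvfrom(4096)
    return diagnose(parse_message(data))


def make_sample_response(include_rrsig):
    """Constructed reply mirroring the dig output in the report: '.' A, NOERROR,
    root SOA in AUTHORITY, OPT with DO set; optionally an RRSIG over the SOA."""
    ns_count = 2 if include_rrsig else 1
    header = struct.pack("!HHHHHH", 41638, 0x8180, 1, 0, ns_count, 1)   # qr rd ra
    question = encode_name(".") + struct.pack("!HH", TYPE_A, 1)
    soa_rdata = (encode_name("a.root-servers.net.") + encode_name("nstld.verisign-grs.com.")
                 + struct.pack("!IIIII", 2017020600, 1800, 900, 604800, 86400))
    records = encode_name(".") + struct.pack("!HHIH", TYPE_SOA, 1, 86400, len(soa_rdata)) + soa_rdata
    if include_rrsig:
        # type covered, algorithm, labels, original TTL, expiration, inception, key tag,
        # signer name, then a placeholder signature (constructed, not a real one)
        rrsig_rdata = (struct.pack("!HBBIIIH", TYPE_SOA, 8, 0, 86400, 0, 0, 0)
                       + encode_name(".") + b"\x00" * 16)
        records += encode_name(".") + struct.pack("!HHIH", TYPE_RRSIG, 1, 86400, len(rrsig_rdata)) + rrsig_rdata
    opt = encode_name(".") + struct.pack("!HHIH", TYPE_OPT, 4096, DO_FLAG, 0)
    return header + question + records + opt


if __name__ == "__main__":
    print("stripped:", diagnose(parse_message(make_sample_response(False))))
    print("signed  :", diagnose(parse_message(make_sample_response(True))))
```

Run against the page's own scenario (`probe("127.0.0.1")` with kresd listening locally), the root zone is signed, so a DO=1 query that returns the root SOA without an RRSIG is exactly the stripping described above; a missing DO bit in the reply's OPT would instead point at the EDNS option being dropped on the way back. The check only ever sends a normal recursive query, so it is safe to run from any client that is already allowed to use the resolver.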