PowerDNS Recursor version 4 supports DNSSEC validation

23 September 2016

With the launch of version 4, the PowerDNS Recursor now also supports DNSSEC validation. The new feature is currently still experimental, but the developers say it works well. "The underlying design philosophy is that legitimate look-ups shouldn't be refused, since that results in sites and services being unavailable to end users."

Validation by the Recursor has been on the agenda for some time, but has had to wait for refinement of the DNSSEC implementation on the PowerDNS authoritative server. Protection against DDoS/amplification attacks has also been a high priority in recent years, leading to development of the dnsdist load balancer, for example.

Because the Netherlands leads the way on the signing of its domain names, but lags behind in terms of validation by internet access providers, SIDN has provided financial support for the implementation of validation on the Recursor. For the same reason, the registry is also working on its own (validating) DNS service, along the lines of Google Public DNS and OpenDNS (now under the Cisco umbrella).

Users

The PowerDNS Recursor is used in the Netherlands by a handful of large ISPs. So, for example, XS4All — which recently switched from BIND named to the PowerDNS server for their authoritative DNS service — is experimenting with the validating PowerDNS Recursor. That is in addition to using Unbound for validation on some of their existing resolvers. Outside the Netherlands, the PowerDNS Recursor is being used by a major telecom service provider in a neighbouring country and by a pan-European cable service provider.

PowerDNS versus Unbound and BIND named

Compared with Unbound and BIND named, the main thing that distinguishes the PowerDNS Recursor is that its developers have taken a very pragmatic approach. "The underlying design philosophy is that legitimate look-ups shouldn't be refused, since that results in sites and services being unavailable to end users", says Senior Engineer Peter van Dijk. "We see avoiding issues as the priority, even if that means that the occasional query gets through despite the DNSSEC chain not being entirely in order."

Such thinking has led the PowerDNS team to different design decisions from those made by the developers of Unbound and BIND. A more academic approach was chosen for Unbound and BIND, following the RFCs as closely as possible. However, all three software packages provide very effective tools. The user can therefore choose the solution that suits them best.

Negative Trust Anchors

In the light of experience, a certain pragmatism has been forced upon Unbound as well. For example, records whose signatures have expired can now be forwarded, as long as the signatures have not exceeded their lifetimes by more than 10 per cent (see the 'val-sig-skew-min' and 'val-sig-skew-max' options).

The PowerDNS Recursor now supports the whitelisting of problematic/bogus addresses — in DNSSEC terms, the addition of Negative Trust Anchors (NTAs, as defined in RFC 7646) — both permanently in the configuration file and temporarily in run-time. The latter option means that, for example, an end user who calls about an unreachable site can be given immediate assistance. A few years ago, when there were far more DNSSEC configuration errors in the .nl zone than now, the cost of handling complaint calls prompted T-Mobile to disable validation for mobile users, after previously supporting it.

RPZ, Lua and Curve25519

Another new feature in version 4 of the PowerDNS Recursor is support for RPZ (Response Policy Zone). The mechanism resembles the DNSBL/RBL protocol, which is used to query Spamhaus Project blacklists, for example. However, whereas DNSBL/RBL returns only a 'yes' or a 'no', RPZ responses can include more detailed information about reputation and policies. Both mechanisms are based on the DNS infrastructure.

In addition, the Recursor's Lua scripting facility now utilises LuaWrapper.

Finally, the makers of PowerDNS hope to enable support for the elliptic curve crypto-algorithm Curve25519 in a future version. That protocol is the basis for DNSCurve, an alternative to DNSSEC devised by Daniel J. Bernstein, which didn't take off. Curve25519 cryptography is currently being standardised by the IETF for use in DNSSEC. Once standardisation is complete, Curve25519 can be added to IANA's DNSSEC algorithm list.

Traditional Dutch product

"We've built up considerable DNS expertise in the Netherlands", says Marco Davids, Research Engineer at SIDN, and we can be proud of that. PowerDNS is a traditional Dutch product that's achieved global prominence purely on the basis of quality: their authoritative name server is a byword. With new developments, such as dnsdist and the new (DNSSEC) features in the Recursor, they are reinforcing their position. We're very happy with the good relations and the popularity of PowerDNS amongst registrars and DNS operators. A lot of them are major, global players. "

Comments

  • Wednesday 9 January 2019

    SIDN Labs

    A new year, a new research agenda

    Thumb-magnifying-glass-with-year-2019

    Five challenges, two research areas

    Read more
  • Tuesday 11 December 2018

    .nl-domainname

    Get the best domain name for your business: use the SIDN checklist!

    zzpthumbnail

    Need a domain name that'll win you customers. Use our checklist!

    Read more
  • Tuesday 7 May 2019

    Internet security

    "By taking a few simple precautions, you can protect yourself against 99% of threats"

    Maria-Genova-thumbnail

    Een interview met onderzoeksjournalist en schrijfster Maria Genova, auteur van Komt een vrouw bij de h@cker

    Read more

Sorry

Your browser is too old to optimally experience this website. Upgrade your browser to improve your experience.