PowerDNS Recursor version 4 supports DNSSEC validation
23 September 2016
With the launch of version 4, the PowerDNS Recursor now also supports DNSSEC validation. The new feature is currently still experimental, but the developers say it works well. "The underlying design philosophy is that legitimate look-ups shouldn't be refused, since that results in sites and services being unavailable to end users."
Validation by the Recursor has been on the agenda for some time, but has had to wait for refinement of the DNSSEC implementation on the PowerDNS authoritative server. Protection against DDoS/amplification attacks has also been a high priority in recent years, leading to development of the dnsdist load balancer, for example.
Because the Netherlands leads the way on the signing of its domain names, but lags behind in terms of validation by internet access providers, SIDN has provided financial support for the implementation of validation on the Recursor. For the same reason, the registry is also working on its own (validating) DNS service, along the lines of Google Public DNS and OpenDNS (now under the Cisco umbrella).
The PowerDNS Recursor is used in the Netherlands by a handful of large ISPs. So, for example, XS4All — which recently switched from BIND named to the PowerDNS server for their authoritative DNS service — is experimenting with the validating PowerDNS Recursor. That is in addition to using Unbound for validation on some of their existing resolvers. Outside the Netherlands, the PowerDNS Recursor is being used by a major telecom service provider in a neighbouring country and by a pan-European cable service provider.
PowerDNS versus Unbound and BIND named
Compared with Unbound and BIND named, the main thing that distinguishes the PowerDNS Recursor is that its developers have taken a very pragmatic approach. "The underlying design philosophy is that legitimate look-ups shouldn't be refused, since that results in sites and services being unavailable to end users", says Senior Engineer Peter van Dijk. "We see avoiding issues as the priority, even if that means that the occasional query gets through despite the DNSSEC chain not being entirely in order."
Such thinking has led the PowerDNS team to different design decisions from those made by the developers of Unbound and BIND. A more academic approach was chosen for Unbound and BIND, following the RFCs as closely as possible. However, all three software packages provide very effective tools. The user can therefore choose the solution that suits them best.
Negative Trust Anchors
In the light of experience, a certain pragmatism has been forced upon Unbound as well. For example, records whose signatures have expired can now be forwarded, as long as the signatures have not exceeded their lifetimes by more than 10 per cent (see the 'val-sig-skew-min' and 'val-sig-skew-max' options).
The PowerDNS Recursor now supports the whitelisting of problematic/bogus addresses — in DNSSEC terms, the addition of Negative Trust Anchors (NTAs, as defined in RFC 7646) — both permanently in the configuration file and temporarily in run-time. The latter option means that, for example, an end user who calls about an unreachable site can be given immediate assistance. A few years ago, when there were far more DNSSEC configuration errors in the .nl zone than now, the cost of handling complaint calls prompted T-Mobile to disable validation for mobile users, after previously supporting it.
RPZ, Lua and Curve25519
Another new feature in version 4 of the PowerDNS Recursor is support for RPZ (Response Policy Zone). The mechanism resembles the DNSBL/RBL protocol, which is used to query Spamhaus Project blacklists, for example. However, whereas DNSBL/RBL returns only a 'yes' or a 'no', RPZ responses can include more detailed information about reputation and policies. Both mechanisms are based on the DNS infrastructure.
Finally, the makers of PowerDNS hope to enable support for the elliptic curve crypto-algorithm Curve25519 in a future version. That protocol is the basis for DNSCurve, an alternative to DNSSEC devised by Daniel J. Bernstein, which didn't take off. Curve25519 cryptography is currently being standardised by the IETF for use in DNSSEC. Once standardisation is complete, Curve25519 can be added to IANA's DNSSEC algorithm list.
Traditional Dutch product
"We've built up considerable DNS expertise in the Netherlands", says Marco Davids, Research Engineer at SIDN, and we can be proud of that. PowerDNS is a traditional Dutch product that's achieved global prominence purely on the basis of quality: their authoritative name server is a byword. With new developments, such as dnsdist and the new (DNSSEC) features in the Recursor, they are reinforcing their position. We're very happy with the good relations and the popularity of PowerDNS amongst registrars and DNS operators. A lot of them are major, global players. "