Unbound recursive server not setting AD flag

Question

I am running Unbound 1.9.0 as a recursive caching DNS server for a small branch office. It recurses over TLS towards cloudflare only and it has a typetransparent local-zone (example.com) overriding some of the public records from the public authoritative servers.

I am deploying SSHFP records across my organization and since unbound is not setting the AD flag (DNSSEC) the SSH client says "Matching host key fingerprint found in DNS" but still asks whether i trust the server fingerprint or not. Tested with ssh -o "VerifyHostKeyDNS yes" user@test.example.com

Evidence of the issue at the end of this post.

The https://dnssec.vs.uni-due.de/ test returns OK from each LAN client. Test clients are using the following /etc/resolv.conf (NetworkManager 1.10.6, no systemd-resolved, no dnsmasq).

search example.com
nameserver 192.168.1.100

These are the relevant parts from /etc/unbound/unbound.conf:

interface: 192.168.1.100
interface: 192.168.1.100@853

tls-port: 853
tls-service-key: /etc/unbound/mycert.pem
tls-service-pem: /etc/unbound/mykey.key

max-udp-size: 65536
do-udp: yes
do-tcp: yes
tcp-upstream: no

module-config: "validator iterator"

hide-identity: yes
hide-version: yes
identity: "Not Supported"
version: "0"

qname-minimisation: yes
harden-short-bufsize: yes
harden-large-queries: yes
harden-glue: yes
harden-dnssec-stripped: yes
harden-below-nxdomain: yes
harden-referral-path: yes
use-caps-for-id: yes

prefetch-key: yes
rrset-roundrobin: yes
minimal-responses: yes
val-clean-additional: yes
val-permissive-mode: no

#FORWARD
forward-zone:
    forward-tls-upstream: yes
    name: "."
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com

#LOCAL ZONE
local-zone: example.com typetransparent
local-data: "gw.example.com  A 192.168.1.1"
local-data-ptr: "192.168.1.1 gw.example.com"

Evidence of the issue using dig

# DIRECTLY QUERYING CLOUDFLARE SHOWS THE AD FLAG :

user@testclient:~$ dig -t SSHFP test.example.com +dnssec @1.1.1.1

; <<>> DiG 9.11.3-1ubuntu1.15-Ubuntu <<>> -t SSHFP test.example.com +dnssec @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54559
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;test.example.com.      IN  SSHFP

;; ANSWER SECTION:
test.example.com.   300 IN  SSHFP   1 2 xxx yyy
test.example.com.   300 IN  SSHFP   2 2 xxx yyy
test.example.com.   300 IN  SSHFP   3 2 xxx yyy
test.example.com.   300 IN  SSHFP   4 2 xxx yyy
test.example.com.   300 IN  RRSIG   SSHFP 13 3 300 20211017181912 20211015161912 34505 example.com. zzz==


;; Query time: 19 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sat Oct 16 19:32:33 CEST 2021
;; MSG SIZE  rcvd: 334


# AD FLAG MISSING WHEN QUERYING THE LOCAL UNBOUND:

user@testclient:~$ dig -t SSHFP test.example.com +dnssec @192.168.1.100

; <<>> DiG 9.11.3-1ubuntu1.15-Ubuntu <<>> -t SSHFP test.example.com +dnssec @192.168.1.100
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54559
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;test.example.com.      IN  SSHFP

;; ANSWER SECTION:
test.example.com.   2670    IN  SSHFP   1 2 xxx yyy
test.example.com.   2670    IN  SSHFP   2 2 xxx yyy
test.example.com.   2670    IN  SSHFP   3 2 xxx yyy
test.example.com.   2670    IN  SSHFP   4 2 xxx yyy
test.example.com.   2670    IN  RRSIG   SSHFP 13 3 300 20211017181912 20211015161912 34505 example.com. zzz==


;; Query time: 2 msec
;; SERVER: 192.168.1.100#53(192.168.1.100)
;; WHEN: Sat Oct 16 19:32:33 CEST 2021
;; MSG SIZE  rcvd: 334

Unbound recursive server not setting AD flag

0 Answers0