zmap/zdns

Allow setting the CD bit to ignore DNSSEC validation

bayerhonza opened this issue · 0 comments

Some public resolvers such as Google Public DNS (8.8.8.8) or Cloudflare DNS (1.1.1.1) perform DNSSEC validation. As a result, domains that are not signed return SERVFAIL.

example:

echo "dnssec-failed.org" | zdns --name-servers 1.1.1.1 a

results in

{"data":{"protocol":"udp","resolver":"1.1.1.1:53"},"name":"dnssec-failed.org","status":"SERVFAIL","timestamp":"2023-02-29T12:00:00+02:00"}

However, when performing DNS scans where we do not want to take the DNSSEC validation result into consideration, it is useful to set the CD bit (RFC 4035) to disable signature validation and receive raw data from the resolver.

The expected result for

echo "dnssec-failed.org" | zdns a --name-servers 1.1.1.1 --checking-disabled

would then be:

{"data":{"additionals":[{"flags":"","type":"EDNS0","udpsize":1232,"version":0}],"answers":[{"answer":"96.99.227.255","class":"IN","name":"dnssec-failed.org","ttl":300,"type":"A"}],"protocol":"udp","resolver":"1.1.1.1:53"},"name":"dnssec-failed.org","status":"NOERROR","timestamp":"2023-02-29T12:00:00+02:00"}

This is not an issue but rather a feature request, and my pull request will follow shortly.

Thx
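What the requested flag has to do on the wire, as an added stand-alone example that is neither zdns code nor the pull request mentioned above: the CD bit is bit 4 (0x0010) of the 16-bit flags word in the DNS header (RFC 1035 section 4.1.1; AD and CD are defined in RFC 4035 section 3), so a "checking disabled" query differs from a normal recursive query by exactly that bit. The Go program below builds a minimal A query with and without CD using only the standard library, decodes the header of a reply so that a SERVFAIL caused by validation can be told apart from an answer returned under CD, and sends the query over UDP if a resolver address is passed on the command line. The two sample reply headers are constructed for the example (not captured from 1.1.1.1), and `SendUDP`, `BuildQuery` and `ParseHeader` are names chosen here, not zdns APIs.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"os"
	"strings"
	"time"
)

// DNS header flag bits, RFC 1035 section 4.1.1 plus the AD/CD bits from RFC 4035 section 3.
const (
	FlagQR uint16 = 1 << 15 // message is a response
	FlagRD uint16 = 1 << 8  // recursion desired
	FlagRA uint16 = 1 << 7  // recursion available
	FlagAD uint16 = 1 << 5  // authentic data: resolver validated the answer
	FlagCD uint16 = 1 << 4  // checking disabled: do not SERVFAIL on a validation failure

	RcodeMask     uint16 = 0x000F
	RcodeNoError  uint16 = 0
	RcodeServFail uint16 = 2

	TypeA   uint16 = 1
	ClassIN uint16 = 1
)

func put16(b []byte, v uint16) []byte { return append(b, byte(v>>8), byte(v)) }

// BuildQuery encodes a minimal recursive A query for name; checkingDisabled sets CD.
func BuildQuery(id uint16, name string, checkingDisabled bool) ([]byte, error) {
	flags := FlagRD
	if checkingDisabled {
		flags |= FlagCD
	}
	msg := make([]byte, 0, 12+len(name)+6)
	msg = put16(msg, id)
	msg = put16(msg, flags)
	msg = put16(msg, 1) // QDCOUNT
	msg = put16(msg, 0) // ANCOUNT
	msg = put16(msg, 0) // NSCOUNT
	msg = put16(msg, 0) // ARCOUNT
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		if len(label) == 0 || len(label) > 63 {
			return nil, fmt.Errorf("invalid label %q in %q", label, name)
		}
		msg = append(msg, byte(len(label)))
		msg = append(msg, label...)
	}
	msg = append(msg, 0) // root label terminates QNAME
	msg = put16(msg, TypeA)
	msg = put16(msg, ClassIN)
	return msg, nil
}

// Header is the decoded fixed 12-byte DNS header.
type Header struct {
	ID               uint16
	Response         bool
	CD, AD           bool
	Rcode            uint16
	QDCount, ANCount uint16
}

// ParseHeader decodes the fixed header, which is enough to distinguish a
// validation SERVFAIL from data handed back because CD was set.
func ParseHeader(msg []byte) (Header, error) {
	if len(msg) < 12 {
		return Header{}, errors.New("message shorter than a DNS header")
	}
	flags := binary.BigEndian.Uint16(msg[2:4])
	return Header{
		ID:       binary.BigEndian.Uint16(msg[0:2]),
		Response: flags&FlagQR != 0,
		CD:       flags&FlagCD != 0,
		AD:       flags&FlagAD != 0,
		Rcode:    flags & RcodeMask,
		QDCount:  binary.BigEndian.Uint16(msg[4:6]),
		ANCount:  binary.BigEndian.Uint16(msg[6:8]),
	}, nil
}

// SendUDP sends query to resolver (e.g. "1.1.1.1:53") and returns the raw reply.
func SendUDP(resolver string, query []byte, timeout time.Duration) ([]byte, error) {
	conn, err := net.DialTimeout("udp", resolver, timeout)
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	_ = conn.SetDeadline(time.Now().Add(timeout))
	if _, err := conn.Write(query); err != nil {
		return nil, err
	}
	buf := make([]byte, 4096)
	n, err := conn.Read(buf)
	if err != nil {
		return nil, err
	}
	return buf[:n], nil
}

// Constructed sample reply headers (not captured traffic): what a validating
// resolver sends for an unsigned-broken name without CD (SERVFAIL) and with CD
// echoed back (NOERROR, one answer, AD clear because nothing was validated).
var (
	SampleServFail = []byte{0x12, 0x34, 0x81, 0x82, 0, 1, 0, 0, 0, 0, 0, 0}
	SampleCDAnswer = []byte{0x12, 0x34, 0x81, 0x90, 0, 1, 0, 1, 0, 0, 0, 0}
)

func main() {
	for _, cd := range []bool{false, true} {
		q, _ := BuildQuery(0x1234, "dnssec-failed.org", cd)
		fmt.Printf("cd=%-5v flags=0x%04x query_bytes=%d\n", cd, binary.BigEndian.Uint16(q[2:4]), len(q))
		if len(os.Args) > 1 { // pass a resolver such as 1.1.1.1:53 to query it live
			if reply, err := SendUDP(os.Args[1], q, 3*time.Second); err == nil {
				h, _ := ParseHeader(reply)
				fmt.Printf("  live: rcode=%d cd=%v ad=%v answers=%d\n", h.Rcode, h.CD, h.AD, h.ANCount)
			}
		}
	}
	for _, s := range [][]byte{SampleServFail, SampleCDAnswer} {
		h, _ := ParseHeader(s)
		fmt.Printf("sample: rcode=%d cd=%v ad=%v answers=%d\n", h.Rcode, h.CD, h.AD, h.ANCount)
	}
}
```

Two caveats worth keeping in mind when scanning with CD set: the resolver echoes CD in its reply, so check that bit (and the transaction ID) on the response rather than trusting the status alone, and the AD bit is only meaningful when it is set on a reply to a query that did not disable checking, since under CD the resolver returns whatever it has without validating it.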