DoH client side DNSSEC validation

Hi, I am the author of a JavaScript DoH DNS client.
I am currently trying to test my implementation of RFC3225 and client-side DNSSEC validation.

I am trying to determine if I have failed to correctly implement the spec. As far as I can find, Cloudflare is simply ignoring the DO bit. Cloudflare's response has the DO bit unset, which suggests that DoH does not have DNSSEC support. I am expecting the RRSIG record to be included in the response.

Can anyone confirm that Cloudflare DoH supports DNSSEC requests?

I have converted my JavaScript to bash to help illustrate:

echo 'AAABAAABAAAAAAABB2V4YW1wbGUGaTJsYWJzAmNhAAABAAEAACkQAAAAIAAAAA==' | base64 -d | hexdump -C
00000000  00 00 01 00 00 01 00 00  00 00 00 01 07 65 78 61  |.............exa|
00000010  6d 70 6c 65 06 69 32 6c  61 62 73 02 63 61 00 00  |mple.i2labs.ca..|
00000020  01 00 01 00 00 29 10 00  00 00 20 00 00 00        |.....).... ...|
0000002e

curl -s -H'Accept: application/dns-message' 'https://cloudflare-dns.com/dns-query?dns=AAABAAABAAAAAAABB2V4YW1wbGUGaTJsYWJzAmNhAAABAAEAACkQAAAAIAAAAA' | hexdump -C
00000000  00 00 81 80 00 01 00 01  00 00 00 01 07 65 78 61  |.............exa|
00000010  6d 70 6c 65 06 69 32 6c  61 62 73 02 63 61 00 00  |mple.i2labs.ca..|
00000020  01 00 01 c0 0c 00 01 00  01 00 00 01 2c 00 04 00  |............,...|
00000030  00 00 00 00 00 29 04 d0  00 00 00 00 00 00        |.....)........|
0000003e

To reiterate RFC1035, the first 12 bytes are the header, followed by the question, which is a string with an additional 4 bytes.
The EDNS0 OPT pseudo-record follows with a string, 6 bytes, and then the DO bit and an additional 4 bytes (0x2000 = 0b10000000000000). You can see that the DO bit is set at the end of the encoded request.

The response, also trailed by the EDNS0 OPT pseudo-record, does not have the DO bit set. I am trying to determine if there is a mistake in my understanding or if Cloudflare has failed to implement DNSSEC over DoH.

@MoreHelp Can a Cloudflare engineer confirm that DNSSEC is supported over DoH?

Have you tried this?

https://dnssec.vs.uni-due.de/

Thanks, although unless I am missing something this doesn’t appear to test via DoH.

I am looking to verify that the RRSIG record can be requested via DoH.

What DNS do you think it’s using?

This is using the browser's (likely OS-supplied) DNS resolver and simply making an AJAX request against a domain with invalid DNSSEC.
The JavaScript detects the failed request and reports that the resolver successfully validated the response.

After staring at this for far too long, I failed to pack the DO bit in the correct offset. It should have been 0x80 rather than 0x20.
Once making that change I was able to successfully retrieve the RRSIG record with the request over DoH.

DNSSEC support over DoH confirmed.
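Added example, not the poster's client and not Cloudflare code: Node.js that builds the same query with the DO bit at the offset the last post arrives at (byte 0x80 of the OPT TTL field, not 0x20) and walks a wire-format message to read the OPT flags back and count RRSIG records. The sample bytes are the request and response pasted in the first post; the function names, the 4096-byte payload size and the RD-only header flags are assumptions.

```javascript
// EDNS0 OPT layout (RFC 6891): NAME "." | TYPE 41 | CLASS = UDP payload size |
// TTL = ext-RCODE(1) version(1) flags(2), DO is the top flag bit | RDLEN. Node.js Buffer API.
const TYPE_OPT = 41, TYPE_RRSIG = 46;

function encodeName(name) {                       // "a.b" -> 01 61 01 62 00
  const labels = name.replace(/\.$/, '').split('.');
  const parts = labels.map(l => Buffer.concat([Buffer.from([l.length]), Buffer.from(l, 'ascii')]));
  return Buffer.concat([...parts, Buffer.from([0])]);
}

function buildQuery(name, qtype = 1, wantDnssec = true) {
  const header = Buffer.alloc(12);                // ID left 0 so the GET URL is cache friendly (RFC 8484)
  header.writeUInt16BE(0x0100, 2);                // flags: RD
  header.writeUInt16BE(1, 4);                     // QDCOUNT
  header.writeUInt16BE(1, 10);                    // ARCOUNT: the OPT pseudo-record
  const question = Buffer.from([qtype >> 8, qtype & 0xff, 0, 1]); // QTYPE, QCLASS IN
  const opt = Buffer.alloc(11);                   // byte 0 is the root name
  opt.writeUInt16BE(TYPE_OPT, 1);
  opt.writeUInt16BE(4096, 3);                     // advertised UDP payload size (assumed value)
  opt.writeUInt16BE(wantDnssec ? 0x8000 : 0, 7);  // DO lives in byte 7 as 0x80; 0x20 is an unassigned bit
  return Buffer.concat([header, encodeName(name), question, opt]);
}

function skipName(buf, off) {                     // offset just past a (possibly compressed) name
  for (;;) {
    const len = buf[off];
    if (len === 0) return off + 1;
    if ((len & 0xc0) === 0xc0) return off + 2;    // compression pointer ends the name
    off += 1 + len;
  }
}

function inspectMessage(buf) {                    // walks every RR; reports OPT flags and RRSIG count
  const [qd, an, ns, ar] = [4, 6, 8, 10].map(o => buf.readUInt16BE(o));
  let off = 12;
  for (let i = 0; i < qd; i++) off = skipName(buf, off) + 4;   // QNAME + QTYPE + QCLASS
  const out = { doBit: false, udpPayloadSize: null, rrsigCount: 0 };
  for (let i = 0; i < an + ns + ar; i++) {
    off = skipName(buf, off);
    const type = buf.readUInt16BE(off), cls = buf.readUInt16BE(off + 2), ttl = buf.readUInt32BE(off + 4);
    if (type === TYPE_OPT) { out.udpPayloadSize = cls; out.doBit = (ttl & 0x8000) !== 0; }
    if (type === TYPE_RRSIG) out.rrsigCount++;
    off += 10 + buf.readUInt16BE(off + 8);        // fixed fields + RDATA
  }
  return out;
}

// The request and response bytes from the first post (the request still carries the 0x20 bug).
const POSTED_REQUEST = Buffer.from('AAABAAABAAAAAAABB2V4YW1wbGUGaTJsYWJzAmNhAAABAAEAACkQAAAAIAAAAA==', 'base64');
const POSTED_RESPONSE = Buffer.from('000081800001000100000001076578616d706c650669326c61627302636100' +
  '00010001c00c000100010000012c00040000000000002904d0000000000000', 'hex');
```

Running inspectMessage over POSTED_REQUEST shows doBit false, which is why the resolver answered without RRSIGs; buildQuery('example.i2labs.ca') differs from the posted bytes only at byte 42.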
