DNSServiceQueryRecord and DNSSEC

App & System Services Networking
cmittendorf OP
Created Feb ’18
Replies 4
Boosts 0
Views 1.2k
Participants 2

Hi there,


I'm currently working on the network part of my appliation where I require a DNS response being validated using DNSSEC. I use DNSServiceQueryRecord for the query and 

kDNSServiceFlagsValidate
as a flag parameter.


However, I want to query for DNSServiceType 52, a type which isn't defined in the header.


The callback is called correctly, but the validation result does always contain: 

kDNSServiceFlagsBogus.


The documentation says:


If the response cannot be verified to be secure due to expired signatures, missing signatures, and so on, then the results are considered to be bogus.


How can I find out more information about the error (RFC 4033 has some information for the "bogus" response)? How should I treat the 'bogus' response? The dnssd API describes the following four result codes:


  • kDNSServiceFlagsSecure - The response has been validated by verifying all the signature …
  • kDNSServiceFlagsInsecure - A chain of trust cannot be built …
  • kDNSServiceFlagsBogus - If the response cannot be verified to be secure due …
  • kDNSServiceFlagsIndeterminate - There is no valid trust anchor that can be used …


Regards,

Christian

Answered by cmittendorf in 294791022

Thanks for your support … but it is no longer necessary. My latest research on this issue showed, that the answer from dnssd that the DNSSEC validation is kDNSServiceFlagsBogus, is correct.


I used the commandline tool "delv" (from the bind package, see brew list bind|grep delv) and "dnsviz" (brew info dnsviz) to verify that the trust chain is indeed broken and that the DNSSEC status is therefore kDNSServiceFlagsBogus. So everything is working as it should - except the nameserver configuration.


Best regards,

Christian

Replies  4
Boosts  0
Views  1.2k
Participants  2
DTS Engineer OP
Apple
Feb ’18

I don’t know the answer to your question and it is too complex for me to research in the context of DevForums. If no one else chimes in, you should open a DTS tech support incident, which will allow me to spend the time required to investigate it properly.

Also, you you might try posting over on the bonjour-dev mailing list. There’s a bunch of folks with deep DNS experience lurking over there.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
0
cmittendorf OP
Feb ’18

Thanks for your reply! I followed your advice and created a DTS support incident with a demo project.


Regards

Christian

0
DTS Engineer OP
Apple
Feb ’18

Cool. It’s already been routed to my queue. I’m on vacation today but I should be able to get back to you officially tomorrow.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
0
cmittendorf OP
Feb ’18
Accepted Answer

Thanks for your support … but it is no longer necessary. My latest research on this issue showed, that the answer from dnssd that the DNSSEC validation is kDNSServiceFlagsBogus, is correct.


I used the commandline tool "delv" (from the bind package, see brew list bind|grep delv) and "dnsviz" (brew info dnsviz) to verify that the trust chain is indeed broken and that the DNSSEC status is therefore kDNSServiceFlagsBogus. So everything is working as it should - except the nameserver configuration.


Best regards,

Christian

0
DNSServiceQueryRecord and DNSSEC
First post date Last post date
 
 
Q