Carsten Strotmann on Nostr: With DNSSEC and global forwarding enabled, a Windows Server DNS resolver seems to ...
With DNSSEC and global forwarding enabled, a Windows Server DNS resolver seems to sometimes (on higher query loads) ignore the “forward-only” configuration and start resolving DS and DNSKEY records directly (without forwarding).
This breaks DNSSEC validation in cases where a firewall only allows DNS communication between the Windows DNS resolver and the forwarding server. Seen on Windows 2016 / 2019.
Can anyone confirm this issue? Is it an implementation bug?
#WindowsServer #DNS #DNSSEC
Published at 2023-05-12 06:10:43
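One way to check for the behaviour described in the post is to look at what the resolver actually sends on the wire: any query leaving the resolver for a destination other than its forwarder is a bypass of the forward-only setting. The following is an added example, not part of the original post; the log format, the IP addresses and the function names are assumptions made for illustration, and the sample lines are constructed.

```python
import ipaddress
from collections import Counter
from typing import Iterable, List, NamedTuple


class Query(NamedTuple):
    ts: str
    action: str
    dst: str
    qtype: str
    qname: str


# Constructed sample in a hypothetical firewall/query-log format:
# <time> <action> <src> <dst> <qtype> <qname>
SAMPLE_LOG = """\
2023-05-12T06:00:01Z ALLOW 10.0.0.53 10.0.0.10 A www.example.com.
2023-05-12T06:00:01Z ALLOW 10.0.0.53 10.0.0.10 DNSKEY example.com.
2023-05-12T06:00:07Z DENY 10.0.0.53 192.0.2.53 DS example.com.
2023-05-12T06:00:07Z DENY 10.0.0.53 198.51.100.53 dnskey example.com.
2023-05-12T06:00:08Z ALLOW 10.0.0.99 10.0.0.53 A www.example.com.
garbled line that does not parse
"""


def find_bypass(lines: Iterable[str], resolver: str, forwarders: Iterable[str]) -> List[Query]:
    """Return queries sent by the resolver to anything that is not a forwarder."""
    resolver_ip = ipaddress.ip_address(resolver)
    allowed = {ipaddress.ip_address(f) for f in forwarders}
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines instead of failing the whole run
        ts, action, src, dst, qtype, qname = parts
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue
        # Client-to-resolver traffic is ignored; only the resolver's own queries count.
        if src_ip == resolver_ip and dst_ip not in allowed:
            hits.append(Query(ts, action.upper(), dst, qtype.upper(), qname))
    return hits


def summarize(hits: Iterable[Query]) -> Counter:
    """Count bypassing queries per record type (DS/DNSKEY are the ones reported)."""
    return Counter(h.qtype for h in hits)


if __name__ == "__main__":
    found = find_bypass(SAMPLE_LOG.splitlines(), "10.0.0.53", ["10.0.0.10"])
    for q in found:
        print(f"{q.ts} {q.action} -> {q.dst} {q.qtype} {q.qname}")
    print(dict(summarize(found)))
```

If the summary is dominated by DS and DNSKEY queries that the firewall denied, that matches the symptom in the post: the validation-related lookups never get an answer, so DNSSEC validation fails.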