We use RPZ to block malicious domain names. Specifically, we redirect to
a landing page. Our landing page (landingpage.ph.rpz.switch.ch) is
DNSSEC signed. However, if I get a RPZ response from our validating dns
resolver it omits any RRSIG. Example:
dig @<resolver> www.oyubaimai[.]top +dnssec
; <<>> DiG 9.11.0rc1 <<>> @<resolver> www.oyubaimai[.]top +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52312
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 4442932ac258891044299f27585cf4bf66cb7f09a55cc096 (good)
;; QUESTION SECTION:
;www.oyubaimai[.]top. IN A
;; ANSWER SECTION:
www.oyubaimai[.]top. 5 IN CNAME landingpage.ph.rpz.switch.ch.
landingpage.ph.rpz.switch.ch. 86400 IN A 184.108.40.206
;; AUTHORITY SECTION:
switch.ch. 3463 IN NS nsa-p.dnsnode.net.
switch.ch. 3463 IN NS ns2.switch.ch.
switch.ch. 3463 IN NS scsnms.switch.ch.
;; ADDITIONAL SECTION:
ns2.switch.ch. 3463 IN AAAA 2001:620:0:ff::2f
scsnms.switch.ch. 3463 IN AAAA 2001:620:0:ff::a7
ns2.switch.ch. 3463 IN A 220.127.116.11
scsnms.switch.ch. 3463 IN A 18.104.22.168
Note, our BIND RPZ configuration does not use "break-dnssec yes" (it
does not matter in this case). www.oyubaimai[.]top is not DNSSEC signed.
landingpage.ph.rpz.switch.ch is DNSSEC signed.
Our DNS resolvers are not only used by stub resolvers but by DNS
resolvers using DNS forwarding as well. I wonder what happens if DNS
forwarding resolvers do DNSSEC validation? It looks like they would
return SERVFAIL to the user as the RPZ response omits any RRSIG for the
Is this a BIND bug or a side effect of RPZ? As a work around, I could
leave rpz.switch.ch unsigned to work around this problem.