DNSServiceQueryRecord and DNSSEC

Hi there,


I'm currently working on the network part of my application where I require a DNS response being validated using DNSSEC. I use DNSServiceQueryRecord for the query and kDNSServiceFlagsValidate as a flag parameter.


However, I want to query for DNSServiceType 52, a type which isn't defined in the header.


The callback is called correctly, but the validation result always contains kDNSServiceFlagsBogus.


The documentation says:


If the response cannot be verified to be secure due to expired signatures, missing signatures, and so on, then the results are considered to be bogus.


How can I find out more information about the error (RFC 4033 has some information for the "bogus" response)? How should I treat the 'bogus' response? The dnssd API describes the following four result codes:


  • kDNSServiceFlagsSecure - The response has been validated by verifying all the signature …
  • kDNSServiceFlagsInsecure - A chain of trust cannot be built …
  • kDNSServiceFlagsBogus - If the response cannot be verified to be secure due …
  • kDNSServiceFlagsIndeterminate - There is no valid trust anchor that can be used …


Regards,

Christian

Accepted Reply

Thanks for your support … but it is no longer necessary. My latest research on this issue showed that the answer from dnssd that the DNSSEC validation is kDNSServiceFlagsBogus is correct.


I used the commandline tool "delv" (from the bind package, see brew list bind|grep delv) and "dnsviz" (brew info dnsviz) to verify that the trust chain is indeed broken and that the DNSSEC status is therefore kDNSServiceFlagsBogus. So everything is working as it should - except the nameserver configuration.


Best regards,

Christian

Replies

I don’t know the answer to your question and it is too complex for me to research in the context of DevForums. If no one else chimes in, you should open a DTS tech support incident, which will allow me to spend the time required to investigate it properly.

Also, you might try posting over on the bonjour-dev mailing list. There’s a bunch of folks with deep DNS experience lurking over there.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thanks for your reply! I followed your advice and created a DTS support incident with a demo project.


Regards

Christian

Cool. It’s already been routed to my queue. I’m on vacation today but I should be able to get back to you officially tomorrow.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
