I have also been looking at DNS SEC to understand how to use it to enhance my security. There are three operating modes:
- DNS-unaware requester. Sets no bits, so they default to DO=0 (DNS SEC unaware) and CD=0 (please check signatures for me).
  DNS-aware resolver. Checks the signatures; if valid, returns the resource record with AD=0 (no signature info). If invalid, returns a ServFail error, which causes the client to attempt the same query with an alternate DNS server.
- DNS-aware requester without signature checking. Sets DO=1 (DNS OK) and CD=0 (please check signatures for me).
  DNS-aware resolver. Checks the signatures; if valid, returns the resource record with AD=1 (signature checked). If invalid, returns a ServFail error, which causes the client to attempt the same query with an alternate DNS server. If no signature is found, returns results with AD=0.
- DNS-aware requester with signature checking. Sets DO=1 (DNS OK) and CD=1 (checking disabled).
  DNS-aware resolver returns signature data as well as resource records. Flag AD=0 because the signatures have not been checked.
  There may be a ServFail scenario if the signatures cannot be obtained.
Passing signatures might add a lot of traffic, especially if DNS SEC catches on much more than it has at present. So I would prefer to forward traffic to Google or CloudFlare and let them do the signature checking.
With the UTM "DNS SEC" option disabled, I expected DNS to behave like option 2. Instead, I find that it behaves like option 1, and when Google returns a ServFail error, it apparently fails over to the root servers and obtains the invalidated answer because nobody does signature checking.
I assume that if the UTM "DNS SEC" option is enabled, UTM will behave like option 3. However, I have not tested this because of overhead concerns, because of prior bad reports in this forum, and because of the help page warning that this may cause problems with internal DNS servers.
I am trying to obtain clarification through Sophos Support, but the answers have been slow coming.
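As an added, offline example (not part of the original post, and not Sophos UTM code), the following Python builds a query in each of the three requester modes described above by setting the CD header bit and the EDNS0 DO bit, then recovers the mode from the wire bytes and classifies constructed response headers by the AD flag and SERVFAIL RCODE. The name `example.com`, the transaction id, and the three response headers are constructed sample values; no packets are sent.

```python
"""Build DNS queries with the DO/CD bits and decode AD/RCODE from a response header.
Added example: all packet bytes are constructed inline, nothing touches the network."""
import struct

# Header flag bits (RFC 1035 / RFC 4035) and the EDNS0 DO bit (RFC 6891)
FLAG_RD = 0x0100   # recursion desired
FLAG_AD = 0x0020   # authenticated data: set by a resolver that validated the answer
FLAG_CD = 0x0010   # checking disabled: the requester will validate itself
EDNS_DO = 0x8000   # "DNSSEC OK": requester wants RRSIG/NSEC records returned
TYPE_OPT = 41
RCODE_SERVFAIL = 2


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, dnssec_ok, checking_disabled, qtype=1, txid=0x1234):
    """Build an A query in one of the three modes from the post:
    mode 1: DO=0, CD=0   mode 2: DO=1, CD=0   mode 3: DO=1, CD=1."""
    flags = FLAG_RD | (FLAG_CD if checking_disabled else 0)
    arcount = 1 if dnssec_ok else 0           # the OPT pseudo-record carries DO
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN
    opt = b""
    if dnssec_ok:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size, then the TTL field
        # reused as ext-RCODE(8) | version(8) | flags(16, DO is the top bit), RDLEN=0
        opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, EDNS_DO, 0)
    return header + question + opt


def query_mode(packet):
    """Recover which of the three modes a query is in by reading CD and DO."""
    flags, arcount = struct.unpack("!HH", packet[2:4] + packet[10:12])
    cd = bool(flags & FLAG_CD)
    do = False
    if arcount:
        pos = 12                               # skip the header and the single question
        while packet[pos] != 0:
            pos += 1 + packet[pos]
        pos += 1 + 4                           # root label, QTYPE, QCLASS
        # OPT layout: name(1) type(2) udpsize(2) ext-rcode(1) version(1) flags(2) rdlen(2)
        rtype, _, _, _, eflags = struct.unpack("!HHBBH", packet[pos + 1:pos + 9])
        do = rtype == TYPE_OPT and bool(eflags & EDNS_DO)
    if not do and not cd:
        return 1
    if do and not cd:
        return 2
    if do and cd:
        return 3
    return 0   # CD set without DO: not one of the post's three modes


def interpret_response(packet):
    """Classify a response header the way the post describes resolver behaviour."""
    _, flags = struct.unpack("!HH", packet[:4])
    if flags & 0x000F == RCODE_SERVFAIL:
        return "servfail"        # validation failed or signatures could not be obtained
    if flags & FLAG_AD:
        return "validated"       # resolver checked the signatures
    return "unvalidated"         # answer returned with no validation claim


# Constructed 12-byte response headers; 0x8180 = QR | RD | RA
RESP_VALIDATED = struct.pack("!HHHHHH", 0x1234, 0x8180 | FLAG_AD, 1, 1, 0, 0)
RESP_UNSIGNED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
RESP_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8180 | RCODE_SERVFAIL, 1, 0, 0, 0)


if __name__ == "__main__":
    for do, cd in [(False, False), (True, False), (True, True)]:
        q = build_query("example.com", do, cd)
        print(f"DO={int(do)} CD={int(cd)} -> mode {query_mode(q)}, {len(q)} bytes on the wire")
    for label, pkt in [("validated", RESP_VALIDATED), ("unsigned", RESP_UNSIGNED),
                       ("servfail", RESP_SERVFAIL)]:
        print(f"{label} header -> {interpret_response(pkt)}")
```

The point of `interpret_response` is the distinction the post draws between option 1 and option 2: an answer with AD=0 and RCODE 0 tells the client nothing about whether anyone validated it, so a forwarder that accepts such an answer after an upstream SERVFAIL has silently dropped the protection the upstream resolver was providing.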