[GH-ISSUE #2193] hickory-dns resolver does not honor the DO bit in client's queries #916

Closed
opened 2026-03-16 00:52:12 +03:00 by kerem · 2 comments

Originally created by @japaric on GitHub (Apr 24, 2024).
Original GitHub issue: https://github.com/hickory-dns/hickory-dns/issues/2193

**Describe the bug**

What the title says. This causes `+dnssec` queries like `dig +dnssec +noadflag SOA .` to NOT return any DNSSEC record (NOTE: `+noadflag` tells the server that DNSSEC validation is *not* desired).

Furthermore, hickory-dns does not set the DO bit in the queries that it sends out on behalf of a client, thus not fulfilling the requirement in section 3.2.1 of RFC4035 (emphasis mine):

> The resolver side of a security-aware recursive name server MUST set the DO bit when sending requests, *regardless of the state of the DO bit in the initiating request* received by the name server side.

Other DNS resolvers like BIND's `named` and `unbound` fulfill this requirement regardless of whether DNSSEC *validation* is enabled / enforced or not.

**To Reproduce**

Steps to reproduce the behavior:

1. Build `hickory-dns` with the following Cargo features: `dnssec-openssl,recursor`
2. Run `hickory-dns` with this configuration
   - `named.toml`

     ```toml
     [[zones]]
     zone = "."
     zone_type = "Hint"
     stores = { type = "recursor", roots = "/tmp/root.hints" }
     ```

   - download <https://www.internic.net/domain/named.root> into `/tmp/root.hints`
3. perform the query `dig -p $PORT @127.0.0.1 +dnssec +noadflag SOA .`

   ```text
   (..)
   ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
   (..)
   ;; ANSWER SECTION:
   .			86400	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2024042400 1800 900 604800 86400
   ```

**Expected behavior**

The answer should have included DNSSEC records like RRSIG records. For example, `unbound` responds with

```text
(..)
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
(..)
;; ANSWER SECTION:
.			86400	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2024042400 1800 900 604800 86400
.			86400	IN	RRSIG	SOA 8 0 86400 20240507050000 20240424040000 5613 . (.. omitted signature ..)
```

`unbound.conf`:

```text
server:
    verbosity: 4
    directory: /tmp/unbound
    use-syslog: no
    username: ""
    chroot: ""
    interface: 127.0.0.1
    port: 1053
    access-control: 127.0.0.1/16 allow
```

**System:**

- OS: Debian (Linux)
- Architecture: x86_64
- Version `rust:1-slim-bookworm` (Docker image)
- rustc version: 1.77.2

**Version:**

Crate: `hickory-dns`
Version: 6334a014

**Additional context**

A test of the RFC requirement, that does not require internet access, can be found in [the dnssec-tests repo](https://github.com/ferrous-systems/dnssec-tests/blob/6189787d9f78c96525ba27d9eb3fb0e08b290fc5/packages/conformance-tests/src/resolver/dnssec/rfc4035/section_4/section_4_1.rs#L42)

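The RFC 4035 section 3.2.1 requirement quoted in the issue is a wire-level property: the EDNS(0) OPT pseudo-record in the additional section of every query the recursor sends upstream must carry the DO flag, whatever the client's own query looked like. The following stdlib-only Rust is an added example by the editor, not hickory-dns's own code and not the linked dnssec-tests conformance test: it builds a constructed `SOA .` query with or without the DO bit and inspects a query's OPT record for that bit, which is the check a harness would run over the bytes a resolver actually emits. The function names (`build_query`, `dnssec_ok`, `complies_with_rfc4035`) and the 1232-byte advertised UDP payload size are assumptions.

```rust
// Added example (editor's code, not hickory-dns's): a minimal DNS wire-format
// builder and an inspector for the EDNS(0) DO bit, RFC 4035 section 3.2.1.

const TYPE_SOA: u16 = 6;
const TYPE_OPT: u16 = 41;
/// DO is the top bit of the low 16 bits of the OPT record's TTL field
/// (ext-rcode and EDNS version live in the high 16 bits).
const DO_FLAG: u16 = 0x8000;
/// Advertised UDP payload size; assumed value, common in modern resolvers.
const UDP_PAYLOAD: u16 = 1232;

/// Build a wire-format query for `name`/`qtype` (class IN, RD set) with one
/// EDNS(0) OPT record whose DO bit is `dnssec_ok`.
fn build_query(id: u16, name: &str, qtype: u16, dnssec_ok: bool) -> Vec<u8> {
    let mut m = Vec::new();
    m.extend_from_slice(&id.to_be_bytes());
    m.extend_from_slice(&0x0100u16.to_be_bytes()); // header flags: RD
    m.extend_from_slice(&1u16.to_be_bytes()); // QDCOUNT
    m.extend_from_slice(&0u16.to_be_bytes()); // ANCOUNT
    m.extend_from_slice(&0u16.to_be_bytes()); // NSCOUNT
    m.extend_from_slice(&1u16.to_be_bytes()); // ARCOUNT: the OPT record
    // QNAME as length-prefixed labels; "." becomes the single root byte.
    for label in name.trim_end_matches('.').split('.').filter(|l| !l.is_empty()) {
        m.push(label.len() as u8);
        m.extend_from_slice(label.as_bytes());
    }
    m.push(0);
    m.extend_from_slice(&qtype.to_be_bytes());
    m.extend_from_slice(&1u16.to_be_bytes()); // QCLASS IN
    // OPT RR: NAME=root, TYPE=41, CLASS=payload size, TTL=flags, RDLENGTH=0.
    m.push(0);
    m.extend_from_slice(&TYPE_OPT.to_be_bytes());
    m.extend_from_slice(&UDP_PAYLOAD.to_be_bytes());
    let flags: u16 = if dnssec_ok { DO_FLAG } else { 0 };
    m.extend_from_slice(&(flags as u32).to_be_bytes());
    m.extend_from_slice(&0u16.to_be_bytes());
    m
}

/// Skip a wire-format name starting at `pos`; returns the offset after it.
fn skip_name(msg: &[u8], mut pos: usize) -> Option<usize> {
    loop {
        let len = *msg.get(pos)? as usize;
        if len == 0 {
            return Some(pos + 1);
        }
        if (len & 0xC0) == 0xC0 {
            return Some(pos + 2); // compression pointer ends the name
        }
        pos += 1 + len;
    }
}

/// Some(DO bit) of the first OPT record in the additional section, or None if
/// the message carries no OPT record at all (plain DNS) or is truncated.
fn dnssec_ok(msg: &[u8]) -> Option<bool> {
    if msg.len() < 12 {
        return None;
    }
    let qd = u16::from_be_bytes([msg[4], msg[5]]) as usize;
    let an = u16::from_be_bytes([msg[6], msg[7]]) as usize;
    let ns = u16::from_be_bytes([msg[8], msg[9]]) as usize;
    let ar = u16::from_be_bytes([msg[10], msg[11]]) as usize;
    let mut pos = 12;
    for _ in 0..qd {
        pos = skip_name(msg, pos)? + 4; // QTYPE + QCLASS
    }
    for i in 0..(an + ns + ar) {
        pos = skip_name(msg, pos)?;
        let rr = msg.get(pos..pos + 10)?; // TYPE, CLASS, TTL, RDLENGTH
        let rtype = u16::from_be_bytes([rr[0], rr[1]]);
        let ttl = u32::from_be_bytes([rr[4], rr[5], rr[6], rr[7]]);
        let rdlen = u16::from_be_bytes([rr[8], rr[9]]) as usize;
        if i >= an + ns && rtype == TYPE_OPT {
            return Some(((ttl as u16) & DO_FLAG) != 0);
        }
        pos += 10 + rdlen;
    }
    None
}

/// RFC 4035 section 3.2.1: an upstream query from a security-aware recursor
/// must have DO set. A missing OPT record fails the check as well.
fn complies_with_rfc4035(outgoing_query: &[u8]) -> bool {
    dnssec_ok(outgoing_query) == Some(true)
}

fn main() {
    // Constructed samples: the upstream query a recursor would send for `SOA .`,
    // once with DO set and once without.
    let compliant = build_query(0x1234, ".", TYPE_SOA, true);
    let noncompliant = build_query(0x1234, ".", TYPE_SOA, false);
    println!("DO set:   {:?} -> compliant {}", dnssec_ok(&compliant), complies_with_rfc4035(&compliant));
    println!("DO unset: {:?} -> compliant {}", dnssec_ok(&noncompliant), complies_with_rfc4035(&noncompliant));
}
```

The inspector deliberately reports `None` rather than `Some(false)` when no OPT record is present, so a harness can distinguish "resolver sent plain DNS" from "resolver sent EDNS without DO"; both fail `complies_with_rfc4035`, but they point at different defects.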
kerem closed this issue 2026-03-16 00:52:17 +03:00

@bluejekyll commented on GitHub (May 18, 2024):

was this fixed in #2196?


@japaric commented on GitHub (May 22, 2024):

yes, this was fixed in #2196
