Re: Some sites not resolving (DNSSEC?)

2018-05-23 Thread Petr Špaček via Unbound-users

On 23.5.2018 15:58, Petr Špaček via Unbound-users wrote:
> On 23.5.2018 15:46, W.C.A. Wijngaards via Unbound-users wrote:
>> Hi Hank,
>>
>> On 23/05/18 15:23, Hank Barta via Unbound-users wrote:
>>> Hi all,
>>> I use pfsense for my firewall and have selected the unbound resolver for
>>> DNS on my home LAN. I have configured this to use Cloudflare DNS with
>>> DNSSEC enabled.  In addition to checking the "Enable DNSSEC Support"
>>> checkbox on the DNS Resolver configuration page I have added the custom
>>> options
>>
>> The 1.1.1.1 server responds without DNSSEC for coder.show DS queries.
>> And for an insecure referral it needs DS denial information for type DS,
>> e.g. the NSEC or NSEC3 from the .show TLD.
>>
>> Without the forward to 1.1.1.1 it works fine for me.  So it doesn't seem
>> to be the .show TLD or coder.show site, but the 1.1.1.1 unsigned CNAME
>> for qtype DS.
>>
>> A workaround is domain-insecure: "coder.show" in unbound.conf
>
> This is most likely a bug in Knot Resolver and we are working on a fix:
> https://gitlab.labs.nic.cz/knot/knot-resolver/issues/359


For the record:
We found out that the domain coder.show is misconfigured in a way which
breaks even 30-year-old DNS standards.


See this:

$ dig +dnssec @ns2.hover.com. coder.show DS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50641
;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;coder.show.            IN      DS

;; ANSWER SECTION:
coder.show. 900 IN  CNAME   hosted.fireside.fm.


$ dig +dnssec @ns2.hover.com. coder.show NS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24968
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;coder.show.            IN      NS

;; ANSWER SECTION:
coder.show. 900 IN  NS  ns2.hover.com.
coder.show. 900 IN  NS  ns1.hover.com.


I.e. this domain has a CNAME at the apex, which is a violation of DNS
standards, namely

https://tools.ietf.org/html/rfc1034#section-3.6.2

Please contact the domain owner and ask for a fix. (It seems that all the
domains mentioned in the ticket have the same issue.)


It might work elsewhere but this is not guaranteed (i.e. it works
accidentally).


Thank you for understanding.

--
Petr Špaček  @  CZ.NIC


Re: Some sites not resolving (DNSSEC?)

2018-05-23 Thread Havard Eidnes via Unbound-users
> This generally seems to work except for several hosts from which I try to
> fetch podcasts. One of these is coder.show.

Just a note,

 http://dnsviz.net/d/coder.show/dnssec/

shows several warnings related to coder.show -- apparently the
auth name servers reply with CNAME *and* other data for the zone
apex, and they also fail to respond with an EDNS0 OPT record.

Regards,

- Håvard


Re: Some sites not resolving (DNSSEC?)

2018-05-23 Thread Hank Barta via Unbound-users
Thanks for looking into this. I have added some other sites that also
present this problem to the issue.

best,
hank

On Wed, May 23, 2018 at 8:58 AM, Petr Špaček via Unbound-users <
unbound-users@unbound.net> wrote:

> On 23.5.2018 15:46, W.C.A. Wijngaards via Unbound-users wrote:
>
>> Hi Hank,
>>
>> On 23/05/18 15:23, Hank Barta via Unbound-users wrote:
>>
>>> Hi all,
>>> I use pfsense for my firewall and have selected the unbound resolver for
>>> DNS on my home LAN. I have configured this to use Cloudflare DNS with
>>> DNSSEC enabled.  In addition to checking the "Enable DNSSEC Support"
>>> checkbox on the DNS Resolver configuration page I have added the custom
>>> options
>>>
>>
>> The 1.1.1.1 server responds without DNSSEC for coder.show DS queries.
>> And for an insecure referral it needs DS denial information for type DS,
>> e.g. the NSEC or NSEC3 from the .show TLD.
>>
>> Without the forward to 1.1.1.1 it works fine for me.  So it doesn't seem
>> to be the .show TLD or coder.show site, but the 1.1.1.1 unsigned CNAME
>> for qtype DS.
>>
>> A workaround is domain-insecure: "coder.show" in unbound.conf
>>
>
> This is most likely a bug in Knot Resolver and we are working on a fix:
> https://gitlab.labs.nic.cz/knot/knot-resolver/issues/359
>
> --
> Petr Špaček  @  CZ.NIC
>



-- 
'03 BMW F650CS - hers
'98 Dakar K12RS - "BABY K" grew up.
'93 R100R w/ Velorex 700 (MBD starts...)
'95 Miata - "OUR LC"
polish visor: apply squashed bugs, rinse, repeat
Beautiful Sunny Winfield, Illinois


Re: Some sites not resolving (DNSSEC?)

2018-05-23 Thread Petr Špaček via Unbound-users

On 23.5.2018 15:46, W.C.A. Wijngaards via Unbound-users wrote:
> Hi Hank,
>
> On 23/05/18 15:23, Hank Barta via Unbound-users wrote:
>> Hi all,
>> I use pfsense for my firewall and have selected the unbound resolver for
>> DNS on my home LAN. I have configured this to use Cloudflare DNS with
>> DNSSEC enabled.  In addition to checking the "Enable DNSSEC Support"
>> checkbox on the DNS Resolver configuration page I have added the custom
>> options
>
> The 1.1.1.1 server responds without DNSSEC for coder.show DS queries.
> And for an insecure referral it needs DS denial information for type DS,
> e.g. the NSEC or NSEC3 from the .show TLD.
>
> Without the forward to 1.1.1.1 it works fine for me.  So it doesn't seem
> to be the .show TLD or coder.show site, but the 1.1.1.1 unsigned CNAME
> for qtype DS.
>
> A workaround is domain-insecure: "coder.show" in unbound.conf

This is most likely a bug in Knot Resolver and we are working on a fix:
https://gitlab.labs.nic.cz/knot/knot-resolver/issues/359

--
Petr Špaček  @  CZ.NIC


Re: Some sites not resolving (DNSSEC?)

2018-05-23 Thread W.C.A. Wijngaards via Unbound-users
Hi Hank,

On 23/05/18 15:23, Hank Barta via Unbound-users wrote:
> Hi all,
> I use pfsense for my firewall and have selected the unbound resolver for
> DNS on my home LAN. I have configured this to use Cloudflare DNS with
> DNSSEC enabled.  In addition to checking the "Enable DNSSEC Support"
> checkbox on the DNS Resolver configuration page I have added the custom
> options

The 1.1.1.1 server responds without DNSSEC for coder.show DS queries.
And for an insecure referral it needs DS denial information for type DS,
e.g. the NSEC or NSEC3 from the .show TLD.

Without the forward to 1.1.1.1 it works fine for me.  So it doesn't seem
to be the .show TLD or coder.show site, but the 1.1.1.1 unsigned CNAME
for qtype DS.

A workaround is domain-insecure: "coder.show" in unbound.conf

Best regards, Wouter


;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
coder.show. IN  DS

;; ANSWER SECTION:
coder.show. 437 IN  CNAME   hosted.fireside.fm.

;; AUTHORITY SECTION:
fireside.fm.    3600    IN  SOA cory.ns.cloudflare.com. dns.cloudflare.com. 2027772252 1 2400 604800 3600

;; ADDITIONAL SECTION:
;; MSG SIZE  rcvd: 122


>     server:
>     forward-zone:
>     name: "."
>     forward-ssl-upstream: yes
>     forward-addr: 1.1.1.1@853
>     forward-addr: 1.0.0.1@853
> 
> (full configuration at the link below.)
> 
> This generally seems to work except for several hosts from which I try
> to fetch podcasts. One of these is coder.show. I have bumped logging for
> unbound one level and collected the log for this host, which can be
> viewed at
> https://docs.google.com/document/d/1oPUpRzIdANfuUuU7ljXNts1cR79FxBul099lbcBwE54/edit?usp=sharing
> 
> 
> The last several lines are (oldest last)
> May 20 10:34:52 info: Could not establish a chain of trust to keys for
> coder.show. DNSKEY IN
> May 20 10:34:52 info: query response was nodata ANSWER
> May 20 10:34:52 info: reply from <.> 1.1.1.1#853
> 
> Other information: Even though none of the other hosts on my LAN can
> resolve this name, it is resolved by the diagnostic page on pfsense.
> 
> If I check the name at https://dnslookup.org/coder.show/A/#dnssec it
> reports that the "Result is Insecure." However I get the same result for
> google.com and it resolves w/out difficulty on my
> LAN. I'm not familiar with all of the information on this page but one
> thing that caught my attention was the query to ns2.hover.com. The
> AUTHORITY section seems to show a bunch of
> queries that return no data. Does this indicate a missing certificate?
> 
> Any suggestions for fixing this are most welcome!
> 
> thanks,
> hank
> 
> -- 
> '03 BMW F650CS - hers
> '98 Dakar K12RS - "BABY K" grew up.
> '93 R100R w/ Velorex 700 (MBD starts...)
> '95 Miata - "OUR LC"
> polish visor: apply squashed bugs, rinse, repeat
> Beautiful Sunny Winfield, Illinois
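The two failure modes discussed in this thread, an unsigned CNAME returned for a DS query (Wouter's point) and a CNAME coexisting with NS at the zone apex (Petr's RFC 1034 point), as a small Python checker. This is an added example, not code from the thread, from Unbound or from Knot Resolver; the records are constructed from the dig output quoted above, and the NSEC3 owner names and signature fields are placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RR:
    name: str        # owner name, fully qualified
    rtype: str       # e.g. "DS", "CNAME", "NSEC3", "RRSIG"
    rdata: str = ""  # for RRSIG the first token is the type covered

def _signed(rrs):
    """Set of 'owner/type' pairs that carry an RRSIG in the same response."""
    return {r.name + "/" + r.rdata.split()[0] for r in rrs if r.rtype == "RRSIG"}

def classify_ds_response(qname, answer, authority):
    """What a validator can conclude from a DS response (answered by the parent side).
    It needs a signed DS RRset (secure delegation) or a signed NSEC/NSEC3 proving DS
    absent (insecure delegation); an unsigned CNAME or bare NODATA proves nothing."""
    sigs = _signed(answer + authority)
    if any(r.name == qname and r.rtype == "DS" for r in answer):
        return "secure-delegation" if qname + "/DS" in sigs else "bogus-or-unprovable"
    if any(r.name == qname and r.rtype == "CNAME" for r in answer):
        return "cname-for-ds"  # the parent side must never answer a DS query with a CNAME
    denial = [r for r in authority if r.rtype in ("NSEC", "NSEC3")]
    if denial and all(r.name + "/" + r.rtype in sigs for r in denial):
        return "insecure-delegation"
    return "bogus-or-unprovable"

def apex_violations(apex_rrs):
    """RFC 1034 section 3.6.2: a name holding a CNAME may hold no other data.
    A zone apex always carries SOA and NS, so a CNAME there is always wrong.
    Returns the conflicting types; DNSSEC's own RRSIG/NSEC may sit beside a CNAME."""
    types = {r.rtype for r in apex_rrs}
    return sorted(types - {"CNAME", "RRSIG", "NSEC", "NSEC3"}) if "CNAME" in types else []

# Constructed from the 1.1.1.1 reply quoted by Wouter: unsigned CNAME for qtype DS.
CLOUDFLARE_DS_REPLY = (
    [RR("coder.show.", "CNAME", "hosted.fireside.fm.")],
    [RR("fireside.fm.", "SOA", "cory.ns.cloudflare.com. dns.cloudflare.com. 2027772252 1 2400 604800 3600")],
)
# Constructed: the shape of a correct unsigned-child answer from the .show side;
# NSEC3 owner names, hashes and signatures are placeholders, not real records.
PROPER_INSECURE_REPLY = (
    [],
    [RR("show.", "SOA", "<soa-placeholder>"), RR("show.", "RRSIG", "SOA <sig-placeholder>"),
     RR("<hash>.show.", "NSEC3", "1 0 0 - <next-hash> NS"),  # no DS in the type bitmap
     RR("<hash>.show.", "RRSIG", "NSEC3 <sig-placeholder>")],
)
# Constructed from Petr's dig output at ns2.hover.com: NS and CNAME at the apex.
HOVER_APEX = [RR("coder.show.", "NS", "ns2.hover.com."), RR("coder.show.", "NS", "ns1.hover.com."),
              RR("coder.show.", "CNAME", "hosted.fireside.fm.")]
```

classify_ds_response returns "cname-for-ds" for the constructed 1.1.1.1 reply and "insecure-delegation" for the signed NSEC3 denial a validator actually needs, while apex_violations(HOVER_APEX) reports ["NS"].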



