Yes, George, you are probably right. DNSSEC is a separate issue.
22.07.2019 22:21, George Thessalonikefs via Unbound-users wrote:
> Hi Ray,
>
> It seems that cloudflare is using special subdomains (answered only from
> their 1.1.1.1 resolvers) for the online checks and they are not handling
> DNSSEC properly in regards to answers for these special subdomains.
> Unbound is complaining about not being able to build a trust chain
> because it can't get the DS information.
>
> I suspect that if you turn off DNSSEC validation on your unbound
>
>     module-config: "iterator"
>
> the online check should work. Although I would advise to turn it on
> again after you do the online check.
>
> And just to be clear, this does not mean that 1.1.1.1 cannot do DNSSEC.
> I am only talking about the subdomains used for this specific online check.
>
> -- George
>
> On 22/07/2019 16:21, RayG via Unbound-users wrote:
>> Hi Yuri,
>>
>> OK I see what was happening now. I can use either
>>
>>     tls-cert-bundle: "<file>"
>>
>> or
>>
>>     tls-win-cert: yes
>>
>> or both
>>
>> So now I can see:
>>
>>     22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: SSL connection to cloudflare-dns.com authenticated ip4 1.0.0.1 port 853 (len 16)
>>
>> So it looks like that bit is working OK but then when I go to:
>>
>>     http://1.1.1.1/help
>>
>> to check that DNS over TLS is working it says "NO"
>>
>> Looking at the log file further I see this where things appear to be
>> blacklisted (see below). I have attached the log file and it is from the
>> start of the unbound service to the end of the query to
>> http://1.1.1.1/help. I then stopped the unbound server to flush the log.
>>
>> Any further insights would be helpful, thanks
>>
>>     22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info: resolving 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com. DS IN
>>     22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: request has dependency depth of 0
>>     22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info: msg from cache lookup ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
>>     ;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 0
>>     ;; QUESTION SECTION:
>>     8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com. IN DS
>>
>>     ;; ANSWER SECTION:
>>
>>     ;; AUTHORITY SECTION:
>>     cloudflareresolve.com. 59 IN SOA cloudflareresolve.com. dns.cloudflare.com. 2018100101 21600 3600 604800 0
>>     cloudflareresolve.com. 59 IN RRSIG SOA 13 2 3600 20190730125237 20190722095237 64088 cloudflareresolve.com. TQObnCdfCziZUkBWjUaAUFeU0iXbC7QK9tMC59qJqYZa8ntTdOHCmuWgUgRvVtaLK/l3GhNk65Jr+wHzs3Qnhg== ;{id = 64088}
>>     8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com. 60 IN NSEC \000.8946ae4B-99eC-4925-A951-078129AE2Afe.IS-cF.CLouDFlArerEsoLvE.Com. A HINFO TXT AAAA LOC SRV CERT SSHFP RRSIG NSEC TLSA HIP OPENPGPKEY SPF
>>     8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com. 60 IN RRSIG NSEC 13 4 3600 20190730135835 20190722105835 64088 cloudflareresolve.com. 1EhhluR/cdwni2q9HCdPmAazhlq/rwiOPAWytdeR8pPcNLjlpwphAoULC0tZ2BSZw2UC3P6vlgTHruBL+jpTRQ== ;{id = 64088}
>>
>>     ;; ADDITIONAL SECTION:
>>     ;; MSG SIZE rcvd: 462
>>
>>     22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: msg ttl is 60, prefetch ttl 54
>>     22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: returning answer from cache.
>>     22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: iter_handle processing q with state FINISHED RESPONSE STATE
>>     22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info: finishing processing for 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com. DS IN
>>     22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: mesh_run: iterator module exit state is module_finished
>>     22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: validator[module 0] operate: extstate:module_wait_module event:module_event_moddone
>>     22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info: validator operate: query 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com. DS IN
>>     22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: validator: nextmodule returned
>>     22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: not validating response, is valrec(validation recursion lookup)
>>     22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: mesh_run: validator module exit state is module_finished
>>     22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info: validator: inform_super, sub is 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com. DS IN
>>     22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info: super is 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com. A IN
>>     22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info: NSEC RRset for the referral proved not a delegation point
>>     22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: validator[module 0] operate: extstate:module_wait_subquery event:module_event_pass
>>     22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info: validator operate: query 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com. A IN
>>     22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: val handle processing q with state VAL_FINDKEY_STATE
>>     22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info: validator: FindKey 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com. A IN
>>     22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: Cannot retrieve DS for signature
>>     22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: val handle processing q with state VAL_FINISHED_STATE
>>     22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: validation failed, blacklist and retry to fetch data
>>     22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: blacklist ip4 1.1.1.1 port 853 (len 16)
>>     22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: blacklist ip4 1.0.0.1 port 853 (len 16)
>>     22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: blacklist cache
>>     22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: blacklist ip6 2606:4700:4700::1001 port 853 (len 28)
>>     22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: blacklist add ip6 2606:4700:4700::1111 port 853 (len 28)
>>     22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: blacklist add ip6 2606:4700:4700::1111 port 853 (len 28)
>>     22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: pass back to next module
>>     22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: mesh_run: validator module exit state is module_restart_next
>>     22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: iterator[module 1] operate: extstate:module_finished event:module_event_pass
>>
>> *From:* Yuri <[email protected]>
>> *Sent:* 22 July 2019 13:41
>> *To:* [email protected]; [email protected]
>> *Subject:* Re: Using DNS over TLS on windows
>>
>> 22.07.2019 18:38, [email protected] wrote:
>>> Hi Yuri,
>>>
>>> Thanks for the config file very useful, but I still have the issue of:
>>>
>>>     tls-cert-bundle: "C:\Squid\etc\squid\ca-bundle.crt"
>>>
>>> I do not have the file: "C:\Squid\etc\squid\ca-bundle.crt" on my system.
>>
>> Sure. This is my system-specific. :)
>>
>> In your case, you can download Mozilla's CA bundle from
>>
>>     https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt
>>
>> and use it in a similar manner (just specify the correct path-to-file) on your
>> setup.
>>
>>> So my original question was where do I get that or a suitable file from?
>>>
>>> Regards
>>> Ray
>>>
>>> *From:* Yuri <[email protected]>
>>> *Sent:* 21 July 2019 19:51
>>> *To:* [email protected]
>>> *Subject:* Re: Using DNS over TLS on windows
>>>
>>> Just an example from a working Windows setup:
>>>
>>>     # Unbound configuration file on windows.
>>>     # See example.conf for more settings and syntax
>>>
>>>     server:
>>>         # verbosity level 0-4 of logging
>>>         verbosity: 0
>>>
>>>         # if you want to log to a file use
>>>         # logfile: "C:\unbound.log"
>>>
>>>         # on Windows, this setting makes reports go into the Application log
>>>         # found in ControlPanels - System tasks - Logs
>>>         use-syslog: yes
>>>         log-time-ascii: yes
>>>         num-threads: 4
>>>         cache-max-ttl: 14400
>>>         cache-min-ttl: 900
>>>         cache-max-negative-ttl: 60
>>>         infra-host-ttl: 60
>>>         # root-hints: "C:\Program Files\Unbound\named.root"
>>>         hide-identity: yes
>>>         hide-version: yes
>>>         hide-trustanchor: yes
>>>
>>>         do-ip6: no
>>>
>>>         tls-cert-bundle: "C:\Squid\etc\squid\ca-bundle.crt"
>>>         tls-win-cert: yes
>>>         tcp-upstream: yes
>>>
>>>         harden-short-bufsize: yes
>>>         harden-large-queries: yes
>>>         harden-below-nxdomain: yes
>>>         harden-algo-downgrade: yes
>>>         # 1.5.7 feature. Yes recommended.
>>>         # From 1.7.2 yes is default
>>>         #qname-minimisation: yes
>>>         aggressive-nsec: yes
>>>
>>>         # select from the fastest servers this many times out of 1000. 0 means
>>>         # the fast server select is disabled. prefetches are not sped up.
>>>         # fast-server-permil: 0
>>>         fast-server-permil: 100
>>>         # the number of servers that will be used in the fast server selection.
>>>         # fast-server-num: 3
>>>         fast-server-num: 4
>>>
>>>         unwanted-reply-threshold: 10000000
>>>         do-not-query-localhost: no
>>>         prefetch: yes
>>>         prefetch-key: yes
>>>         rrset-roundrobin: yes
>>>         minimal-responses: yes
>>>
>>>         access-control: 0.0.0.0/0 refuse
>>>         access-control: 127.0.0.0/8 allow_snoop
>>>         access-control: ::0/0 refuse
>>>         access-control: ::1 allow
>>>         access-control: ::ffff:127.0.0.1 allow
>>>
>>>         #include: "C:\Program Files\Unbound\unbound_local"
>>>         include: "C:\Program Files\Unbound\unbound_ad_servers"
>>>
>>>     # Remote control config section.
>>>     remote-control:
>>>         # Enable remote control with unbound-control(8) here.
>>>         # set up the keys and certificates with unbound-control-setup.
>>>         control-enable: yes
>>>         control-use-cert: no
>>>
>>>     forward-zone:
>>>         name: "."
>>>         # forward-addr: 208.67.222.222@53
>>>         # forward-addr: 208.67.220.220@53
>>>         forward-addr: 1.1.1.1@853#cloudflare-dns.com
>>>         forward-addr: 1.0.0.1@853#cloudflare-dns.com
>>>         forward-addr: 9.9.9.9@853#dns.quad9.net
>>>         forward-addr: 149.112.112.112@853#dns.quad9.net
>>>         forward-addr: 145.100.185.15@443#dnsovertls.sinodun.com
>>>         forward-addr: 145.100.185.16@443#dnsovertls1.sinodun.com
>>>         forward-addr: 185.49.141.37@853#getdnsapi.net
>>>         forward-addr: 89.233.43.71@853#unicast.censurfridns.dk
>>>         forward-addr: 158.64.1.29@853#kaitain.restena.lu
>>>         forward-addr: 145.100.185.18@853#dnsovertls3.sinodun.com
>>>         forward-addr: 145.100.185.17@853#dnsovertls2.sinodun.com
>>>         forward-addr: 199.58.81.218@853#dns.cmrg.net
>>>         forward-addr: 94.130.110.185@853#ns1.dnsprivacy.at
>>>         forward-addr: 94.130.110.178@853#ns2.dnsprivacy.at
>>>         forward-addr: 99.192.182.200@853#iana.tenta.io
>>>         forward-addr: 99.192.182.201@853#iana.tenta.io
>>>         forward-addr: 99.192.182.100@853#opennic.tenta.io
>>>         forward-addr: 99.192.182.101@853#opennic.tenta.io
>>>         forward-tls-upstream: yes
>>>
>>>     # OpenDNS is NOT DNSSEC enabled
>>>     server:
>>>         auto-trust-anchor-file: "C:\Program Files\Unbound\root.key"
>>>     ###
>>>
>>> 21.07.2019 21:37, RayG via Unbound-users wrote:
>>>> Hi,
>>>>
>>>> I have configured things so far but I get these errors and I
>>>> think the reason is the "tls-cert-bundle" setting.
>>>>
>>>>     21/07/2019 16:10:16 C:\Program Files\Unbound\unbound.exe[1740:0] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
>>>>
>>>> So to get this working I have to enable this setting:
>>>>
>>>>     tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
>>>>
>>>> That example would seem OK for a UNIX install but where/how do
>>>> I configure this for windows?
>>>>
>>>> Can I use the windows certificate store? If so, what would the
>>>> entry read?
>>>>
>>>> Thanks
>>>>
>>>> Regards
>>>> Ray
>>>
>>> --
>>> "C++ seems like a language suitable for firing other people's legs."
>>>
>>> *****************************
>>> * C++20 : Bug to the future *
>>> *****************************
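The thread turns on two things a forwarder such as Unbound does for a line like `forward-addr: 1.1.1.1@853#cloudflare-dns.com` with `forward-tls-upstream: yes`: it opens TLS to port 853, verifies the server certificate against the name after `#` using either a CA bundle file (`tls-cert-bundle`) or the Windows store (`tls-win-cert`), and exchanges DNS messages with the 2-byte length prefix used on TCP. The following is an added example, not code from the thread or from the Unbound project, showing that exchange in Python with only the standard library. The `ip@port#authname` parser, the wire-format builder and the response parser run offline; `query_dot()` needs the network and assumes the first upstream from Yuri's config. The canned response used to check the parser is constructed here, not captured from a real server.

```python
"""Minimal DNS-over-TLS client (added illustration, not from Unbound).

Mirrors what Unbound does for "forward-addr: 1.1.1.1@853#cloudflare-dns.com":
TLS to port 853, SNI and certificate verification against the name after '#',
and DNS messages framed with the 2-byte length prefix used on TCP
(RFC 1035 section 4.2.2, RFC 7858). Standard library only.
"""
import socket
import ssl
import struct

TYPE_A, TYPE_OPT = 1, 41


def parse_forward_addr(spec):
    """Split Unbound's 'ip@port#authname' syntax into (ip, port, authname).

    Port defaults to 53 and authname to None when absent, as in unbound.conf(5);
    without an authname the certificate cannot be checked against a name."""
    host, _, auth = spec.partition("#")
    ip, _, port = host.partition("@")
    return ip, int(port) if port else 53, auth or None


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=TYPE_A, txid=0x1234, want_dnssec=True):
    """Query with RD set plus an EDNS0 OPT record; the DO bit asks for DNSSEC RRs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, type 41, "class" = UDP payload size, "TTL" = ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x8000 if want_dnssec else 0, 0)
    return header + question + opt


def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end if jumped else off


def parse_response(msg):
    """Return id, rcode, the AD (authenticated data) bit and the answer RRs."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                 # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    # AD is bit 5 of the flags word. It only says the *upstream* validated;
    # a client that does not run its own validator has verified nothing.
    return {"id": txid, "rcode": flags & 0x000F, "ad": bool(flags & 0x0020), "answers": answers}


def frame_tcp(msg):
    """DNS over TCP/TLS prefixes each message with its big-endian 2-byte length."""
    return struct.pack("!H", len(msg)) + msg


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("upstream closed the TLS session early")
        buf += chunk
    return buf


def query_dot(spec, qname, cafile=None):
    """Send one query to 'ip@port#authname' over TLS and return the parsed answer.

    cafile=None uses the platform trust store (on Windows the system store, the
    analogue of tls-win-cert: yes); cafile=r"C:\\...\\ca-bundle.crt" is the analogue
    of tls-cert-bundle. Hostname checking stays on, so a certificate that does not
    name authname fails the handshake with ssl.SSLCertVerificationError, the same
    condition Unbound logs as "certificate verify failed".
    """
    ip, port, auth = parse_forward_addr(spec)
    if auth is None:
        raise ValueError("no #authname in forward-addr; refusing to skip certificate checks")
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((ip, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth) as tls:
            tls.sendall(frame_tcp(build_query(qname)))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return parse_response(recv_exact(tls, length))


if __name__ == "__main__":
    # Needs network access; uses the first forward-addr from the config in the thread.
    print(query_dot("1.1.1.1@853#cloudflare-dns.com", "cloudflare-dns.com"))
```

Two points worth noting against the thread. The `ssl.SSLCertVerificationError` raised by `query_dot()` when no trust store matches the chain is the client-side counterpart of the `certificate verify failed` error in Ray's first message, and it goes away in the same two ways: point `cafile` at a bundle (as with `tls-cert-bundle`) or leave it `None` so the platform store is used (as with `tls-win-cert: yes`). Second, the `ad` flag in the result is set by the upstream, not checked by this client; a resolver like Unbound that validates itself (the `validator` in `module-config`) is what turns a wrong or missing DS chain into the "Cannot retrieve DS for signature" failure seen in Ray's log.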
