From thozza at redhat.com Mon Feb 19 11:51:17 2018
From: thozza at redhat.com (Tomas Hozza)
Date: Mon, 19 Feb 2018 12:51:17 +0100
Subject: [Dnssec-trigger] [PATCH] Port from NetworkManager-glib to NetworkManager-libnm
Message-ID: <4c7716eb-f5ed-39aa-6978-08c947f868c4@redhat.com>

Hello.

In the Python dnssec-trigger-script, we currently use the NetworkManager-glib API, which is obsolete and is going away in the future. The attached patch ports the script to use the newer API from NetworkManager-libnm. It also simplifies things. The patch is based on code from https://github.com/NLnetLabs/dnssec-trigger master.

Tested on Fedora 26 with dnssec-trigger 0.15. It works fine.

Regards,
Tomas

--
Tomas Hozza
Associate Manager, Software Engineering - EMEA ENG Core Services
PGP: 1D9F3C2D
UTC+1 (CET)
Red Hat Inc. http://cz.redhat.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-dnssec-trigger-script-port-to-libnm.patch
Type: text/x-patch
Size: 3750 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0xC5887AD51D9F3C2D.asc
Type: application/pgp-keys
Size: 21542 bytes
Desc: not available
URL:

From wouter at nlnetlabs.nl Fri Feb 23 12:47:57 2018
From: wouter at nlnetlabs.nl (W.C.A. Wijngaards)
Date: Fri, 23 Feb 2018 13:47:57 +0100
Subject: [Dnssec-trigger] [PATCH] Port from NetworkManager-glib to NetworkManager-libnm
In-Reply-To: <4c7716eb-f5ed-39aa-6978-08c947f868c4@redhat.com>
References: <4c7716eb-f5ed-39aa-6978-08c947f868c4@redhat.com>
Message-ID: <282b1feb-b468-4524-b5ea-21c556538cfa@nlnetlabs.nl>

Hi Tomas,

On 19/02/18 12:51, Tomas Hozza wrote:
> Hello.
>
> In the Python dnssec-trigger-script, we currently use NetworkManager-glib API, which is obsolete and is going away in the future. The attached patch ports the script to use newer API from NetworkManager-libnm. It also simplifies things. Patch is based on code from https://github.com/NLnetLabs/dnssec-trigger master.
>
> Tested on Fedora 26 with dnssec-trigger 0.15. It works fine.

Thanks! It was applied.

Best regards, Wouter

>
> Regards,
> Tomas
>
>
>
> _______________________________________________
> dnssec-trigger mailing list
> dnssec-trigger at NLnetLabs.nl
> https://open.nlnetlabs.nl/mailman/listinfo/dnssec-trigger
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL:

From wouter at nlnetlabs.nl Mon Feb 26 13:49:39 2018
From: wouter at nlnetlabs.nl (W.C.A. Wijngaards)
Date: Mon, 26 Feb 2018 14:49:39 +0100
Subject: [Dnssec-trigger] uk.uk. failing probes
In-Reply-To: <9d45dfdb-993f-d895-b48d-d1d8c0c87f08@redhat.com>
References: <205b5666-293f-b306-1437-9f27d441f799@redhat.com> <3b896db6-cd65-2f7c-ca0e-42b91785bead@nlnetlabs.nl> <9d45dfdb-993f-d895-b48d-d1d8c0c87f08@redhat.com>
Message-ID:

Hi Petr,

I fixed it so that it allows type NXDOMAIN for the answer. That should make the probes work. The uk.uk. domain changed its answers, but they are still NSEC3 answers, so we can continue to use that, but the code now allows the rcode NXDOMAIN as well.

Index: riggerd/probe.c
===================================================================
--- riggerd/probe.c (revision 762)
+++ riggerd/probe.c (working copy)
@@ -490,7 +490,8 @@ } /* does DNS work? */ - if(ldns_pkt_get_rcode(p) != LDNS_RCODE_NOERROR) { + if(ldns_pkt_get_rcode(p) != LDNS_RCODE_NOERROR && + ldns_pkt_get_rcode(p) != LDNS_RCODE_NXDOMAIN) { char* r = ldns_pkt_rcode2str(ldns_pkt_get_rcode(p)); snprintf(reason, sizeof(reason), "no answer, %s", r?r:"(out of memory)");

Best regards, Wouter

On 31/01/18 13:53, Petr Menšík wrote:
> Hello Wouter,
>
> sure, that check there is there for a negative answer. However it does
> require a different negative answer than it gets for uk.uk. It should
> receive a NOERROR response, but it does receive NXDOMAIN. That is received
> because dig -t NS uk.uk. will return NXDOMAIN as well.
>
> This way, I sometimes get results of
>
> $ dnssec-trigger-control status
> cache : error no answer, NXDOMAIN
> cache : OK
> state: cache secure
>
> And only NS2 is used then as secure forwarder. If I had only a single
> resolver or had bad luck and it tried uk.uk on both resolvers, it would
> disable DNSSEC on well working resolvers.
>
> $ unbound-control list_forwards
> . IN forward
>
> Because it uses a workaround with a public resolver, it might not be visible
> right away. In our office direct DNS requests to the internet are blocked,
> so such a failure is much more visible.
>
> This is somehow reproducible if you know where to look. It has 25%
> probability to show up.
>
> The response it receives on my system is this:
> 2018-01-29T11:12:35+0100 dnssec-triggerd[1461]: [1461] debug: ;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 12668
> ;; flags: qr rd cd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;; _probe.uk.uk. IN NULL
>
> ;; ANSWER SECTION:
>
> ;; AUTHORITY SECTION:
> uk. 10778 IN SOA dns1.nic.uk. hostmaster.nic.uk. 1403554870 7200 900 2419200 10800
> uk. 10778 IN RRSIG SOA 8 1 172800 20180212101015 20180129091015 43056 uk.
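Review bot: the widened condition `if(ldns_pkt_get_rcode(p) != LDNS_RCODE_NOERROR && ldns_pkt_get_rcode(p) != LDNS_RCODE_NXDOMAIN)` sits under a generic "does DNS work?" comment and is not tied to the NSEC3 probe, so if other probe types pass through this check, a resolver that wrongly returns NXDOMAIN for a name that does exist now clears this gate too; consider scoping the NXDOMAIN exception to the probe that expects a denial, or requiring the signed NSEC3 records that probe looks for before treating NXDOMAIN as a working answer. Also, Petr's report says the denial for _probe.uk.uk. is produced by the uk. zone rather than uk.uk.; this hunk only relaxes the rcode test, so it is worth confirming that the NSEC3 handling after it accepts a denial from the parent zone, otherwise the probe still fails with a different reason string. Minor: `ldns_pkt_get_rcode(p)` is evaluated three times in a row; storing it once in a local `ldns_pkt_rcode` variable would read better.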
> j4KTNjHJyIFpicmDExTyFslOxTH2ayaOop76x3Y6K4m9CWxbM7J9yK+Mzj1iHRxtKvXxUqArrPxcPmzZaJxhqVgj4mf9b6MOrxbMY4tyCve9USQLW+Fm3JY0fX32Z9VCSH6zJOMG8b5xyUDmQ36/hNv8GFfbwbaydO0KVQD5wNA=
>
> 4ICKPJJH422NL4DM0IM88FT62R1ICF2D.uk. 10778 IN RRSIG NSEC3 8 2 10800 20180211232933 20180128225448 43056 uk.
> j7VNrDP5MEqUmnvGtZ/PQf1iFWANsaQhIR3tJCZO8yJrZ6YmJn16wD27RblZgNcRU1PoCPNeBSiolhw/Ww5wVT3PlSeI97Oa/KP30mYYxr4Wqsjp+o7rDZEUzVY6lWBgKOBWz65JBjcQOi+Jabgyjm4xUjW6nIiUF5ORoCKRo18=
>
> 4ICKPJJH422NL4DM0IM88FT62R1ICF2D.uk. 10778 IN NSEC3 1 1 0 - 4ij9nhvbedk84b1ologpt9tgjj8127bm NS DS RRSIG
>
> U1FMKLFV3RDCNAMDC64SEKGCDP05BBIU.uk. 10778 IN RRSIG NSEC3 8 2 10800 20180212063306 20180129055822 43056 uk.
> KPDys4kmQVz2rG0Dk5MlYEi0A1CUREUK+gTqLd4DLDx4Lox0Ia/FY1c28Izr7hFL8GuOkFHoCMYE1IpzcorBQJ/ivQKkFlP5ibuvU70VsOvbpVYc5e3dizdgQZbeaenU0u5mRN4Jlxl9nTQyhuyLfpoJkBGAUYrifytMy++2WVc=
>
> U1FMKLFV3RDCNAMDC64SEKGCDP05BBIU.uk. 10778 IN NSEC3 1 1 0 - u1lg7j6jo1nfsu55lon2umgeujo912tu NS SOA RRSIG DNSKEY NSEC3PARAM TYPE65534
>
> UJ0TSI3JRONDQNT57QK2BP4O3EEIUVNS.uk. 10778 IN RRSIG NSEC3 8 2 10800 20180212081816 20180129080542 43056 uk.
> S+CI+50V3P3P0odOqrHFM9UqciqZV14PE5DhcYizFw0zdF0M2vpFUM9inJEUcsrI5H+vlcu0w7/itlf0IWTa3EHKDg/FgKStf5azJSOFGyQ8HI+bZ7r6U694dBut4Lvs3jZOtx77L0yMjZxNBxOQhFS2IQVelQvJQz8ID9ux6eI=
>
> UJ0TSI3JRONDQNT57QK2BP4O3EEIUVNS.uk.
> 10778 IN NSEC3 1 1 0 - ujigh3977hiahq1bj8659m81tf4etiko NS DS RRSIG
>
> ;; ADDITIONAL SECTION:
>
> ;; Query time: 0 msec
> ;; EDNS: version 0; flags: do ; udp: 4096
> ;; WHEN: Thu Jan 1 01:00:00 1970
> ;; MSG SIZE rcvd: 1017
> 2018-01-29T11:12:35+0100 dnssec-triggerd[1461]: [1461] debug: close fd 11
> 2018-01-29T11:12:35+0100 dnssec-triggerd[1461]: [1461] debug: probe NS1: failed: no answer, NXDOMAIN in NSEC3
>
>
> However NS2 receives a different response:
> 2018-01-29T11:12:35+0100 dnssec-triggerd[1461]: [1461] debug: ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 2430
> ;; flags: qr rd cd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;; _probe.uk.com. IN NULL
>
> ;; ANSWER SECTION:
>
> ;; AUTHORITY SECTION:
> uk.com. 3600 IN SOA ns0.centralnic.net. hostmaster.centralnic.net. 3000449728 900 1800 6048000 3600
> uk.com. 3600 IN RRSIG SOA 7 2 3600 20180228193951 20180129080110 8049 uk.com.
> LX/kFnpgfi2EZoeu74+kh9HyAaaA8aI9COoAXWFGRSjp1O3SdkjxWQ0aB7gB4B+03Z/ypDc3CGSb0KjPoxmDrgjhdNjtvfdlgqA3GbTFf4F4B4Bvhf9t2Iag5yNDcs1Rz2EiQpPVa5V/UwTR28FJ7tkAUCRyagy4XlZ4htxlKGY=
>
> t03nh0mhqgpsfg2luej9fs5l3lg37ptk.uk.com. 3600 IN RRSIG NSEC3 7 3 3600 20180223084924 20180123220429 8049 uk.com.
> urIQGlPD9o9GQ4wLNbzbgcdNgY6y9isrXpM1yM1yRxA9lPcQpN2Kk0gF0b6VYd/5QBd6UQA0Bt7nobOhpQIkLzDSH1rAkbreUGJWV4qSk/wKi5Ce2JlOBO4M7PDGMjuBS4Og5QWzunI2SmbORM9pVs5qMfzPDRqWvCGG7c0KfZA=
>
> t03nh0mhqgpsfg2luej9fs5l3lg37ptk.uk.com. 3600 IN NSEC3 1 1 1 - t1g0ocvb4l8vpe39r869hutldjee9cql
>
> ;; ADDITIONAL SECTION:
>
> ;; Query time: 0 msec
> ;; EDNS: version 0; flags: do ; udp: 4096
> ;; WHEN: Thu Jan 1 01:00:00 1970
> ;; MSG SIZE rcvd: 510
> 2018-01-29T11:12:35+0100 dnssec-triggerd[1461]: [1461] debug: close fd 8
> 2018-01-29T11:12:35+0100 dnssec-triggerd[1461]: [1461] debug: probe NS2: NSEC3 completed successfully
>
>
> On 23.1.2018 at 12:28, W.C.A. Wijngaards wrote:
>> Hi Petr,
>>
>> On 23/01/18 12:17, Petr Menšík wrote:
>>> Hello,
>>>
>>> I just tried the new 0.15 dnssec-trigger. Once again there is a problem with
>>> the domain chosen to make probes.
>>>
>>> $ dig @dns2.nic.uk. +norec +dnssec -t SOA uk.uk.
>>>
>>> returns NXDOMAIN.
>>
>> Yes, that is why it is there. To get an NSEC3 response.
>>
>>>
>>> For that reason, the gen_random_nsec3_dest probe "_probe.uk.uk." will always
>>> fail if chosen. A manual dnssec-trigger-control reprobe might be required.
>>
>> No, it works to get an NSEC3 response.
>>
>>>
>>> My question is the same as the last time. How were those domains chosen?
>>
>> At random.
> I did not think about how one is selected from that array. I know it is
> random. My question was more about how well the values inside that array
> were chosen. It seems to me it might be useful to make them configurable.
>>
>>>
>>> I found it cannot even be registered again:
>>> https://www.nominet.uk/whois/?query=uk.uk#whois-results
>>
>> That is a good reason to have picked it; i.e. no registerable domain to
>> elicit NXDOMAIN responses.
> No it is not, unless the code is changed to handle this situation correctly.
> Yes, it receives NSEC3 there. That is quite good. It is however for an
> unexpected zone, just uk. That is not handled by dnssec-trigger as
> valid. I am not sure it should be in this case.
>>
>>>
>>> Have the domain owners been asked if it is ok to use their domains?
>>
>> No, but if they wouldn't like it, we would of course pick some other
>> NXDOMAIN response.
> I am asking this because there was a similar issue with the kr.com domain,
> where it removed support for DNSSEC.
>
> Why aren't there any nlnetlabs domains? Is that because of anonymity? It
> seems to me administrators of resolvers can guess I am using
> dnssec-trigger from such queries. It would make sense to me to use some
> domains whose owners are aware that dnssec-trigger is using them.
>>
>> Best regards, Wouter
>>
>>
>>
>>
>> _______________________________________________
>> dnssec-trigger mailing list
>> dnssec-trigger at NLnetLabs.nl
>> https://open.nlnetlabs.nl/mailman/listinfo/dnssec-trigger
>>
>
>
>
> _______________________________________________
> dnssec-trigger mailing list
> dnssec-trigger at NLnetLabs.nl
> https://open.nlnetlabs.nl/mailman/listinfo/dnssec-trigger
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL:
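The probe decision this thread is about, as an added example that is not part of the thread or of dnssec-trigger's own code: it parses the dig-style debug dump that Petr quoted (the two sample inputs are constructed, trimmed copies of the NS1 and NS2 responses with the signature data replaced by "..."), applies the "does DNS work?" rcode gate from probe.c both before and after the change, and additionally compares the zone that produced the denial (the owner of the SOA in the AUTHORITY section) with the zone the `_probe.<zone>` name points at, which is the mismatch Petr raises for uk.uk. The function names and the section parser are this example's own, not the daemon's.

```python
"""Classify dnssec-trigger-style NSEC3 probe responses.

Added example; not dnssec-trigger's own code. Parses the dig-style dump
that dnssec-triggerd logs at debug level, applies the "does DNS work?"
rcode gate from riggerd/probe.c before and after the change in the
thread, and checks which zone actually produced the denial.
"""
import re
from typing import Dict, Tuple

# Constructed samples: trimmed copies of the NS1 (uk.uk.) and NS2 (uk.com.)
# responses quoted in the thread, with RRSIG signature data replaced by "...".
NS1_RESPONSE = """\
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 12668
;; flags: qr rd cd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 0
;; QUESTION SECTION:
;; _probe.uk.uk.  IN  NULL

;; ANSWER SECTION:

;; AUTHORITY SECTION:
uk.  10778  IN  SOA  dns1.nic.uk. hostmaster.nic.uk. 1403554870 7200 900 2419200 10800
uk.  10778  IN  RRSIG  SOA 8 1 172800 20180212101015 20180129091015 43056 uk. ...
4ICKPJJH422NL4DM0IM88FT62R1ICF2D.uk.  10778  IN  RRSIG  NSEC3 8 2 10800 20180211232933 20180128225448 43056 uk. ...
4ICKPJJH422NL4DM0IM88FT62R1ICF2D.uk.  10778  IN  NSEC3  1 1 0 - 4ij9nhvbedk84b1ologpt9tgjj8127bm NS DS RRSIG

;; ADDITIONAL SECTION:
;; MSG SIZE rcvd: 1017
"""

NS2_RESPONSE = """\
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 2430
;; flags: qr rd cd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 0
;; QUESTION SECTION:
;; _probe.uk.com.  IN  NULL

;; ANSWER SECTION:

;; AUTHORITY SECTION:
uk.com.  3600  IN  SOA  ns0.centralnic.net. hostmaster.centralnic.net. 3000449728 900 1800 6048000 3600
uk.com.  3600  IN  RRSIG  SOA 7 2 3600 20180228193951 20180129080110 8049 uk.com. ...
t03nh0mhqgpsfg2luej9fs5l3lg37ptk.uk.com.  3600  IN  RRSIG  NSEC3 7 3 3600 20180223084924 20180123220429 8049 uk.com. ...
t03nh0mhqgpsfg2luej9fs5l3lg37ptk.uk.com.  3600  IN  NSEC3  1 1 1 - t1g0ocvb4l8vpe39r869hutldjee9cql

;; ADDITIONAL SECTION:
;; MSG SIZE rcvd: 510
"""

RCODE_RE = re.compile(r"rcode: (\w+)")
SECTION_RE = re.compile(r"^;; (\w+) SECTION:")


def parse_response(text: str) -> Dict:
    """Extract rcode, question name and AUTHORITY records as (owner, type, rdata)."""
    resp = {"rcode": None, "qname": None, "authority": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "->>HEADER<<-" in line:
            m = RCODE_RE.search(line)
            resp["rcode"] = m.group(1) if m else None
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "QUESTION" and line.startswith(";;"):
            resp["qname"] = line[2:].split()[0]
        elif section == "AUTHORITY" and not line.startswith(";"):
            parts = line.split(None, 4)  # owner ttl class type rdata
            if len(parts) < 4:
                continue
            rdata = parts[4] if len(parts) > 4 else ""
            resp["authority"].append((parts[0], parts[3], rdata))
    return resp


def dns_works(rcode: str, allow_nxdomain: bool) -> bool:
    """The 'does DNS work?' gate: probe.c accepted only NOERROR before the
    change; allow_nxdomain=True reproduces the patched condition."""
    return rcode == "NOERROR" or (allow_nxdomain and rcode == "NXDOMAIN")


def nsec3_probe_result(resp: Dict, allow_nxdomain: bool) -> Tuple[bool, str]:
    """Outcome of an NSEC3 probe, phrased like the daemon's log lines."""
    if not dns_works(resp["rcode"], allow_nxdomain):
        return False, "no answer, %s" % resp["rcode"]
    if not any(rtype == "NSEC3" for _, rtype, _ in resp["authority"]):
        return False, "no NSEC3 records in authority section"
    return True, "NSEC3 completed successfully"


def expected_zone(qname: str) -> str:
    """_probe.<zone> -> <zone>: the zone whose denial the probe name targets."""
    return qname.split(".", 1)[1]


def denying_zone(resp: Dict) -> str:
    """Owner of the AUTHORITY SOA: the zone that actually produced the denial."""
    for owner, rtype, _ in resp["authority"]:
        if rtype == "SOA":
            return owner
    return ""


def denial_from_expected_zone(resp: Dict) -> bool:
    """True when the denial comes from the zone named in the probe (uk.com.);
    False for uk.uk., where the parent zone uk. answers instead."""
    return denying_zone(resp) == expected_zone(resp["qname"])


if __name__ == "__main__":
    for label, text in (("NS1", NS1_RESPONSE), ("NS2", NS2_RESPONSE)):
        r = parse_response(text)
        print(label, r["rcode"],
              "before:", nsec3_probe_result(r, False),
              "after:", nsec3_probe_result(r, True),
              "denial from expected zone:", denial_from_expected_zone(r))
```

Run as is, NS1 fails the pre-change gate with "no answer, NXDOMAIN" and passes the post-change one, while NS2 passes both; the last column shows that only the NS2 denial is produced by the zone the probe name actually targets, which is the part the rcode change alone does not address.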