[Dnssec-trigger] uk.uk. failing probes

W.C.A. Wijngaards wouter at nlnetlabs.nl
Mon Feb 26 13:49:39 UTC 2018


Hi Petr,

I fixed it so that it allows type NXDOMAIN for the answer.  That should
make the probes work.  The uk.uk. domain changed its answers, but they
are still NSEC3 answers, so we can continue to use that, but the code
now allows the rcode NXDOMAIN as well.

Index: riggerd/probe.c
===================================================================
--- riggerd/probe.c	(revision 762)
+++ riggerd/probe.c	(working copy)
@@ -490,7 +490,8 @@
 	}

 	/* does DNS work? */
-	if(ldns_pkt_get_rcode(p) != LDNS_RCODE_NOERROR) {
+	if(ldns_pkt_get_rcode(p) != LDNS_RCODE_NOERROR &&
+		ldns_pkt_get_rcode(p) != LDNS_RCODE_NXDOMAIN) {
 		char* r = ldns_pkt_rcode2str(ldns_pkt_get_rcode(p));
 		snprintf(reason, sizeof(reason), "no answer, %s",
 			r?r:"(out of memory)");
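
Review bot: The `/* does DNS work? */` comment above the changed condition no longer explains the check: it now passes two rcodes, and nothing in the hunk says why NXDOMAIN counts as a working answer. Suggest extending the comment to say that a probe name such as _probe.uk.uk. may not exist and that an NXDOMAIN reply is acceptable here only because it is still expected to carry NSEC3 records. It is also worth confirming that the NSEC3 check further down (not visible in this hunk) is still applied to NXDOMAIN replies, so that an NXDOMAIN without NSEC3 is not reported as a working secure cache. Separately, ldns_pkt_get_rcode(p) is now called three times in these lines; reading it once into a local would make the condition and the ldns_pkt_rcode2str call easier to follow.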

Best regards, Wouter


On 31/01/18 13:53, Petr Menšík wrote:
> Hello Wouter,
> 
> Sure, that check is there for a negative answer. However, it requires
> a different negative answer than it gets for uk.uk. It should
> receive a NOERROR response, but it receives NXDOMAIN. That is received
> because dig -t NS uk.uk. will return NXDOMAIN as well.
> 
> This way, I sometimes get results of
> 
> $ dnssec-trigger-control status
> cache <NS1>: error no answer, NXDOMAIN
> cache <NS2>: OK
> state: cache secure
> 
> And only NS2 is then used as a secure forwarder. If I had only a single
> resolver, or had bad luck and it tried uk.uk on both resolvers, it would
> disable DNSSEC on well-working resolvers.
> 
> $ unbound-control list_forwards
> . IN forward <NS2>
> 
> Because it uses a workaround with a public resolver, it might not be
> visible right away. In our office, direct DNS requests to the internet
> are blocked, so such a failure is much more visible.
> 
> This is somehow reproducible if you know where to look. It has a 25%
> probability of showing up.
> 
> The response it receives on my system is this:
> 2018-01-29T11:12:35+0100 dnssec-triggerd[1461]: [1461] debug: ;;
> ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 12668
>                                                 ;; flags: qr rd cd ra ;
> QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 0
>                                                 ;; QUESTION SECTION:
>                                                 ;; _probe.uk.uk.
> IN        NULL
> 
>                                                 ;; ANSWER SECTION:
> 
>                                                 ;; AUTHORITY SECTION:
>                                                 uk.        10778
> IN        SOA        dns1.nic.uk. hostmaster.nic.uk. 1403554870 7200 900
> 2419200 10800
>                                                 uk.        10778
> IN        RRSIG        SOA 8 1 172800 20180212101015 20180129091015
> 43056 uk.
> j4KTNjHJyIFpicmDExTyFslOxTH2ayaOop76x3Y6K4m9CWxbM7J9yK+Mzj1iHRxtKvXxUqArrPxcPmzZaJxhqVgj4mf9b6MOrxbMY4tyCve9USQLW+Fm3JY0fX32Z9VCSH6zJOMG8b5xyUDmQ36/hNv8GFfbwbaydO0KVQD5wNA=
> 
> 4ICKPJJH422NL4DM0IM88FT62R1ICF2D.uk.        10778        IN        RRSIG
>        NSEC3 8 2 10800 20180211232933 20180128225448 43056 uk.
> j7VNrDP5MEqUmnvGtZ/PQf1iFWANsaQhIR3tJCZO8yJrZ6YmJn16wD27RblZgNcRU1PoCPNeBSiolhw/Ww5wVT3PlSeI97Oa/KP30mYYxr4Wqsjp+o7rDZEUzVY6lWBgKOBWz65JBjcQOi+Jabgyjm4xUjW6nIiUF5ORoCKRo18=
> 
> 4ICKPJJH422NL4DM0IM88FT62R1ICF2D.uk.        10778        IN        NSEC3
>        1 1 0 -  4ij9nhvbedk84b1ologpt9tgjj8127bm NS DS RRSIG
> 
> U1FMKLFV3RDCNAMDC64SEKGCDP05BBIU.uk.        10778        IN        RRSIG
>        NSEC3 8 2 10800 20180212063306 20180129055822 43056 uk.
> KPDys4kmQVz2rG0Dk5MlYEi0A1CUREUK+gTqLd4DLDx4Lox0Ia/FY1c28Izr7hFL8GuOkFHoCMYE1IpzcorBQJ/ivQKkFlP5ibuvU70VsOvbpVYc5e3dizdgQZbeaenU0u5mRN4Jlxl9nTQyhuyLfpoJkBGAUYrifytMy++2WVc=
> 
> U1FMKLFV3RDCNAMDC64SEKGCDP05BBIU.uk.        10778        IN        NSEC3
>        1 1 0 -  u1lg7j6jo1nfsu55lon2umgeujo912tu NS SOA RRSIG DNSKEY
> NSEC3PARAM TYPE65534
> 
> UJ0TSI3JRONDQNT57QK2BP4O3EEIUVNS.uk.        10778        IN        RRSIG
>        NSEC3 8 2 10800 20180212081816 20180129080542 43056 uk.
> S+CI+50V3P3P0odOqrHFM9UqciqZV14PE5DhcYizFw0zdF0M2vpFUM9inJEUcsrI5H+vlcu0w7/itlf0IWTa3EHKDg/FgKStf5azJSOFGyQ8HI+bZ7r6U694dBut4Lvs3jZOtx77L0yMjZxNBxOQhFS2IQVelQvJQz8ID9ux6eI=
> 
> UJ0TSI3JRONDQNT57QK2BP4O3EEIUVNS.uk.        10778        IN        NSEC3
>        1 1 0 -  ujigh3977hiahq1bj8659m81tf4etiko NS DS RRSIG
> 
>                                                 ;; ADDITIONAL SECTION:
> 
>                                                 ;; Query time: 0 msec
>                                                 ;; EDNS: version 0;
> flags: do ; udp: 4096
>                                                 ;; WHEN: Thu Jan  1
> 01:00:00 1970
>                                                 ;; MSG SIZE  rcvd: 1017
> 2018-01-29T11:12:35+0100 dnssec-triggerd[1461]: [1461] debug: close fd 11
> 2018-01-29T11:12:35+0100 dnssec-triggerd[1461]: [1461] debug: probe NS1:
> failed: no answer, NXDOMAIN in NSEC3
> 
> 
> However NS2 receives different response:
> 2018-01-29T11:12:35+0100 dnssec-triggerd[1461]: [1461] debug: ;;
> ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 2430
>                                                 ;; flags: qr rd cd ra ;
> QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 0
>                                                 ;; QUESTION SECTION:
>                                                 ;; _probe.uk.com.
> IN        NULL
> 
>                                                 ;; ANSWER SECTION:
> 
>                                                 ;; AUTHORITY SECTION:
>                                                 uk.com.        3600
>   IN        SOA        ns0.centralnic.net. hostmaster.centralnic.net.
> 3000449728 900 1800 6048000 3600
>                                                 uk.com.        3600
>   IN        RRSIG        SOA 7 2 3600 20180228193951 20180129080110 8049
> uk.com.
> LX/kFnpgfi2EZoeu74+kh9HyAaaA8aI9COoAXWFGRSjp1O3SdkjxWQ0aB7gB4B+03Z/ypDc3CGSb0KjPoxmDrgjhdNjtvfdlgqA3GbTFf4F4B4Bvhf9t2Iag5yNDcs1Rz2EiQpPVa5V/UwTR28FJ7tkAUCRyagy4XlZ4htxlKGY=
> 
> t03nh0mhqgpsfg2luej9fs5l3lg37ptk.uk.com.        3600        IN
> RRSIG        NSEC3 7 3 3600 20180223084924 20180123220429 8049 uk.com.
> urIQGlPD9o9GQ4wLNbzbgcdNgY6y9isrXpM1yM1yRxA9lPcQpN2Kk0gF0b6VYd/5QBd6UQA0Bt7nobOhpQIkLzDSH1rAkbreUGJWV4qSk/wKi5Ce2JlOBO4M7PDGMjuBS4Og5QWzunI2SmbORM9pVs5qMfzPDRqWvCGG7c0KfZA=
> 
> t03nh0mhqgpsfg2luej9fs5l3lg37ptk.uk.com.        3600        IN
> NSEC3        1 1 1 -  t1g0ocvb4l8vpe39r869hutldjee9cql
> 
>                                                 ;; ADDITIONAL SECTION:
> 
>                                                 ;; Query time: 0 msec
>                                                 ;; EDNS: version 0;
> flags: do ; udp: 4096
>                                                 ;; WHEN: Thu Jan  1
> 01:00:00 1970
>                                                 ;; MSG SIZE  rcvd: 510
> 2018-01-29T11:12:35+0100 dnssec-triggerd[1461]: [1461] debug: close fd 8
> 2018-01-29T11:12:35+0100 dnssec-triggerd[1461]: [1461] debug: probe NS2:
> NSEC3 completed successfully
> 
> 
> On 23.1.2018 at 12:28, W.C.A. Wijngaards wrote:
>> Hi Petr,
>>
>> On 23/01/18 12:17, Petr Menšík wrote:
>>> Hello,
>>>
>>> I just tried the new 0.15 dnssec-trigger. Once again there is a problem
>>> with the domain chosen to make probes.
>>>
>>> $ dig @dns2.nic.uk. +norec +dnssec -t SOA uk.uk.
>>>
>>> returns NXDOMAIN.
>>
>> Yes, that is why it is there.  To get an NSEC3 response.
>>
>>>
>>> For that reason, gen_random_nsec3_dest probe "_probe.uk.uk." will always
>>> fail if chosen. Manual dnssec-trigger-control reprobe might be required.
>>
>> No, it works to get an NSEC3 response.
>>
>>>
>>> My question is the same as last time. How were those domains chosen?
>>
>> At random.
> I was not thinking of how one is selected from that array. I know it is
> random. My question was more about how well the values inside that
> array were chosen. It seems to me it might be useful to make them configurable.
>>
>>>
>>> I found it cannot be even registered again:
>>> https://www.nominet.uk/whois/?query=uk.uk#whois-results
>>
>> That is a good reason to have picked it; i.e. no registerable domain to
>> elicit NXDOMAIN responses.
> No, it is not, unless the code is changed to handle this situation
> correctly. Yes, it receives NSEC3 there. That is quite good. It is,
> however, for an unexpected zone, just uk. That is not handled by
> dnssec-trigger as valid. I am not sure it should be in this case.
>>
>>>
>>> Have the domain owners been asked whether it is OK to use their domains?
>>
>> No, but if they wouldn't like it, we would of course pick some other
>> NXDOMAIN response.
> I am asking this because there was a similar issue with the kr.com
> domain, where it removed support for DNSSEC.
> 
> Why aren't there any nlnetlabs domains? Is that because of anonymity? It
> seems to me administrators of resolvers can guess I am using
> dnssec-trigger from such queries. It would make sense to me to use some
> domains whose owners are aware that dnssec-trigger is using them.
>>
>> Best regards, Wouter

