From pemensik at redhat.com Tue Jan 23 11:17:59 2018
From: pemensik at redhat.com (Petr Menšík)
Date: Tue, 23 Jan 2018 12:17:59 +0100
Subject: [Dnssec-trigger] uk.uk. failing probes
Message-ID: <205b5666-293f-b306-1437-9f27d441f799@redhat.com>

Hello,

I just tried the new 0.15 dnssec-trigger. Once again there is a problem with the domain chosen to make probes.

$ dig @dns2.nic.uk. +norec +dnssec -t SOA uk.uk.

returns NXDOMAIN.

For that reason, the gen_random_nsec3_dest probe "_probe.uk.uk." will always fail if chosen. A manual dnssec-trigger-control reprobe might be required.

My question is the same as the last time. How were those domains chosen?

I found it cannot even be registered again:
https://www.nominet.uk/whois/?query=uk.uk#whois-results

Have the domain owners been asked whether it is OK to use their domains?

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com  PGP: 65C6C973

From wouter at nlnetlabs.nl Tue Jan 23 11:28:48 2018
From: wouter at nlnetlabs.nl (W.C.A. Wijngaards)
Date: Tue, 23 Jan 2018 12:28:48 +0100
Subject: [Dnssec-trigger] uk.uk. failing probes
In-Reply-To: <205b5666-293f-b306-1437-9f27d441f799@redhat.com>
References: <205b5666-293f-b306-1437-9f27d441f799@redhat.com>
Message-ID: <3b896db6-cd65-2f7c-ca0e-42b91785bead@nlnetlabs.nl>

Hi Petr,

On 23/01/18 12:17, Petr Menšík wrote:
> Hello,
>
> I just tried the new 0.15 dnssec-trigger. Once again there is a problem with the
> domain chosen to make probes.
>
> $ dig @dns2.nic.uk. +norec +dnssec -t SOA uk.uk.
>
> returns NXDOMAIN.

Yes, that is why it is there. To get an NSEC3 response.

>
> For that reason, the gen_random_nsec3_dest probe "_probe.uk.uk." will always
> fail if chosen. A manual dnssec-trigger-control reprobe might be required.

No, it works to get an NSEC3 response.

>
> My question is the same as the last time. How were those domains chosen?

At random.
>
> I found it cannot even be registered again:
> https://www.nominet.uk/whois/?query=uk.uk#whois-results

That is a good reason to have picked it; i.e. no registerable domain to elicit NXDOMAIN responses.

>
> Have the domain owners been asked whether it is OK to use their domains?

No, but if they wouldn't like it, we would of course pick some other NXDOMAIN response.

Best regards, Wouter

From pemensik at redhat.com Wed Jan 31 12:53:08 2018
From: pemensik at redhat.com (Petr Menšík)
Date: Wed, 31 Jan 2018 13:53:08 +0100
Subject: [Dnssec-trigger] uk.uk. failing probes
In-Reply-To: <3b896db6-cd65-2f7c-ca0e-42b91785bead@nlnetlabs.nl>
References: <205b5666-293f-b306-1437-9f27d441f799@redhat.com> <3b896db6-cd65-2f7c-ca0e-42b91785bead@nlnetlabs.nl>
Message-ID: <9d45dfdb-993f-d895-b48d-d1d8c0c87f08@redhat.com>

Hello Wouter,

sure, that check is there for a negative answer. However, it does require a different negative answer than it gets for uk.uk. It should receive a NOERROR response, but it does receive NXDOMAIN. That is received because dig -t NS uk.uk. will return NXDOMAIN as well.

This way, I sometimes get results of

$ dnssec-trigger-control status
cache : error no answer, NXDOMAIN
cache : OK
state: cache secure

and only NS2 is then used as a secure forwarder. If I had only a single resolver, or had bad luck and it tried uk.uk on both resolvers, it would disable DNSSEC on well-working resolvers.

$ unbound-control list_forwards
. IN forward

Because it uses a workaround with a public resolver, it might not be visible right away. In our office, direct DNS requests to the internet are blocked, so such a failure is much more visible. This is somehow reproducible if you know where to look. It has a 25% probability of showing up.
The response it receives on my system is this:

2018-01-29T11:12:35+0100 dnssec-triggerd[1461]: [1461] debug: ;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 12668
;; flags: qr rd cd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 0
;; QUESTION SECTION:
;; _probe.uk.uk. IN NULL

;; ANSWER SECTION:

;; AUTHORITY SECTION:
uk. 10778 IN SOA dns1.nic.uk. hostmaster.nic.uk. 1403554870 7200 900 2419200 10800
uk. 10778 IN RRSIG SOA 8 1 172800 20180212101015 20180129091015 43056 uk. j4KTNjHJyIFpicmDExTyFslOxTH2ayaOop76x3Y6K4m9CWxbM7J9yK+Mzj1iHRxtKvXxUqArrPxcPmzZaJxhqVgj4mf9b6MOrxbMY4tyCve9USQLW+Fm3JY0fX32Z9VCSH6zJOMG8b5xyUDmQ36/hNv8GFfbwbaydO0KVQD5wNA=
4ICKPJJH422NL4DM0IM88FT62R1ICF2D.uk. 10778 IN RRSIG NSEC3 8 2 10800 20180211232933 20180128225448 43056 uk. j7VNrDP5MEqUmnvGtZ/PQf1iFWANsaQhIR3tJCZO8yJrZ6YmJn16wD27RblZgNcRU1PoCPNeBSiolhw/Ww5wVT3PlSeI97Oa/KP30mYYxr4Wqsjp+o7rDZEUzVY6lWBgKOBWz65JBjcQOi+Jabgyjm4xUjW6nIiUF5ORoCKRo18=
4ICKPJJH422NL4DM0IM88FT62R1ICF2D.uk. 10778 IN NSEC3 1 1 0 - 4ij9nhvbedk84b1ologpt9tgjj8127bm NS DS RRSIG
U1FMKLFV3RDCNAMDC64SEKGCDP05BBIU.uk. 10778 IN RRSIG NSEC3 8 2 10800 20180212063306 20180129055822 43056 uk. KPDys4kmQVz2rG0Dk5MlYEi0A1CUREUK+gTqLd4DLDx4Lox0Ia/FY1c28Izr7hFL8GuOkFHoCMYE1IpzcorBQJ/ivQKkFlP5ibuvU70VsOvbpVYc5e3dizdgQZbeaenU0u5mRN4Jlxl9nTQyhuyLfpoJkBGAUYrifytMy++2WVc=
U1FMKLFV3RDCNAMDC64SEKGCDP05BBIU.uk. 10778 IN NSEC3 1 1 0 - u1lg7j6jo1nfsu55lon2umgeujo912tu NS SOA RRSIG DNSKEY NSEC3PARAM TYPE65534
UJ0TSI3JRONDQNT57QK2BP4O3EEIUVNS.uk. 10778 IN RRSIG NSEC3 8 2 10800 20180212081816 20180129080542 43056 uk. S+CI+50V3P3P0odOqrHFM9UqciqZV14PE5DhcYizFw0zdF0M2vpFUM9inJEUcsrI5H+vlcu0w7/itlf0IWTa3EHKDg/FgKStf5azJSOFGyQ8HI+bZ7r6U694dBut4Lvs3jZOtx77L0yMjZxNBxOQhFS2IQVelQvJQz8ID9ux6eI=
UJ0TSI3JRONDQNT57QK2BP4O3EEIUVNS.uk. 10778 IN NSEC3 1 1 0 - ujigh3977hiahq1bj8659m81tf4etiko NS DS RRSIG

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; EDNS: version 0; flags: do ; udp: 4096
;; WHEN: Thu Jan 1 01:00:00 1970
;; MSG SIZE rcvd: 1017
2018-01-29T11:12:35+0100 dnssec-triggerd[1461]: [1461] debug: close fd 11
2018-01-29T11:12:35+0100 dnssec-triggerd[1461]: [1461] debug: probe NS1: failed: no answer, NXDOMAIN in NSEC3

However, NS2 receives a different response:

2018-01-29T11:12:35+0100 dnssec-triggerd[1461]: [1461] debug: ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 2430
;; flags: qr rd cd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 0
;; QUESTION SECTION:
;; _probe.uk.com. IN NULL

;; ANSWER SECTION:

;; AUTHORITY SECTION:
uk.com. 3600 IN SOA ns0.centralnic.net. hostmaster.centralnic.net. 3000449728 900 1800 6048000 3600
uk.com. 3600 IN RRSIG SOA 7 2 3600 20180228193951 20180129080110 8049 uk.com. LX/kFnpgfi2EZoeu74+kh9HyAaaA8aI9COoAXWFGRSjp1O3SdkjxWQ0aB7gB4B+03Z/ypDc3CGSb0KjPoxmDrgjhdNjtvfdlgqA3GbTFf4F4B4Bvhf9t2Iag5yNDcs1Rz2EiQpPVa5V/UwTR28FJ7tkAUCRyagy4XlZ4htxlKGY=
t03nh0mhqgpsfg2luej9fs5l3lg37ptk.uk.com. 3600 IN RRSIG NSEC3 7 3 3600 20180223084924 20180123220429 8049 uk.com. urIQGlPD9o9GQ4wLNbzbgcdNgY6y9isrXpM1yM1yRxA9lPcQpN2Kk0gF0b6VYd/5QBd6UQA0Bt7nobOhpQIkLzDSH1rAkbreUGJWV4qSk/wKi5Ce2JlOBO4M7PDGMjuBS4Og5QWzunI2SmbORM9pVs5qMfzPDRqWvCGG7c0KfZA=
t03nh0mhqgpsfg2luej9fs5l3lg37ptk.uk.com. 3600 IN NSEC3 1 1 1 - t1g0ocvb4l8vpe39r869hutldjee9cql

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; EDNS: version 0; flags: do ; udp: 4096
;; WHEN: Thu Jan 1 01:00:00 1970
;; MSG SIZE rcvd: 510
2018-01-29T11:12:35+0100 dnssec-triggerd[1461]: [1461] debug: close fd 8
2018-01-29T11:12:35+0100 dnssec-triggerd[1461]: [1461] debug: probe NS2: NSEC3 completed successfully

On 23.1.2018 at 12:28, W.C.A. Wijngaards wrote:
> Hi Petr,
>
> On 23/01/18 12:17, Petr Menšík wrote:
>> Hello,
>>
>> I just tried the new 0.15 dnssec-trigger. Once again there is a problem with the
>> domain chosen to make probes.
>>
>> $ dig @dns2.nic.uk. +norec +dnssec -t SOA uk.uk.
>>
>> returns NXDOMAIN.
>
> Yes, that is why it is there. To get an NSEC3 response.
>
>>
>> For that reason, the gen_random_nsec3_dest probe "_probe.uk.uk." will always
>> fail if chosen. A manual dnssec-trigger-control reprobe might be required.
>
> No, it works to get an NSEC3 response.
>
>>
>> My question is the same as the last time. How were those domains chosen?
>
> At random.

I did not think about how one is selected from that array. I know it is random. My question was more about how well the values inside that array were chosen. It seems to me it might be useful to make them configurable.

>
>> I found it cannot even be registered again:
>> https://www.nominet.uk/whois/?query=uk.uk#whois-results
>
> That is a good reason to have picked it; i.e. no registerable domain to
> elicit NXDOMAIN responses.

No, it is not, unless the code is changed to handle this situation correctly. Yes, it receives NSEC3 there. That is quite good. It is, however, for an unexpected zone, just uk. That is not handled by dnssec-trigger as valid. I am not sure it should be in this case.

>
>> Have the domain owners been asked whether it is OK to use their domains?
>
> No, but if they wouldn't like it, we would of course pick some other
> NXDOMAIN response.

I am asking this because there was a similar issue with the kr.com domain, where it removed support for DNSSEC. Why aren't there any nlnetlabs domains? Is that because of anonymity? It seems to me administrators of resolvers can guess I am using dnssec-trigger from such queries. It would make sense to me to use some domains whose owners are aware that dnssec-trigger is using them.
>
> Best regards, Wouter
>
> _______________________________________________
> dnssec-trigger mailing list
> dnssec-trigger at NLnetLabs.nl
> https://open.nlnetlabs.nl/mailman/listinfo/dnssec-trigger

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com  PGP: 65C6C973
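The zone mismatch Petr describes, written as an added example (not dnssec-trigger's own code): it parses the dig-style dumps quoted in the thread and reports whether the NSEC3 proof is signed by the probe name's parent zone (uk.com. for _probe.uk.com.) or only by an ancestor (uk. for _probe.uk.uk.), which is the difference between the NS2 success and the NS1 "NXDOMAIN in NSEC3" failure in the log. The rcode-plus-zone criterion is my reading of the thread, not dnssec-trigger's actual logic, and the sample dumps are trimmed copies of the two responses above.

```python
import re

# Constructed sample input: the two responses quoted in this thread,
# trimmed to the records the check needs (RRSIG records dropped).
UK_UK_RESPONSE = """\
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 12668
;; QUESTION SECTION:
;; _probe.uk.uk. IN NULL
;; AUTHORITY SECTION:
uk. 10778 IN SOA dns1.nic.uk. hostmaster.nic.uk. 1403554870 7200 900 2419200 10800
4ICKPJJH422NL4DM0IM88FT62R1ICF2D.uk. 10778 IN NSEC3 1 1 0 - 4ij9nhvbedk84b1ologpt9tgjj8127bm NS DS RRSIG
U1FMKLFV3RDCNAMDC64SEKGCDP05BBIU.uk. 10778 IN NSEC3 1 1 0 - u1lg7j6jo1nfsu55lon2umgeujo912tu NS SOA RRSIG DNSKEY NSEC3PARAM TYPE65534
;; ADDITIONAL SECTION:
"""
UK_COM_RESPONSE = """\
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 2430
;; QUESTION SECTION:
;; _probe.uk.com. IN NULL
;; AUTHORITY SECTION:
uk.com. 3600 IN SOA ns0.centralnic.net. hostmaster.centralnic.net. 3000449728 900 1800 6048000 3600
t03nh0mhqgpsfg2luej9fs5l3lg37ptk.uk.com. 3600 IN NSEC3 1 1 1 - t1g0ocvb4l8vpe39r869hutldjee9cql
;; ADDITIONAL SECTION:
"""

def parse_response(dump):
    """Extract rcode, question name and AUTHORITY (owner, type) pairs from a dig-style dump."""
    rcode = re.search(r"rcode: (\w+)", dump).group(1)
    qname, records, section = None, [], None
    for line in (ln.strip() for ln in dump.splitlines() if ln.strip()):
        if line.startswith(";; ") and line.endswith("SECTION:"):
            section = line.split()[1]          # QUESTION / ANSWER / AUTHORITY / ADDITIONAL
        elif section == "QUESTION" and line.startswith(";; "):
            qname = line.split()[1].lower()
        elif section == "AUTHORITY" and not line.startswith(";"):
            owner, _ttl, _class, rtype = line.split()[:4]
            records.append((owner.lower(), rtype))
    return rcode, qname, records

def parent_zone(name):
    """Drop the leftmost label: _probe.uk.uk. -> uk.uk."""
    return name.split(".", 1)[1]

def classify_probe(dump):
    """Say whether the negative answer is proven by the probe's parent zone or only by an ancestor."""
    rcode, qname, records = parse_response(dump)
    expected = parent_zone(qname)
    soa = [o for o, t in records if t == "SOA"]
    nsec3_zones = {parent_zone(o) for o, t in records if t == "NSEC3"}
    if not soa or not nsec3_zones:
        return "no NSEC3 proof in AUTHORITY"
    if soa[0] != expected or nsec3_zones != {expected}:
        return "%s signed by ancestor zone %s, expected %s" % (rcode, soa[0], expected)
    return "%s with NSEC3 in %s: probe OK" % (rcode, expected)
```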