[Dnssec-trigger] uk.uk. failing probes

Petr Menšík pemensik at redhat.com
Wed Jan 31 12:53:08 UTC 2018


Hello Wouter,

Sure, that check is there for a negative answer. However, it requires a
different negative answer than it gets for uk.uk. It should receive a
NOERROR response, but it receives NXDOMAIN. That is received because
dig -t NS uk.uk. returns NXDOMAIN as well.

This way, I sometimes get results of

$ dnssec-trigger-control status
cache <NS1>: error no answer, NXDOMAIN
cache <NS2>: OK
state: cache secure

And then only NS2 is used as a secure forwarder. If I had only a single
resolver, or had bad luck and it tried uk.uk on both resolvers, it would
disable DNSSEC on well-working resolvers.

$ unbound-control list_forwards
. IN forward <NS2>

Because it uses a workaround with a public resolver, it might not be
visible right away. In our office, direct DNS requests to the internet are
blocked, so such a failure is much more visible.

This is somewhat reproducible if you know where to look. It has a 25%
probability of showing up.

The response it receives on my system is this:
2018-01-29T11:12:35+0100 dnssec-triggerd[1461]: [1461] debug: ;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 12668
;; flags: qr rd cd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 0
;; QUESTION SECTION:
;; _probe.uk.uk.        IN        NULL

;; ANSWER SECTION:

;; AUTHORITY SECTION:
uk.        10778        IN        SOA        dns1.nic.uk. hostmaster.nic.uk. 1403554870 7200 900 2419200 10800
uk.        10778        IN        RRSIG        SOA 8 1 172800 20180212101015 20180129091015 43056 uk. j4KTNjHJyIFpicmDExTyFslOxTH2ayaOop76x3Y6K4m9CWxbM7J9yK+Mzj1iHRxtKvXxUqArrPxcPmzZaJxhqVgj4mf9b6MOrxbMY4tyCve9USQLW+Fm3JY0fX32Z9VCSH6zJOMG8b5xyUDmQ36/hNv8GFfbwbaydO0KVQD5wNA=
4ICKPJJH422NL4DM0IM88FT62R1ICF2D.uk.        10778        IN        RRSIG        NSEC3 8 2 10800 20180211232933 20180128225448 43056 uk. j7VNrDP5MEqUmnvGtZ/PQf1iFWANsaQhIR3tJCZO8yJrZ6YmJn16wD27RblZgNcRU1PoCPNeBSiolhw/Ww5wVT3PlSeI97Oa/KP30mYYxr4Wqsjp+o7rDZEUzVY6lWBgKOBWz65JBjcQOi+Jabgyjm4xUjW6nIiUF5ORoCKRo18=
4ICKPJJH422NL4DM0IM88FT62R1ICF2D.uk.        10778        IN        NSEC3        1 1 0 - 4ij9nhvbedk84b1ologpt9tgjj8127bm NS DS RRSIG
U1FMKLFV3RDCNAMDC64SEKGCDP05BBIU.uk.        10778        IN        RRSIG        NSEC3 8 2 10800 20180212063306 20180129055822 43056 uk. KPDys4kmQVz2rG0Dk5MlYEi0A1CUREUK+gTqLd4DLDx4Lox0Ia/FY1c28Izr7hFL8GuOkFHoCMYE1IpzcorBQJ/ivQKkFlP5ibuvU70VsOvbpVYc5e3dizdgQZbeaenU0u5mRN4Jlxl9nTQyhuyLfpoJkBGAUYrifytMy++2WVc=
U1FMKLFV3RDCNAMDC64SEKGCDP05BBIU.uk.        10778        IN        NSEC3        1 1 0 - u1lg7j6jo1nfsu55lon2umgeujo912tu NS SOA RRSIG DNSKEY NSEC3PARAM TYPE65534
UJ0TSI3JRONDQNT57QK2BP4O3EEIUVNS.uk.        10778        IN        RRSIG        NSEC3 8 2 10800 20180212081816 20180129080542 43056 uk. S+CI+50V3P3P0odOqrHFM9UqciqZV14PE5DhcYizFw0zdF0M2vpFUM9inJEUcsrI5H+vlcu0w7/itlf0IWTa3EHKDg/FgKStf5azJSOFGyQ8HI+bZ7r6U694dBut4Lvs3jZOtx77L0yMjZxNBxOQhFS2IQVelQvJQz8ID9ux6eI=
UJ0TSI3JRONDQNT57QK2BP4O3EEIUVNS.uk.        10778        IN        NSEC3        1 1 0 - ujigh3977hiahq1bj8659m81tf4etiko NS DS RRSIG

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; EDNS: version 0; flags: do ; udp: 4096
;; WHEN: Thu Jan  1 01:00:00 1970
;; MSG SIZE  rcvd: 1017
2018-01-29T11:12:35+0100 dnssec-triggerd[1461]: [1461] debug: close fd 11
2018-01-29T11:12:35+0100 dnssec-triggerd[1461]: [1461] debug: probe NS1: failed: no answer, NXDOMAIN in NSEC3


However, NS2 receives a different response:
2018-01-29T11:12:35+0100 dnssec-triggerd[1461]: [1461] debug: ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 2430
;; flags: qr rd cd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 0
;; QUESTION SECTION:
;; _probe.uk.com.        IN        NULL

;; ANSWER SECTION:

;; AUTHORITY SECTION:
uk.com.        3600        IN        SOA        ns0.centralnic.net. hostmaster.centralnic.net. 3000449728 900 1800 6048000 3600
uk.com.        3600        IN        RRSIG        SOA 7 2 3600 20180228193951 20180129080110 8049 uk.com. LX/kFnpgfi2EZoeu74+kh9HyAaaA8aI9COoAXWFGRSjp1O3SdkjxWQ0aB7gB4B+03Z/ypDc3CGSb0KjPoxmDrgjhdNjtvfdlgqA3GbTFf4F4B4Bvhf9t2Iag5yNDcs1Rz2EiQpPVa5V/UwTR28FJ7tkAUCRyagy4XlZ4htxlKGY=
t03nh0mhqgpsfg2luej9fs5l3lg37ptk.uk.com.        3600        IN        RRSIG        NSEC3 7 3 3600 20180223084924 20180123220429 8049 uk.com. urIQGlPD9o9GQ4wLNbzbgcdNgY6y9isrXpM1yM1yRxA9lPcQpN2Kk0gF0b6VYd/5QBd6UQA0Bt7nobOhpQIkLzDSH1rAkbreUGJWV4qSk/wKi5Ce2JlOBO4M7PDGMjuBS4Og5QWzunI2SmbORM9pVs5qMfzPDRqWvCGG7c0KfZA=
t03nh0mhqgpsfg2luej9fs5l3lg37ptk.uk.com.        3600        IN        NSEC3        1 1 1 - t1g0ocvb4l8vpe39r869hutldjee9cql

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; EDNS: version 0; flags: do ; udp: 4096
;; WHEN: Thu Jan  1 01:00:00 1970
;; MSG SIZE  rcvd: 510
2018-01-29T11:12:35+0100 dnssec-triggerd[1461]: [1461] debug: close fd 8
2018-01-29T11:12:35+0100 dnssec-triggerd[1461]: [1461] debug: probe NS2: NSEC3 completed successfully


On 23.1.2018 at 12:28, W.C.A. Wijngaards wrote:
> Hi Petr,
> 
> On 23/01/18 12:17, Petr Menšík wrote:
>> Hello,
>>
>> I just tried the new 0.15 dnssec-trigger. Once again there is a problem
>> with the domain chosen to make probes.
>>
>> $ dig @dns2.nic.uk. +norec +dnssec -t SOA uk.uk.
>>
>> returns NXDOMAIN.
> 
> Yes, that is why it is there.  To get an NSEC3 response.
> 
>>
>> For that reason, the gen_random_nsec3_dest probe "_probe.uk.uk." will
>> always fail if chosen. A manual dnssec-trigger-control reprobe might be
>> required.
> 
> No, it works to get an NSEC3 response.
> 
>>
>> My question is the same as last time. How were those domains chosen?
> 
> At random.
I was not thinking about how one is selected from that array. I know it
is random. My question was more about how well the values inside that
array were chosen. It seems to me it might be useful to make them
configurable.
> 
>>
>> I found it cannot be even registered again:
>> https://www.nominet.uk/whois/?query=uk.uk#whois-results
> 
> That is a good reason to have picked it; i.e. no registerable domain to
> elicit NXDOMAIN responses.
No, it is not, unless the code is changed to handle this situation
correctly. Yes, it receives NSEC3 there. That is quite good. It is,
however, for an unexpected zone, just uk. That is not handled by
dnssec-trigger as valid. I am not sure it should be in this case.
> 
>>
>> Have the domain owners been asked if it is ok to use their domains?
> 
> No, but if they wouldn't like it, we would of course pick some other
> NXDOMAIN response.
I am asking this because there was a similar issue with the kr.com
domain, where it removed support for DNSSEC.

Why aren't there any nlnetlabs domains? Is that because of anonymity? It
seems to me administrators of resolvers can guess I am using
dnssec-trigger from such queries. It would make sense to me to use some
domains whose owners are aware that dnssec-trigger is using them.
> 
> Best regards, Wouter

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com  PGP: 65C6C973
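Added example (my own Python, not dnssec-trigger's code) that models the probe expectation described in this message: it parses abbreviated copies of the two dig-style responses above and applies the rule that a probe of _probe.<zone> must be answered NOERROR with an NSEC3 proof owned by <zone> itself, so the NXDOMAIN answer for uk.uk., whose NSEC3 records belong to uk., is reported as failed while uk.com. passes. The one-record-per-line layout and the verdict strings (mirroring the log lines) are assumptions.

```python
import re

# Constructed, abbreviated copies of the two probe responses quoted above
# (RRSIGs and all but one NSEC3 dropped; only what the check needs is kept).
NS1_RESPONSE = """\
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 12668
;; QUESTION SECTION:
;; _probe.uk.uk. IN NULL
;; AUTHORITY SECTION:
uk. 10778 IN SOA dns1.nic.uk. hostmaster.nic.uk. 1403554870 7200 900 2419200 10800
4ICKPJJH422NL4DM0IM88FT62R1ICF2D.uk. 10778 IN NSEC3 1 1 0 - 4ij9nhvbedk84b1ologpt9tgjj8127bm NS DS RRSIG
"""
NS2_RESPONSE = """\
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 2430
;; QUESTION SECTION:
;; _probe.uk.com. IN NULL
;; AUTHORITY SECTION:
uk.com. 3600 IN SOA ns0.centralnic.net. hostmaster.centralnic.net. 3000449728 900 1800 6048000 3600
t03nh0mhqgpsfg2luej9fs5l3lg37ptk.uk.com. 3600 IN NSEC3 1 1 1 - t1g0ocvb4l8vpe39r869hutldjee9cql
"""

def parse_dig_text(text):
    """Return (rcode, qname, authority RRs) from dig-style text output."""
    rcode = re.search(r"rcode: (\w+)", text).group(1)
    qname = re.search(r"^;; (\S+)\s+IN\s+\S+$", text, re.M).group(1)
    authority, in_auth = [], False
    for line in text.splitlines():
        if line.startswith(";;"):            # section marker or comment
            in_auth = line.startswith(";; AUTHORITY")
        elif in_auth and line.strip():       # owner ttl class type rdata...
            owner, _ttl, _cls, rtype, *rdata = line.split()
            authority.append((owner, rtype, rdata))
    return rcode, qname, authority

def parent_zone(name):
    """Drop the first label: '_probe.uk.uk.' -> 'uk.uk.', 'x.uk.' -> 'uk.'."""
    return name.split(".", 1)[1]

def classify_probe(text):
    """Model of the rule described in the thread (assumption, not the real code):
    NOERROR plus an NSEC3 owned by the probe zone itself passes; NXDOMAIN means
    the probe zone does not exist and the NSEC3 came from its parent, so it fails."""
    rcode, qname, authority = parse_dig_text(text)
    expected_zone = parent_zone(qname)
    nsec3_zones = {parent_zone(o) for o, t, _ in authority if t == "NSEC3"}
    if rcode == "NXDOMAIN":
        return "failed: no answer, NXDOMAIN in NSEC3", nsec3_zones
    if rcode == "NOERROR" and expected_zone in nsec3_zones:
        return "NSEC3 completed successfully", nsec3_zones
    return "failed: unexpected response", nsec3_zones
```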
