From pemensik at redhat.com Wed Mar 14 12:56:17 2018
From: pemensik at redhat.com (Petr Menšík)
Date: Wed, 14 Mar 2018 13:56:17 +0100
Subject: [Dnssec-trigger] uk.uk. failing probes
In-Reply-To:
References: <205b5666-293f-b306-1437-9f27d441f799@redhat.com> <3b896db6-cd65-2f7c-ca0e-42b91785bead@nlnetlabs.nl> <9d45dfdb-993f-d895-b48d-d1d8c0c87f08@redhat.com>
Message-ID:

Thanks, that fixes the occasional failures, it seems. I did not think it would be such a simple change. Thanks a lot.

On 26.2.2018 at 14:49, W.C.A. Wijngaards wrote:
> Hi Petr,
>
> I fixed it so that it allows type NXDOMAIN for the answer. That should
> make the probes work. The uk.uk. domain changed its answers, but they
> are still NSEC3 answers, so we can continue to use that, but the code
> now allows the rcode NXDOMAIN as well.
>
> Index: riggerd/probe.c
> ===================================================================
> --- riggerd/probe.c (revision 762)
> +++ riggerd/probe.c (working copy)
> @@ -490,7 +490,8 @@
> }
>
> /* does DNS work? */
> - if(ldns_pkt_get_rcode(p) != LDNS_RCODE_NOERROR) {
> + if(ldns_pkt_get_rcode(p) != LDNS_RCODE_NOERROR &&
> + ldns_pkt_get_rcode(p) != LDNS_RCODE_NXDOMAIN) {
> char* r = ldns_pkt_rcode2str(ldns_pkt_get_rcode(p));
> snprintf(reason, sizeof(reason), "no answer, %s",
> r?r:"(out of memory)");
>
> Best regards, Wouter
>
>
> On 31/01/18 13:53, Petr Menšík wrote:
>> Hello Wouter,
>>
>> sure, that check there is there for a negative answer. However it does
>> require a different negative answer than it gets for uk.uk. It should
>> receive a NOERROR response, but it does receive NXDOMAIN. That is received
>> because dig -t NS uk.uk. will return NXDOMAIN as well.
>>
>> This way, I sometimes get results of
>>
>> $ dnssec-trigger-control status
>> cache : error no answer, NXDOMAIN
>> cache : OK
>> state: cache secure
>>
>> And only NS2 is used then as secure forwarder. If I had only a single
>> resolver or had bad luck and it tried uk.uk on both resolvers, it would
>> disable DNSSEC on well working resolvers.
>>
>> $ unbound-control list_forwards
>> . IN forward
>>
>> Because it uses a workaround with a public resolver, it might not be visible
>> right away. In our office, direct DNS requests to the internet are blocked,
>> so such a failure is much more visible.
>>
>> This is somehow reproducible if you know where to look. It has a 25%
>> probability to show up.
>>
>> The response it receives on my system is this:
>> 2018-01-29T11:12:35+0100 dnssec-triggerd[1461]: [1461] debug: ;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 12668
>> ;; flags: qr rd cd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 0
>> ;; QUESTION SECTION:
>> ;; _probe.uk.uk. IN NULL
>>
>> ;; ANSWER SECTION:
>>
>> ;; AUTHORITY SECTION:
>> uk. 10778 IN SOA dns1.nic.uk. hostmaster.nic.uk. 1403554870 7200 900 2419200 10800
>> uk. 10778 IN RRSIG SOA 8 1 172800 20180212101015 20180129091015 43056 uk.
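Review bot: the relaxed condition at `if(ldns_pkt_get_rcode(p) != LDNS_RCODE_NOERROR && ldns_pkt_get_rcode(p) != LDNS_RCODE_NXDOMAIN)` accepts NXDOMAIN for every answer that reaches this check, not only for the NSEC3 probe against uk.uk. that motivated it; if any other probe type expects a positive answer at this point, a resolver returning NXDOMAIN for it now passes the "does DNS work?" gate and must be caught by later checks with a less precise reason string, so either scope the NXDOMAIN case to the NSEC3 probe or at least update the `/* does DNS work? */` comment to say that both rcodes count as a working answer. Storing `ldns_pkt_get_rcode(p)` in a local once would also avoid calling it three times across the condition and the `ldns_pkt_rcode2str` line.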
>> j4KTNjHJyIFpicmDExTyFslOxTH2ayaOop76x3Y6K4m9CWxbM7J9yK+Mzj1iHRxtKvXxUqArrPxcPmzZaJxhqVgj4mf9b6MOrxbMY4tyCve9USQLW+Fm3JY0fX32Z9VCSH6zJOMG8b5xyUDmQ36/hNv8GFfbwbaydO0KVQD5wNA=
>> 4ICKPJJH422NL4DM0IM88FT62R1ICF2D.uk. 10778 IN RRSIG NSEC3 8 2 10800 20180211232933 20180128225448 43056 uk. j7VNrDP5MEqUmnvGtZ/PQf1iFWANsaQhIR3tJCZO8yJrZ6YmJn16wD27RblZgNcRU1PoCPNeBSiolhw/Ww5wVT3PlSeI97Oa/KP30mYYxr4Wqsjp+o7rDZEUzVY6lWBgKOBWz65JBjcQOi+Jabgyjm4xUjW6nIiUF5ORoCKRo18=
>> 4ICKPJJH422NL4DM0IM88FT62R1ICF2D.uk. 10778 IN NSEC3 1 1 0 - 4ij9nhvbedk84b1ologpt9tgjj8127bm NS DS RRSIG
>> U1FMKLFV3RDCNAMDC64SEKGCDP05BBIU.uk. 10778 IN RRSIG NSEC3 8 2 10800 20180212063306 20180129055822 43056 uk. KPDys4kmQVz2rG0Dk5MlYEi0A1CUREUK+gTqLd4DLDx4Lox0Ia/FY1c28Izr7hFL8GuOkFHoCMYE1IpzcorBQJ/ivQKkFlP5ibuvU70VsOvbpVYc5e3dizdgQZbeaenU0u5mRN4Jlxl9nTQyhuyLfpoJkBGAUYrifytMy++2WVc=
>> U1FMKLFV3RDCNAMDC64SEKGCDP05BBIU.uk. 10778 IN NSEC3 1 1 0 - u1lg7j6jo1nfsu55lon2umgeujo912tu NS SOA RRSIG DNSKEY NSEC3PARAM TYPE65534
>> UJ0TSI3JRONDQNT57QK2BP4O3EEIUVNS.uk. 10778 IN RRSIG NSEC3 8 2 10800 20180212081816 20180129080542 43056 uk. S+CI+50V3P3P0odOqrHFM9UqciqZV14PE5DhcYizFw0zdF0M2vpFUM9inJEUcsrI5H+vlcu0w7/itlf0IWTa3EHKDg/FgKStf5azJSOFGyQ8HI+bZ7r6U694dBut4Lvs3jZOtx77L0yMjZxNBxOQhFS2IQVelQvJQz8ID9ux6eI=
>> UJ0TSI3JRONDQNT57QK2BP4O3EEIUVNS.uk. 10778 IN NSEC3 1 1 0 - ujigh3977hiahq1bj8659m81tf4etiko NS DS RRSIG
>>
>> ;; ADDITIONAL SECTION:
>>
>> ;; Query time: 0 msec
>> ;; EDNS: version 0; flags: do ; udp: 4096
>> ;; WHEN: Thu Jan 1 01:00:00 1970
>> ;; MSG SIZE rcvd: 1017
>> 2018-01-29T11:12:35+0100 dnssec-triggerd[1461]: [1461] debug: close fd 11
>> 2018-01-29T11:12:35+0100 dnssec-triggerd[1461]: [1461] debug: probe NS1: failed: no answer, NXDOMAIN in NSEC3
>>
>>
>> However NS2 receives a different response:
>> 2018-01-29T11:12:35+0100 dnssec-triggerd[1461]: [1461] debug: ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 2430
>> ;; flags: qr rd cd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 0
>> ;; QUESTION SECTION:
>> ;; _probe.uk.com. IN NULL
>>
>> ;; ANSWER SECTION:
>>
>> ;; AUTHORITY SECTION:
>> uk.com. 3600 IN SOA ns0.centralnic.net. hostmaster.centralnic.net. 3000449728 900 1800 6048000 3600
>> uk.com. 3600 IN RRSIG SOA 7 2 3600 20180228193951 20180129080110 8049 uk.com. LX/kFnpgfi2EZoeu74+kh9HyAaaA8aI9COoAXWFGRSjp1O3SdkjxWQ0aB7gB4B+03Z/ypDc3CGSb0KjPoxmDrgjhdNjtvfdlgqA3GbTFf4F4B4Bvhf9t2Iag5yNDcs1Rz2EiQpPVa5V/UwTR28FJ7tkAUCRyagy4XlZ4htxlKGY=
>> t03nh0mhqgpsfg2luej9fs5l3lg37ptk.uk.com. 3600 IN RRSIG NSEC3 7 3 3600 20180223084924 20180123220429 8049 uk.com. urIQGlPD9o9GQ4wLNbzbgcdNgY6y9isrXpM1yM1yRxA9lPcQpN2Kk0gF0b6VYd/5QBd6UQA0Bt7nobOhpQIkLzDSH1rAkbreUGJWV4qSk/wKi5Ce2JlOBO4M7PDGMjuBS4Og5QWzunI2SmbORM9pVs5qMfzPDRqWvCGG7c0KfZA=
>> t03nh0mhqgpsfg2luej9fs5l3lg37ptk.uk.com. 3600 IN NSEC3 1 1 1 - t1g0ocvb4l8vpe39r869hutldjee9cql
>>
>> ;; ADDITIONAL SECTION:
>>
>> ;; Query time: 0 msec
>> ;; EDNS: version 0; flags: do ; udp: 4096
>> ;; WHEN: Thu Jan 1 01:00:00 1970
>> ;; MSG SIZE rcvd: 510
>> 2018-01-29T11:12:35+0100 dnssec-triggerd[1461]: [1461] debug: close fd 8
>> 2018-01-29T11:12:35+0100 dnssec-triggerd[1461]: [1461] debug: probe NS2: NSEC3 completed successfully
>>
>>
>> On 23.1.2018 at 12:28, W.C.A. Wijngaards wrote:
>>> Hi Petr,
>>>
>>> On 23/01/18 12:17, Petr Menšík wrote:
>>>> Hello,
>>>>
>>>> I just tried the new 0.15 dnssec-trigger. Once again there is a problem with
>>>> the domain chosen to make probes.
>>>>
>>>> $ dig @dns2.nic.uk. +norec +dnssec -t SOA uk.uk.
>>>>
>>>> returns NXDOMAIN.
>>>
>>> Yes, that is why it is there. To get an NSEC3 response.
>>>
>>>>
>>>> For that reason, the gen_random_nsec3_dest probe "_probe.uk.uk." will always
>>>> fail if chosen. A manual dnssec-trigger-control reprobe might be required.
>>>
>>> No, it works to get an NSEC3 response.
>>>
>>>>
>>>> My question is the same as the last time. How were those domains chosen?
>>>
>>> At random.
>> I did not think about how one is selected from that array. I know it is
>> random. My question was more about how well the values inside
>> that array were chosen. It seems to me it might be useful to make them configurable.
>>>
>>>>
>>>> I found it cannot even be registered again:
>>>> https://www.nominet.uk/whois/?query=uk.uk#whois-results
>>>
>>> That is a good reason to have picked it; i.e. no registerable domain to
>>> elicit NXDOMAIN responses.
>> No it is not, unless the code is changed to handle this situation correctly.
>> Yes, it receives NSEC3 there. That is quite good. It is however for an
>> unexpected zone, just uk. That is not handled by dnssec-trigger as
>> valid. I am not sure it should be in this case.
>>>
>>>>
>>>> Have domain owners been asked whether it is ok to use their domains?
>>>
>>> No, but if they wouldn't like it, we would of course pick some other
>>> NXDOMAIN response.
>> I am asking this because there was a similar issue with the kr.com domain,
>> where it removed support for DNSSEC.
>>
>> Why aren't there any nlnetlabs domains? Is that because of anonymity? It
>> seems to me administrators of resolvers can guess I am using
>> dnssec-trigger from such queries. It would make sense to me to use some
>> domains whose owners are aware that dnssec-trigger is using them.
>>>
>>> Best regards, Wouter
>>>
>>>
>>> _______________________________________________
>>> dnssec-trigger mailing list
>>> dnssec-trigger at NLnetLabs.nl
>>> https://open.nlnetlabs.nl/mailman/listinfo/dnssec-trigger
>>>
>>
>

--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com  PGP: 65C6C973
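To make the effect of Wouter's one-line change concrete, here is an added Python example (written for this page, not part of the thread and not dnssec-trigger's own C code) that parses dig-style probe output like the two debug dumps quoted above and applies the rcode gate from the patch with and without NXDOMAIN accepted. The requirement that a signed NSEC3 record follow the gate is my assumption about the rest of the probe, which the thread only shows through its "NSEC3 completed successfully" and "NXDOMAIN in NSEC3" messages; the sample responses are constructed from the dumps with signatures shortened and a third, deliberately broken SERVFAIL answer added. The `parse_dig_text`, `nsec3_probe_ok` and `evaluate_all` names are mine.

```python
"""Added example (not dnssec-trigger's own code): evaluates logged probe
answers the way the riggerd/probe.c check discussed in the thread does,
before and after the fix that also accepts rcode NXDOMAIN."""
import re
from dataclasses import dataclass


@dataclass
class ProbeAnswer:
    rcode: str
    authority_types: list  # RR types seen in the AUTHORITY section, in order


RCODE_RE = re.compile(r"rcode:\s*([A-Z]+)")


def parse_dig_text(text):
    """Pull the rcode and the AUTHORITY-section RR types out of dig-style
    presentation output, which is what dnssec-triggerd logs at debug level.
    Each RR is expected on one line (owner ttl class type rdata...)."""
    m = RCODE_RE.search(text)
    if m is None:
        raise ValueError("no rcode in packet header")
    types = []
    in_authority = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";; AUTHORITY SECTION"):
            in_authority = True
            continue
        if line.startswith(";;"):  # any other section header or comment line
            in_authority = False
            continue
        if in_authority and line:
            fields = line.split()
            if len(fields) >= 4 and fields[2] == "IN":
                types.append(fields[3])
    return ProbeAnswer(m.group(1), types)


def nsec3_probe_ok(ans, accept_nxdomain):
    """Mirror of the 'does DNS work?' gate in the patch, followed by the NSEC3
    requirement of the probe (assumed here: an RRSIG-signed NSEC3 in the
    authority section; the thread shows only the rcode part of that code)."""
    allowed = {"NOERROR", "NXDOMAIN"} if accept_nxdomain else {"NOERROR"}
    if ans.rcode not in allowed:
        return False, "no answer, %s" % ans.rcode
    if "NSEC3" not in ans.authority_types or "RRSIG" not in ans.authority_types:
        return False, "no signed NSEC3 in authority section"
    return True, "NSEC3 completed successfully"


# Constructed samples modelled on the two debug dumps in the thread
# (signatures shortened to "...", record counts reduced accordingly).
NS1_NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 12668
;; flags: qr rd cd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 0
;; QUESTION SECTION:
;; _probe.uk.uk. IN NULL

;; ANSWER SECTION:

;; AUTHORITY SECTION:
uk. 10778 IN SOA dns1.nic.uk. hostmaster.nic.uk. 1403554870 7200 900 2419200 10800
uk. 10778 IN RRSIG SOA 8 1 172800 20180212101015 20180129091015 43056 uk. ...
4ICKPJJH422NL4DM0IM88FT62R1ICF2D.uk. 10778 IN RRSIG NSEC3 8 2 10800 20180211232933 20180128225448 43056 uk. ...
4ICKPJJH422NL4DM0IM88FT62R1ICF2D.uk. 10778 IN NSEC3 1 1 0 - 4ij9nhvbedk84b1ologpt9tgjj8127bm NS DS RRSIG

;; ADDITIONAL SECTION:
"""

NS2_NOERROR = """\
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 2430
;; flags: qr rd cd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 0
;; QUESTION SECTION:
;; _probe.uk.com. IN NULL

;; ANSWER SECTION:

;; AUTHORITY SECTION:
uk.com. 3600 IN SOA ns0.centralnic.net. hostmaster.centralnic.net. 3000449728 900 1800 6048000 3600
uk.com. 3600 IN RRSIG SOA 7 2 3600 20180228193951 20180129080110 8049 uk.com. ...
t03nh0mhqgpsfg2luej9fs5l3lg37ptk.uk.com. 3600 IN RRSIG NSEC3 7 3 3600 20180223084924 20180123220429 8049 uk.com. ...
t03nh0mhqgpsfg2luej9fs5l3lg37ptk.uk.com. 3600 IN NSEC3 1 1 1 - t1g0ocvb4l8vpe39r869hutldjee9cql

;; ADDITIONAL SECTION:
"""

# Constructed: a resolver that really is broken, SERVFAIL with an empty authority section.
BROKEN_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 7
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; _probe.uk.uk. IN NULL

;; AUTHORITY SECTION:
"""


def evaluate_all(accept_nxdomain):
    """Run the three samples through the check; returns {name: (ok, reason)}."""
    samples = {"NS1": NS1_NXDOMAIN, "NS2": NS2_NOERROR, "broken": BROKEN_SERVFAIL}
    return {name: nsec3_probe_ok(parse_dig_text(text), accept_nxdomain)
            for name, text in samples.items()}


if __name__ == "__main__":
    for label, flag in (("before fix", False), ("after fix", True)):
        print(label)
        for name, (ok, reason) in evaluate_all(flag).items():
            print("  probe %s: %s: %s" % (name, "ok" if ok else "failed", reason))
```

Run as a script it prints the NS1 answer failing with "no answer, NXDOMAIN" before the fix and passing after it, while NS2 passes both times and the SERVFAIL answer is rejected both times, which is the behaviour the status output in the thread (one "error no answer, NXDOMAIN", one "OK") illustrates.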