[Dnssec-trigger] uk.uk. failing probes
Petr Menšík
pemensik at redhat.com
Wed Mar 14 12:56:17 UTC 2018
Thanks, that seems to fix the occasional failures. I did not think it
would be such a simple change. Thanks a lot.
On 26.2.2018 at 14:49 W.C.A. Wijngaards wrote:
> Hi Petr,
>
> I fixed it so that it allows type NXDOMAIN for the answer. That should
> make the probes work. The uk.uk. domain changed its answers, but they
> are still NSEC3 answers, so we can continue to use that, but the code
> now allows the rcode NXDOMAIN as well.
>
> Index: riggerd/probe.c
> ===================================================================
> --- riggerd/probe.c (revision 762)
> +++ riggerd/probe.c (working copy)
> @@ -490,7 +490,8 @@
> }
>
> /* does DNS work? */
> - if(ldns_pkt_get_rcode(p) != LDNS_RCODE_NOERROR) {
> + if(ldns_pkt_get_rcode(p) != LDNS_RCODE_NOERROR &&
> + ldns_pkt_get_rcode(p) != LDNS_RCODE_NXDOMAIN) {
> char* r = ldns_pkt_rcode2str(ldns_pkt_get_rcode(p));
> snprintf(reason, sizeof(reason), "no answer, %s",
> r?r:"(out of memory)");
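Review bot: the relaxed condition on the two `+` lines widens the generic "does DNS work?" check for every probe that reaches it, not only the NSEC3 probe whose uk.uk. answer motivated the change, so an NXDOMAIN on any other probe type would no longer be reported here as "no answer, NXDOMAIN"; if this check is shared between probe types, consider restricting the NXDOMAIN allowance to the NSEC3 probe (or verifying that the authority section actually carries the expected NSEC3 denial before accepting), and add a comment beside the condition explaining why NXDOMAIN is acceptable.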
>
> Best regards, Wouter
>
>
> On 31/01/18 13:53, Petr Menšík wrote:
>> Hello Wouter,
>>
>> Sure, that check is there for a negative answer. However, it
>> requires a different negative answer than it gets for uk.uk. It should
>> receive a NOERROR response, but it receives NXDOMAIN. That is received
>> because dig -t NS uk.uk. returns NXDOMAIN as well.
>>
>> This way, I sometimes get results of
>>
>> $ dnssec-trigger-control status
>> cache <NS1>: error no answer, NXDOMAIN
>> cache <NS2>: OK
>> state: cache secure
>>
>> And then only NS2 is used as a secure forwarder. If I had only a single
>> resolver, or had bad luck and it tried uk.uk on both resolvers, it would
>> disable DNSSEC on well-working resolvers.
>>
>> $ unbound-control list_forwards
>> . IN forward <NS2>
>>
>> Because it uses a workaround with a public resolver, it might not be visible
>> right away. In our office, direct DNS requests to the internet are blocked,
>> so such a failure is much more visible.
>>
>> This is somewhat reproducible if you know where to look. It has a 25%
>> probability of showing up.
>>
>> The response it receives on my system is this:
>> 2018-01-29T11:12:35+0100 dnssec-triggerd[1461]: [1461] debug: ;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 12668
>> ;; flags: qr rd cd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 0
>> ;; QUESTION SECTION:
>> ;; _probe.uk.uk. IN NULL
>>
>> ;; ANSWER SECTION:
>>
>> ;; AUTHORITY SECTION:
>> uk. 10778 IN SOA dns1.nic.uk. hostmaster.nic.uk. 1403554870 7200 900 2419200 10800
>> uk. 10778 IN RRSIG SOA 8 1 172800 20180212101015 20180129091015 43056 uk. j4KTNjHJyIFpicmDExTyFslOxTH2ayaOop76x3Y6K4m9CWxbM7J9yK+Mzj1iHRxtKvXxUqArrPxcPmzZaJxhqVgj4mf9b6MOrxbMY4tyCve9USQLW+Fm3JY0fX32Z9VCSH6zJOMG8b5xyUDmQ36/hNv8GFfbwbaydO0KVQD5wNA=
>> 4ICKPJJH422NL4DM0IM88FT62R1ICF2D.uk. 10778 IN RRSIG NSEC3 8 2 10800 20180211232933 20180128225448 43056 uk. j7VNrDP5MEqUmnvGtZ/PQf1iFWANsaQhIR3tJCZO8yJrZ6YmJn16wD27RblZgNcRU1PoCPNeBSiolhw/Ww5wVT3PlSeI97Oa/KP30mYYxr4Wqsjp+o7rDZEUzVY6lWBgKOBWz65JBjcQOi+Jabgyjm4xUjW6nIiUF5ORoCKRo18=
>> 4ICKPJJH422NL4DM0IM88FT62R1ICF2D.uk. 10778 IN NSEC3 1 1 0 - 4ij9nhvbedk84b1ologpt9tgjj8127bm NS DS RRSIG
>> U1FMKLFV3RDCNAMDC64SEKGCDP05BBIU.uk. 10778 IN RRSIG NSEC3 8 2 10800 20180212063306 20180129055822 43056 uk. KPDys4kmQVz2rG0Dk5MlYEi0A1CUREUK+gTqLd4DLDx4Lox0Ia/FY1c28Izr7hFL8GuOkFHoCMYE1IpzcorBQJ/ivQKkFlP5ibuvU70VsOvbpVYc5e3dizdgQZbeaenU0u5mRN4Jlxl9nTQyhuyLfpoJkBGAUYrifytMy++2WVc=
>> U1FMKLFV3RDCNAMDC64SEKGCDP05BBIU.uk. 10778 IN NSEC3 1 1 0 - u1lg7j6jo1nfsu55lon2umgeujo912tu NS SOA RRSIG DNSKEY NSEC3PARAM TYPE65534
>> UJ0TSI3JRONDQNT57QK2BP4O3EEIUVNS.uk. 10778 IN RRSIG NSEC3 8 2 10800 20180212081816 20180129080542 43056 uk. S+CI+50V3P3P0odOqrHFM9UqciqZV14PE5DhcYizFw0zdF0M2vpFUM9inJEUcsrI5H+vlcu0w7/itlf0IWTa3EHKDg/FgKStf5azJSOFGyQ8HI+bZ7r6U694dBut4Lvs3jZOtx77L0yMjZxNBxOQhFS2IQVelQvJQz8ID9ux6eI=
>> UJ0TSI3JRONDQNT57QK2BP4O3EEIUVNS.uk. 10778 IN NSEC3 1 1 0 - ujigh3977hiahq1bj8659m81tf4etiko NS DS RRSIG
>>
>> ;; ADDITIONAL SECTION:
>>
>> ;; Query time: 0 msec
>> ;; EDNS: version 0; flags: do ; udp: 4096
>> ;; WHEN: Thu Jan 1 01:00:00 1970
>> ;; MSG SIZE rcvd: 1017
>> 2018-01-29T11:12:35+0100 dnssec-triggerd[1461]: [1461] debug: close fd 11
>> 2018-01-29T11:12:35+0100 dnssec-triggerd[1461]: [1461] debug: probe NS1: failed: no answer, NXDOMAIN in NSEC3
>>
>>
>> However, NS2 receives a different response:
>> 2018-01-29T11:12:35+0100 dnssec-triggerd[1461]: [1461] debug: ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 2430
>> ;; flags: qr rd cd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 0
>> ;; QUESTION SECTION:
>> ;; _probe.uk.com. IN NULL
>>
>> ;; ANSWER SECTION:
>>
>> ;; AUTHORITY SECTION:
>> uk.com. 3600 IN SOA ns0.centralnic.net. hostmaster.centralnic.net. 3000449728 900 1800 6048000 3600
>> uk.com. 3600 IN RRSIG SOA 7 2 3600 20180228193951 20180129080110 8049 uk.com. LX/kFnpgfi2EZoeu74+kh9HyAaaA8aI9COoAXWFGRSjp1O3SdkjxWQ0aB7gB4B+03Z/ypDc3CGSb0KjPoxmDrgjhdNjtvfdlgqA3GbTFf4F4B4Bvhf9t2Iag5yNDcs1Rz2EiQpPVa5V/UwTR28FJ7tkAUCRyagy4XlZ4htxlKGY=
>> t03nh0mhqgpsfg2luej9fs5l3lg37ptk.uk.com. 3600 IN RRSIG NSEC3 7 3 3600 20180223084924 20180123220429 8049 uk.com. urIQGlPD9o9GQ4wLNbzbgcdNgY6y9isrXpM1yM1yRxA9lPcQpN2Kk0gF0b6VYd/5QBd6UQA0Bt7nobOhpQIkLzDSH1rAkbreUGJWV4qSk/wKi5Ce2JlOBO4M7PDGMjuBS4Og5QWzunI2SmbORM9pVs5qMfzPDRqWvCGG7c0KfZA=
>> t03nh0mhqgpsfg2luej9fs5l3lg37ptk.uk.com. 3600 IN NSEC3 1 1 1 - t1g0ocvb4l8vpe39r869hutldjee9cql
>>
>> ;; ADDITIONAL SECTION:
>>
>> ;; Query time: 0 msec
>> ;; EDNS: version 0; flags: do ; udp: 4096
>> ;; WHEN: Thu Jan 1 01:00:00 1970
>> ;; MSG SIZE rcvd: 510
>> 2018-01-29T11:12:35+0100 dnssec-triggerd[1461]: [1461] debug: close fd 8
>> 2018-01-29T11:12:35+0100 dnssec-triggerd[1461]: [1461] debug: probe NS2: NSEC3 completed successfully
>>
>>
>> On 23.1.2018 at 12:28 W.C.A. Wijngaards wrote:
>>> Hi Petr,
>>>
>>> On 23/01/18 12:17, Petr Menšík wrote:
>>>> Hello,
>>>>
>>>> I just tried the new 0.15 dnssec-trigger. Once again there is a problem with
>>>> a domain chosen to make probes.
>>>>
>>>> $ dig @dns2.nic.uk. +norec +dnssec -t SOA uk.uk.
>>>>
>>>> returns NXDOMAIN.
>>>
>>> Yes, that is why it is there. To get an NSEC3 response.
>>>
>>>>
>>>> For that reason, the gen_random_nsec3_dest probe "_probe.uk.uk." will always
>>>> fail if chosen. A manual dnssec-trigger-control reprobe might be required.
>>>
>>> No, it works to get an NSEC3 response.
>>>
>>>>
>>>> My question is the same as last time. How were those domains chosen?
>>>
>>> At random.
>> I did not mean how one is selected from that array. I know it is
>> random. My question was more about how well the values inside that
>> array were chosen. It seems to me it might be useful to make them configurable.
>>>
>>>>
>>>> I found it cannot even be registered again:
>>>> https://www.nominet.uk/whois/?query=uk.uk#whois-results
>>>
>>> That is a good reason to have picked it; i.e. no registerable domain to
>>> elicit NXDOMAIN responses.
>> No, it is not, unless the code is changed to handle this situation correctly.
>> Yes, it receives NSEC3 there. That is quite good. It is, however, for an
>> unexpected zone, just uk. That is not handled by dnssec-trigger as
>> valid. I am not sure it should be in this case.
>>>
>>>>
>>>> Have the domain owners been asked whether it is ok to use their domains?
>>>
>>> No, but if they wouldn't like it, we would of course pick some other
>>> NXDOMAIN response.
>> I am asking this because there was a similar issue with the kr.com domain,
>> where it removed support for DNSSEC.
>>
>> Why aren't there any nlnetlabs domains? Is that because of anonymity? It
>> seems to me that administrators of resolvers can guess I am using
>> dnssec-trigger from such queries. It would make sense to me to use some
>> domains whose owners are aware that dnssec-trigger is using them.
>>>
>>> Best regards, Wouter
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> dnssec-trigger mailing list
>>> dnssec-trigger at NLnetLabs.nl
>>> https://open.nlnetlabs.nl/mailman/listinfo/dnssec-trigger
>>>
>>
>>
>>
>>
>
>
>
>
>
--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com PGP: 65C6C973
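A small model of the probe decision argued about in this thread, added here as an example and not dnssec-trigger's own code: it parses the dig-style debug output quoted above (constructed, abbreviated copies with the RRSIG records omitted) into an rcode and authority records, applies the "does DNS work?" check as it reads before and after Wouter's patch, and reports which zone produced the denial (uk. for _probe.uk.uk., uk.com. for _probe.uk.com.). The requirement that an NSEC3 record be present is my reading of what the NSEC3 probe expects, not a quote of the real check.

```python
import re

# Constructed, abbreviated copies of the two probe answers quoted in the
# thread (RRSIG records omitted); not dnssec-trigger's own output.
NS1_RESPONSE = """\
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 12668
;; flags: qr rd cd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
;; _probe.uk.uk. IN NULL
;; AUTHORITY SECTION:
uk. 10778 IN SOA dns1.nic.uk. hostmaster.nic.uk. 1403554870 7200 900 2419200 10800
4ICKPJJH422NL4DM0IM88FT62R1ICF2D.uk. 10778 IN NSEC3 1 1 0 - 4ij9nhvbedk84b1ologpt9tgjj8127bm NS DS RRSIG
;; ADDITIONAL SECTION:
"""
NS2_RESPONSE = """\
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 2430
;; flags: qr rd cd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
;; _probe.uk.com. IN NULL
;; AUTHORITY SECTION:
uk.com. 3600 IN SOA ns0.centralnic.net. hostmaster.centralnic.net. 3000449728 900 1800 6048000 3600
t03nh0mhqgpsfg2luej9fs5l3lg37ptk.uk.com. 3600 IN NSEC3 1 1 1 - t1g0ocvb4l8vpe39r869hutldjee9cql
;; ADDITIONAL SECTION:
"""

def parse_response(text):
    """Return (rcode, [(owner, rrtype), ...]) for the AUTHORITY section only."""
    rcode = re.search(r"rcode: (\w+)", text).group(1)
    records, in_auth = [], False
    for line in text.splitlines():
        if line.startswith(";;"):                      # header / section marker
            in_auth = line.startswith(";; AUTHORITY SECTION")
        elif in_auth and line.strip():                 # owner ttl class type rdata...
            owner, _ttl, _cls, rrtype = line.split()[:4]
            records.append((owner, rrtype))
    return rcode, records

def denying_zone(records):
    """The SOA owner in the authority section is the zone that denied the name."""
    return next(owner for owner, rrtype in records if rrtype == "SOA")

def probe_result(rcode, records, allow_nxdomain):
    """'does DNS work?' check (old: NOERROR only; patched: NXDOMAIN too), then NSEC3."""
    accepted = {"NOERROR", "NXDOMAIN"} if allow_nxdomain else {"NOERROR"}
    if rcode not in accepted:
        return "failed: no answer, %s" % rcode
    if not any(rrtype == "NSEC3" for _, rrtype in records):
        return "failed: no NSEC3 in answer"
    return "NSEC3 completed successfully"
```

Running `probe_result` on the NS1 answer with `allow_nxdomain=False` reproduces the "no answer, NXDOMAIN" failure from the log, while `allow_nxdomain=True` accepts it because the NSEC3 denial is present.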