[Dnssec-trigger] uk.uk. failing probes

Petr Menšík pemensik at redhat.com
Wed Mar 14 12:56:17 UTC 2018


Thanks, that fixes the occasional failures, it seems. I did not think it
would be such a simple change. Thanks a lot.

Dne 26.2.2018 v 14:49 W.C.A. Wijngaards napsal(a):
> Hi Petr,
> 
> I fixed it so that it allows type NXDOMAIN for the answer.  That should
> make the probes work.  The uk.uk. domain changed its answers, but they
> are still NSEC3 answers, so we can continue to use that, but the code
> now allows the rcode NXDOMAIN as well.
> 
> Index: riggerd/probe.c
> ===================================================================
> --- riggerd/probe.c	(revision 762)
> +++ riggerd/probe.c	(working copy)
> @@ -490,7 +490,8 @@
>  	}
> 
>  	/* does DNS work? */
> -	if(ldns_pkt_get_rcode(p) != LDNS_RCODE_NOERROR) {
> +	if(ldns_pkt_get_rcode(p) != LDNS_RCODE_NOERROR &&
> +		ldns_pkt_get_rcode(p) != LDNS_RCODE_NXDOMAIN) {
>  		char* r = ldns_pkt_rcode2str(ldns_pkt_get_rcode(p));
>  		snprintf(reason, sizeof(reason), "no answer, %s",
>  			r?r:"(out of memory)");
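Review bot: the widened condition carries no comment saying why NXDOMAIN is now acceptable at the "does DNS work?" gate; the reason is only in the surrounding mail (the probe name _probe.uk.uk. sits under a name that does not exist, so the signed denial arrives as NXDOMAIN rather than NOERROR/NODATA), and a one-line comment above the `if` would save the next reader from re-deriving it. It is also worth stating near this check that the NSEC3 validation further down still has to accept or reject the denial, because this hunk on its own lets every NXDOMAIN answer past the rcode test, not just the ones for the probe names that are known to produce it.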
> 
> Best regards, Wouter
> 
> 
> On 31/01/18 13:53, Petr Menšík wrote:
>> Hello Wouter,
>>
>> sure, that check is there for a negative answer. However, it requires
>> a different negative answer than it gets for uk.uk. It should receive a
>> NOERROR response, but it receives NXDOMAIN. That is received because
>> dig -t NS uk.uk. returns NXDOMAIN as well.
>>
>> This way, I sometimes get results of
>>
>> $ dnssec-trigger-control status
>> cache <NS1>: error no answer, NXDOMAIN
>> cache <NS2>: OK
>> state: cache secure
>>
>> And then only NS2 is used as a secure forwarder. If I had only a single
>> resolver, or had bad luck and it tried uk.uk on both resolvers, it would
>> disable DNSSEC on well-working resolvers.
>>
>> $ unbound-control list_forwards
>> . IN forward <NS2>
>>
>> Because it uses a workaround with a public resolver, it might not be
>> visible right away. In our office, direct DNS requests to the internet
>> are blocked, so such a failure is much more visible.
>>
>> This is somewhat reproducible if you know where to look. It has a 25%
>> probability of showing up.
>>
>> The response it receives on my system is this:
>> 2018-01-29T11:12:35+0100 dnssec-triggerd[1461]: [1461] debug: ;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 12668
>> ;; flags: qr rd cd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 0
>> ;; QUESTION SECTION:
>> ;; _probe.uk.uk.    IN    NULL
>>
>> ;; ANSWER SECTION:
>>
>> ;; AUTHORITY SECTION:
>> uk.    10778    IN    SOA    dns1.nic.uk. hostmaster.nic.uk. 1403554870 7200 900 2419200 10800
>> uk.    10778    IN    RRSIG    SOA 8 1 172800 20180212101015 20180129091015 43056 uk. j4KTNjHJyIFpicmDExTyFslOxTH2ayaOop76x3Y6K4m9CWxbM7J9yK+Mzj1iHRxtKvXxUqArrPxcPmzZaJxhqVgj4mf9b6MOrxbMY4tyCve9USQLW+Fm3JY0fX32Z9VCSH6zJOMG8b5xyUDmQ36/hNv8GFfbwbaydO0KVQD5wNA=
>> 4ICKPJJH422NL4DM0IM88FT62R1ICF2D.uk.    10778    IN    RRSIG    NSEC3 8 2 10800 20180211232933 20180128225448 43056 uk. j7VNrDP5MEqUmnvGtZ/PQf1iFWANsaQhIR3tJCZO8yJrZ6YmJn16wD27RblZgNcRU1PoCPNeBSiolhw/Ww5wVT3PlSeI97Oa/KP30mYYxr4Wqsjp+o7rDZEUzVY6lWBgKOBWz65JBjcQOi+Jabgyjm4xUjW6nIiUF5ORoCKRo18=
>> 4ICKPJJH422NL4DM0IM88FT62R1ICF2D.uk.    10778    IN    NSEC3    1 1 0 - 4ij9nhvbedk84b1ologpt9tgjj8127bm NS DS RRSIG
>> U1FMKLFV3RDCNAMDC64SEKGCDP05BBIU.uk.    10778    IN    RRSIG    NSEC3 8 2 10800 20180212063306 20180129055822 43056 uk. KPDys4kmQVz2rG0Dk5MlYEi0A1CUREUK+gTqLd4DLDx4Lox0Ia/FY1c28Izr7hFL8GuOkFHoCMYE1IpzcorBQJ/ivQKkFlP5ibuvU70VsOvbpVYc5e3dizdgQZbeaenU0u5mRN4Jlxl9nTQyhuyLfpoJkBGAUYrifytMy++2WVc=
>> U1FMKLFV3RDCNAMDC64SEKGCDP05BBIU.uk.    10778    IN    NSEC3    1 1 0 - u1lg7j6jo1nfsu55lon2umgeujo912tu NS SOA RRSIG DNSKEY NSEC3PARAM TYPE65534
>> UJ0TSI3JRONDQNT57QK2BP4O3EEIUVNS.uk.    10778    IN    RRSIG    NSEC3 8 2 10800 20180212081816 20180129080542 43056 uk. S+CI+50V3P3P0odOqrHFM9UqciqZV14PE5DhcYizFw0zdF0M2vpFUM9inJEUcsrI5H+vlcu0w7/itlf0IWTa3EHKDg/FgKStf5azJSOFGyQ8HI+bZ7r6U694dBut4Lvs3jZOtx77L0yMjZxNBxOQhFS2IQVelQvJQz8ID9ux6eI=
>> UJ0TSI3JRONDQNT57QK2BP4O3EEIUVNS.uk.    10778    IN    NSEC3    1 1 0 - ujigh3977hiahq1bj8659m81tf4etiko NS DS RRSIG
>>
>> ;; ADDITIONAL SECTION:
>>
>> ;; Query time: 0 msec
>> ;; EDNS: version 0; flags: do ; udp: 4096
>> ;; WHEN: Thu Jan  1 01:00:00 1970
>> ;; MSG SIZE  rcvd: 1017
>> 2018-01-29T11:12:35+0100 dnssec-triggerd[1461]: [1461] debug: close fd 11
>> 2018-01-29T11:12:35+0100 dnssec-triggerd[1461]: [1461] debug: probe NS1: failed: no answer, NXDOMAIN in NSEC3
>>
>>
>> However NS2 receives different response:
>> 2018-01-29T11:12:35+0100 dnssec-triggerd[1461]: [1461] debug: ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 2430
>> ;; flags: qr rd cd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 0
>> ;; QUESTION SECTION:
>> ;; _probe.uk.com.    IN    NULL
>>
>> ;; ANSWER SECTION:
>>
>> ;; AUTHORITY SECTION:
>> uk.com.    3600    IN    SOA    ns0.centralnic.net. hostmaster.centralnic.net. 3000449728 900 1800 6048000 3600
>> uk.com.    3600    IN    RRSIG    SOA 7 2 3600 20180228193951 20180129080110 8049 uk.com. LX/kFnpgfi2EZoeu74+kh9HyAaaA8aI9COoAXWFGRSjp1O3SdkjxWQ0aB7gB4B+03Z/ypDc3CGSb0KjPoxmDrgjhdNjtvfdlgqA3GbTFf4F4B4Bvhf9t2Iag5yNDcs1Rz2EiQpPVa5V/UwTR28FJ7tkAUCRyagy4XlZ4htxlKGY=
>> t03nh0mhqgpsfg2luej9fs5l3lg37ptk.uk.com.    3600    IN    RRSIG    NSEC3 7 3 3600 20180223084924 20180123220429 8049 uk.com. urIQGlPD9o9GQ4wLNbzbgcdNgY6y9isrXpM1yM1yRxA9lPcQpN2Kk0gF0b6VYd/5QBd6UQA0Bt7nobOhpQIkLzDSH1rAkbreUGJWV4qSk/wKi5Ce2JlOBO4M7PDGMjuBS4Og5QWzunI2SmbORM9pVs5qMfzPDRqWvCGG7c0KfZA=
>> t03nh0mhqgpsfg2luej9fs5l3lg37ptk.uk.com.    3600    IN    NSEC3    1 1 1 - t1g0ocvb4l8vpe39r869hutldjee9cql
>>
>> ;; ADDITIONAL SECTION:
>>
>> ;; Query time: 0 msec
>> ;; EDNS: version 0; flags: do ; udp: 4096
>> ;; WHEN: Thu Jan  1 01:00:00 1970
>> ;; MSG SIZE  rcvd: 510
>> 2018-01-29T11:12:35+0100 dnssec-triggerd[1461]: [1461] debug: close fd 8
>> 2018-01-29T11:12:35+0100 dnssec-triggerd[1461]: [1461] debug: probe NS2: NSEC3 completed successfully
>>
>>
>> Dne 23.1.2018 v 12:28 W.C.A. Wijngaards napsal(a):
>>> Hi Petr,
>>>
>>> On 23/01/18 12:17, Petr Menšík wrote:
>>>> Hello,
>>>>
>>>> I just tried the new 0.15 dnssec-trigger. Once again there is a problem
>>>> with a domain chosen to make probes.
>>>>
>>>> $ dig @dns2.nic.uk. +norec +dnssec -t SOA uk.uk.
>>>>
>>>> returns NXDOMAIN.
>>>
>>> Yes, that is why it is there.  To get an NSEC3 response.
>>>
>>>>
>>>> For that reason, the gen_random_nsec3_dest probe "_probe.uk.uk." will
>>>> always fail if chosen. A manual dnssec-trigger-control reprobe might be
>>>> required.
>>>
>>> No, it works to get an NSEC3 response.
>>>
>>>>
>>>> My question is the same as last time. How were those domains chosen?
>>>
>>> At random.
>> I was not asking how one is selected from that array. I know it is
>> random. My question was more about how well the values inside that
>> array were chosen. It seems to me it might be useful to make them
>> configurable.
>>>
>>>>
>>>> I found it cannot even be registered again:
>>>> https://www.nominet.uk/whois/?query=uk.uk#whois-results
>>>
>>> That is a good reason to have picked it; i.e. no registerable domain to
>>> elicit NXDOMAIN responses.
>> No, it is not, unless the code is changed to handle this situation
>> correctly. Yes, it receives NSEC3 there. That is quite good. It is,
>> however, for an unexpected zone, just uk. That is not handled by
>> dnssec-trigger as valid. I am not sure it should be in this case.
>>>
>>>>
>>>> Have the domain owners been asked whether it is ok to use their domains?
>>>
>>> No, but if they wouldn't like it, we would of course pick some other
>>> NXDOMAIN response.
>> I am asking this because there was a similar issue with the kr.com
>> domain, where it removed support for DNSSEC.
>>
>> Why aren't there any nlnetlabs domains? Is that because of anonymity? It
>> seems to me administrators of resolvers can guess I am using
>> dnssec-trigger from such queries. It would make sense to me to use some
>> domains whose owners are aware that dnssec-trigger is using them.
>>>
>>> Best regards, Wouter
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> dnssec-trigger mailing list
>>> dnssec-trigger at NLnetLabs.nl
>>> https://open.nlnetlabs.nl/mailman/listinfo/dnssec-trigger
>>>
>>
>>
>>
>>
> 
> 
> 
> 
> 

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com  PGP: 65C6C973
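As an added example, not code from dnssec-trigger or from either poster: a Python re-implementation of the rcode gate from the probe.c hunk quoted above, applied to dig-style text like the debug logs in this thread, so the unpatched and patched behaviour can be compared on the same answers. The dig text is constructed from the two responses quoted earlier, shortened and with signature data replaced by a `<sig>` placeholder; the function and variable names are mine, and ldns is not used.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Regexes for the dig-style text that dnssec-triggerd logs at debug level.
RCODE_RE = re.compile(r"rcode:\s*([A-Z]+)")
SECTION_RE = re.compile(r"^;;\s*([A-Z]+) SECTION:")
QUESTION_RE = re.compile(r"^;;\s*(\S+)\s+IN\s+(\S+)")
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s*(.*)$")


@dataclass
class ProbeAnswer:
    rcode: str = ""
    qname: str = ""
    # (owner, rrtype, rdata) of each AUTHORITY record
    authority: List[Tuple[str, str, str]] = field(default_factory=list)


def parse_dig_text(text: str) -> ProbeAnswer:
    """Pull rcode, question name and AUTHORITY records out of dig-style output."""
    ans = ProbeAnswer()
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "->>HEADER<<-" in line:
            m = RCODE_RE.search(line)
            ans.rcode = m.group(1) if m else ""
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "QUESTION":
            m = QUESTION_RE.match(line)
            if m:
                ans.qname = m.group(1)
        elif section == "AUTHORITY" and not line.startswith(";"):
            m = RR_RE.match(line)
            if m:
                ans.authority.append((m.group(1), m.group(2), m.group(3)))
    return ans


def probe_result(ans: ProbeAnswer, accept_nxdomain: bool) -> Tuple[bool, str]:
    """Mirror the 'does DNS work?' gate from probe.c: before the patch only
    NOERROR passed, after it NXDOMAIN passes too. A passing answer must then
    carry a signed NSEC3 denial in the authority section."""
    allowed = {"NOERROR", "NXDOMAIN"} if accept_nxdomain else {"NOERROR"}
    if ans.rcode not in allowed:
        return False, "no answer, %s" % ans.rcode
    types = {rtype for _, rtype, _ in ans.authority}
    if "NSEC3" not in types:
        return False, "no NSEC3 in authority section"
    if "RRSIG" not in types:
        return False, "NSEC3 records are not signed"
    return True, "NSEC3 completed successfully"


def answering_zone(ans: ProbeAnswer) -> str:
    """Owner of the SOA in the authority section, i.e. the zone that produced
    the denial: uk. for _probe.uk.uk., the 'unexpected zone' of the thread."""
    for owner, rtype, _ in ans.authority:
        if rtype == "SOA":
            return owner
    return ""


def classify(text: str, accept_nxdomain: bool = True) -> Tuple[bool, str, str]:
    ans = parse_dig_text(text)
    ok, reason = probe_result(ans, accept_nxdomain)
    return ok, reason, answering_zone(ans)


# Constructed samples, shortened from the two responses quoted in the thread;
# signature data is replaced by the placeholder <sig>.
NXDOMAIN_UK_UK = """
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 12668
;; flags: qr rd cd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 0
;; QUESTION SECTION:
;; _probe.uk.uk. IN NULL
;; AUTHORITY SECTION:
uk. 10778 IN SOA dns1.nic.uk. hostmaster.nic.uk. 1403554870 7200 900 2419200 10800
uk. 10778 IN RRSIG SOA 8 1 172800 20180212101015 20180129091015 43056 uk. <sig>
4ICKPJJH422NL4DM0IM88FT62R1ICF2D.uk. 10778 IN RRSIG NSEC3 8 2 10800 20180211232933 20180128225448 43056 uk. <sig>
4ICKPJJH422NL4DM0IM88FT62R1ICF2D.uk. 10778 IN NSEC3 1 1 0 - 4ij9nhvbedk84b1ologpt9tgjj8127bm NS DS RRSIG
"""
NOERROR_UK_COM = """
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 2430
;; QUESTION SECTION:
;; _probe.uk.com. IN NULL
;; AUTHORITY SECTION:
uk.com. 3600 IN SOA ns0.centralnic.net. hostmaster.centralnic.net. 3000449728 900 1800 6048000 3600
uk.com. 3600 IN RRSIG SOA 7 2 3600 20180228193951 20180129080110 8049 uk.com. <sig>
t03nh0mhqgpsfg2luej9fs5l3lg37ptk.uk.com. 3600 IN RRSIG NSEC3 7 3 3600 20180223084924 20180123220429 8049 uk.com. <sig>
t03nh0mhqgpsfg2luej9fs5l3lg37ptk.uk.com. 3600 IN NSEC3 1 1 1 - t1g0ocvb4l8vpe39r869hutldjee9cql
"""
# Constructed: a resolver that refuses the query, which must fail either way.
REFUSED = """
;; ->>HEADER<<- opcode: QUERY, rcode: REFUSED, id: 4242
;; QUESTION SECTION:
;; _probe.uk.uk. IN NULL
"""

if __name__ == "__main__":
    samples = (("NS1/uk.uk", NXDOMAIN_UK_UK), ("NS2/uk.com", NOERROR_UK_COM), ("refused", REFUSED))
    for name, text in samples:
        for patched in (False, True):
            print(name, "patched" if patched else "unpatched", classify(text, patched))
```

Run with the unpatched gate, the uk.uk answer is reported as "no answer, NXDOMAIN" even though the authority section holds a signed NSEC3 denial from uk.; with the patched gate it passes, while a REFUSED answer is rejected either way. The answering-zone field makes the point from the thread visible: the denial for _probe.uk.uk. is produced by uk., not by a uk.uk. zone.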


