Some sites not resolving (DNSSEC?)
Petr Špaček
petr.spacek at nic.cz
Wed May 23 16:09:14 UTC 2018
On 23.5.2018 15:58, Petr Špaček via Unbound-users wrote:
> On 23.5.2018 15:46, W.C.A. Wijngaards via Unbound-users wrote:
>> Hi Hank,
>>
>> On 23/05/18 15:23, Hank Barta via Unbound-users wrote:
>>> Hi all,
>>> I use pfsense for my firewall and have selected the unbound resolver for
>>> DNS on my home LAN. I have configured this to use Cloudflare DNS with
>>> DNSSEC enabled. In addition to checking the "Enable DNSSEC Support"
>>> checkbox on the DNS Resolver configuration page I have added the custom
>>> options
>>
>> The 1.1.1.1 server responds without DNSSEC for coder.show DS queries.
>> And for an insecure referral it needs DS denial information for type DS,
>> eg. the NSEC or NSEC3 from the .show TLD.
>>
>> Without the forward to 1.1.1.1 it works fine for me. So it doesn't seem
>> to be the .show TLD or coder.show site, but the 1.1.1.1 unsigned CNAME
>> for qtype DS.
>>
>> A workaround is domain-insecure: "coder.show" in unbound.conf
>
> This is most likely a bug in Knot Resolver and we are working on a fix:
> https://gitlab.labs.nic.cz/knot/knot-resolver/issues/359
For the record:
We found out that the domain coder.show is misconfigured in a way that
breaks even 30-year-old DNS standards.
See this:
$ dig +dnssec @ns2.hover.com. coder.show DS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50641
;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0
;; QUESTION SECTION:
;coder.show. IN DS
;; ANSWER SECTION:
coder.show. 900 IN CNAME hosted.fireside.fm.
$ dig +dnssec @ns2.hover.com. coder.show NS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24968
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
;; QUESTION SECTION:
;coder.show. IN NS
;; ANSWER SECTION:
coder.show. 900 IN NS ns2.hover.com.
coder.show. 900 IN NS ns1.hover.com.
I.e. this domain has a CNAME at the apex, which is a violation of the DNS
standards, namely
https://tools.ietf.org/html/rfc1034#section-3.6.2
Please contact the domain owner and ask for a fix. (It seems that all the
domains mentioned in the ticket have the same issue.)
It might work elsewhere but this is not guaranteed (i.e. works
accidentally).
Thank you for understanding.
--
Petr Špaček @ CZ.NIC
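Added example (not from the thread or from any of the projects mentioned): a small Python check that applies the RFC 1034 section 3.6.2 rule to RRs in the format dig prints, using a sample constructed from the two answers quoted above, and that shows why a CNAME answer to a DS query leaves a validator with nothing to build the chain of trust from. The function names and the sample data are my own.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the dig output quoted in the thread:
# the same owner name answers a DS query with a CNAME and an NS query with NS records.
DIG_ANSWERS = """
coder.show. 900 IN CNAME hosted.fireside.fm.
coder.show. 900 IN NS ns2.hover.com.
coder.show. 900 IN NS ns1.hover.com.
"""

RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S.*)$")


def parse_rrs(text):
    """Parse 'owner ttl IN type rdata' lines into {owner: {type: [rdata, ...]}}."""
    rrs = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if m:
            owner, _ttl, rtype, rdata = m.groups()
            rrs[owner.lower()][rtype.upper()].append(rdata)
    return rrs


def cname_violations(rrs):
    """RFC 1034 s3.6.2: a name that owns a CNAME may own no other data.
    DNSSEC's own RRSIG/NSEC/NSEC3 at the CNAME owner are the standard exception.
    Returns (owner, offending_types, at_zone_apex) per violation."""
    allowed_with_cname = {"CNAME", "RRSIG", "NSEC", "NSEC3"}
    violations = []
    for owner, by_type in rrs.items():
        if "CNAME" not in by_type:
            continue
        others = sorted(set(by_type) - allowed_with_cname)
        if others:
            # NS or SOA alongside the CNAME means the CNAME sits at a zone apex.
            at_apex = "NS" in by_type or "SOA" in by_type
            violations.append((owner, others, at_apex))
    return violations


def ds_response_is_usable(qname, rrs):
    """A validator crossing a delegation needs either a DS RRset for qname or an
    authenticated denial of it (NSEC/NSEC3). A CNAME is neither, so the chain of
    trust cannot be built and the zone below cannot be proven secure or insecure."""
    types = set(rrs.get(qname.lower(), {}))
    return bool(types & {"DS", "NSEC", "NSEC3"})
```

Running `cname_violations(parse_rrs(DIG_ANSWERS))` flags coder.show. as an apex CNAME coexisting with NS, and `ds_response_is_usable` on the CNAME-only DS answer returns False.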