Very strange DNSSEC validation failure affecting Unbound
max at nummer378.de
Thu Jul 20 12:52:20 UTC 2023
Ah, I have found the issue. For reference, the following online tool
could also reproduce the failure:
https://unboundtest.com/m/A/local.magisystems.de/GOYTJ2DN
Their config is public: https://unboundtest.com/conf
I compared their config and mine and realized that at least two of the
affected Unbound installs had a protection against DNS rebind attacks
enabled:
private-address: 172.26.0.0/12 (+ other RFC1918 addresses)
The FQDN in question resolves to such a private IP address. If you do
not set an exception in Unbound, the rebind protection drops the
responses. This causes the SERVFAIL.
The error messages could be improved here (perhaps a more descriptive
EDE for this case), but now I know how to solve this (allow-list the
FQDN in question).
Many thanks,
Max
On 20.07.2023 at 14:04, Havard Eidnes wrote:
>> I've exhausted most of my options at this point, so I'm now asking
>> here. I've encountered one of the strangest DNSSEC issues I've ever
>> seen.
>>
>> Let's get straight to the point. One of the two affected FQDNs is:
>>
>> home.local.magisystems.de
>>
>> the other one is
>>
>> koenigsberg.local.magisystems.de
>>
>> If you try to resolve that using Unbound, with the validator module
>> enabled & trust anchors configured, you will get a SERVFAIL from
>> Unbound. If you also have EDE enabled, you will see:
>>
>> EDE: 10 (RRSIGs Missing): (validation failure
>> <home.local.magisystems.de. A IN>: no signatures from <...>)
>>
>> However, if you ask one of the nameservers directly, you will see that
>> the FQDN in question does have a proper RRSig:
> I'm unable to reproduce this with unbound 1.17.1:
>
> $ dig @dns-resolver2.uninett.no. koenigsberg.local.magisystems.de. a
>
> ; <<>> DiG 9.16.33 <<>> @dns-resolver2.uninett.no. koenigsberg.local.magisystems.de. a
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58965
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ;; QUESTION SECTION:
> ;koenigsberg.local.magisystems.de. IN A
>
> ;; ANSWER SECTION:
> koenigsberg.local.magisystems.de. 3593 IN A 172.30.1.22
>
> ;; Query time: 0 msec
> ;; SERVER: 2001:700:0:ff00::2#53(2001:700:0:ff00::2)
> ;; WHEN: Thu Jul 20 13:59:05 CEST 2023
> ;; MSG SIZE rcvd: 77
>
> $ dig @dns-resolver2.uninett.no. home.local.magisystems.de. a
> ; <<>> DiG 9.16.33 <<>> @dns-resolver2.uninett.no. home.local.magisystems.de. a
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25342
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ;; QUESTION SECTION:
> ;home.local.magisystems.de. IN A
>
> ;; ANSWER SECTION:
> home.local.magisystems.de. 3600 IN A 172.22.22.27
>
> ;; Query time: 43 msec
> ;; SERVER: 2001:700:0:ff00::2#53(2001:700:0:ff00::2)
> ;; WHEN: Thu Jul 20 13:59:24 CEST 2023
> ;; MSG SIZE rcvd: 70
>
> $
>
> $ dig @dns-resolver2.uninett.no. version.bind. chaos txt
>
> ; <<>> DiG 9.16.33 <<>> @dns-resolver2.uninett.no. version.bind. chaos txt
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31450
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ;; QUESTION SECTION:
> ;version.bind. CH TXT
>
> ;; ANSWER SECTION:
> version.bind. 0 CH TXT "unbound 1.17.1"
>
> ;; Query time: 0 msec
> ;; SERVER: 2001:700:0:ff00::2#53(2001:700:0:ff00::2)
> ;; WHEN: Thu Jul 20 14:01:54 CEST 2023
> ;; MSG SIZE rcvd: 68
>
> $
>
> Also, I fed both domain names to https://dnsviz.net/, and they
> both get a clean bill of health.
>
> (...and they also resolve OK using BIND 9.18.17.)
>
> Regards,
>
> - Håvard
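To make the failure mode Max describes concrete, below is an added Python model (not Unbound's own code) of how `private-address` scrubbing strips RFC1918 answers unless the queried name falls under a `private-domain` entry. The two A records are the ones quoted in the thread; the config fragments and the example.com entry are constructed.

```python
"""Simplified model of Unbound's rebind protection (added illustration, not Unbound code)."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed unbound.conf fragment: RFC1918 ranges blocked, no exception yet.
CONF_BEFORE = """
server:
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
"""
# Same fragment plus the fix from the thread: allow-list the zone whose
# names legitimately point at private addresses.
CONF_AFTER = CONF_BEFORE + "    private-domain: local.magisystems.de\n"

# A records quoted in the thread, plus one constructed public name for contrast.
ANSWERS = {
    "home.local.magisystems.de.": ["172.22.22.27"],
    "koenigsberg.local.magisystems.de.": ["172.30.1.22"],
    "example.com.": ["203.0.113.10"],
}

def parse_conf(text: str) -> Tuple[list, List[str]]:
    """Collect private-address networks and private-domain names from the config."""
    nets, domains = [], []
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if key == "private-address":
            nets.append(ipaddress.ip_network(value, strict=False))
        elif key == "private-domain":
            domains.append(value.rstrip(".").lower())
    return nets, domains

def in_private_domain(qname: str, domains: List[str]) -> bool:
    """True if qname equals, or is a subdomain of, a private-domain entry."""
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in domains)

def filter_answer(qname: str, addrs: List[str], nets: list, domains: List[str]) -> List[str]:
    """A records that survive scrubbing for this qname."""
    if in_private_domain(qname, domains):
        return list(addrs)  # exception: private addresses are allowed under this zone
    return [a for a in addrs if not any(ipaddress.ip_address(a) in n for n in nets)]

def resolve_outcome(conf: str) -> Dict[str, str]:
    """NOERROR if any record survives scrubbing, else SERVFAIL (what the thread saw)."""
    nets, domains = parse_conf(conf)
    return {q: "NOERROR" if filter_answer(q, a, nets, domains) else "SERVFAIL"
            for q, a in ANSWERS.items()}
```

Running `resolve_outcome(CONF_BEFORE)` reproduces the SERVFAIL for both magisystems names while example.com still resolves; `resolve_outcome(CONF_AFTER)` shows the `private-domain` exception restoring them.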