unwind reports no signature or no DNSSEC


unwind reports no signature or no DNSSEC

Solene Rapenne
I re-enabled unwind today (I was using append instead of prepend in
dhclient.conf) and I got a few issues resolving domains, often the first
time; if I try again I get a result. I'm pretty sure it's not a bug, but
I have no idea what's happening here, so maybe log output or
documentation could be enhanced.


From /var/log/messages (192.168.1.254 is the DNS server from my DHCP)

Feb  3 17:55:44 solene unwind[18044]: validation failure <ocsp.int-x3.letsencrypt.org. A IN>: no signatures from 192.168.1.254 for key org. while building chain of trust
Feb  3 18:05:10 solene unwind[18044]: validation failure <google.fr. A IN>: no DNSSEC records from 192.168.1.254 for DS google.fr. while building chain of trust
Feb  3 18:05:18 solene unwind[18044]: validation failure <google.it. A IN>: no signatures from 192.168.1.254 for DS it. while building chain of trust


doing a dig on a domain and failing

solene@computer ~ $ dig google.it

; <<>> dig 9.10.8-P1 <<>> google.it
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12190
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.it.                     IN      A

;; Query time: 181 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Feb 03 18:05:18 CET 2020
;; MSG SIZE  rcvd: 38


solene@computer ~ $ unwindctl status
1. recursor        validating, 150ms   3. stub             resolving,  30ms
2. dhcp            validating, 150ms   4. oDoT-dhcp             dead,   N/A

                      histograms: lifetime[ms], decaying[ms]
         <10   <20   <40   <60   <80  <100  <200  <400  <600  <800 <1000     >
  rec    601     0    58    25    42    37    96   106    19    14    11    28
          11     0     1     1     1     1     5     4     0     0     0     2
 dhcp    356     0    60    39     3     2    42    32     8     2     1     0
          10     0     2     2     0     0     3     1     0     0     0     0
 stub      2     0   129    13     2     0    14     9     2     1     0     0
           0     0     1     0     0     0     0     0     0     0     0     0
dhcp*      0     0     0     0     0     0     0     0     0     0     0     0
           0     0     0     0     0     0     0     0     0     0     0     0


I can't tell from logs and status if I'm doing recursive or dhcp
forwarder requests.




dmesg

OpenBSD 6.6-current (GENERIC.MP) #23: Thu Jan 30 19:25:54 CET 2020
    [hidden email]:/sys/arch/amd64/compile/GENERIC.MP
real mem = 8323534848 (7937MB)
avail mem = 8058777600 (7685MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.0 @ 0xaf07e000 (63 entries)
bios0: vendor LENOVO version "N24ET51W (1.26 )" date 08/30/2019
bios0: LENOVO 20L5CTO1WW
acpi0 at bios0: ACPI 5.0
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP SSDT SSDT TPM2 UEFI SSDT SSDT HPET APIC MCFG ECDT SSDT SSDT SSDT BOOT BATB SLIC SSDT SSDT SSDT LPIT WSMT SSDT SSDT SSDT DBGP DBG2 MSDM DMAR ASF! FPDT UEFI BGRT
acpi0: wakeup devices GLAN(S4) XHC_(S3) XDCI(S4) HDAS(S4) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP03(S4) PXSX(S4) RP04(S4) PXSX(S4) RP05(S4) PXSX(S4) RP06(S4) PXSX(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 23999999 Hz
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz, 1696.83 MHz, 06-8e-0a
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SGX,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,MD_CLEAR,TSXFA,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 24MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4.1.1.1, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz, 1696.06 MHz, 06-8e-0a
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SGX,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,MD_CLEAR,TSXFA,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz, 1696.06 MHz, 06-8e-0a
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SGX,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,MD_CLEAR,TSXFA,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz, 1696.06 MHz, 06-8e-0a
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SGX,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,MD_CLEAR,TSXFA,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 0, core 3, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec00000, version 20, 120 pins
acpimcfg0 at acpi0
acpimcfg0: addr 0xf8000000, bus 0-63
acpiec0 at acpi0
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (RP01)
acpiprt2 at acpi0: bus -1 (RP02)
acpiprt3 at acpi0: bus -1 (RP03)
acpiprt4 at acpi0: bus -1 (RP04)
acpiprt5 at acpi0: bus -1 (RP05)
acpiprt6 at acpi0: bus -1 (RP06)
acpiprt7 at acpi0: bus 3 (RP07)
acpiprt8 at acpi0: bus -1 (RP08)
acpiprt9 at acpi0: bus 4 (RP09)
acpiprt10 at acpi0: bus -1 (RP10)
acpiprt11 at acpi0: bus 61 (RP11)
acpiprt12 at acpi0: bus -1 (RP12)
acpiprt13 at acpi0: bus -1 (RP13)
acpiprt14 at acpi0: bus -1 (RP14)
acpiprt15 at acpi0: bus -1 (RP15)
acpiprt16 at acpi0: bus -1 (RP16)
acpiprt17 at acpi0: bus -1 (RP17)
acpiprt18 at acpi0: bus -1 (RP18)
acpiprt19 at acpi0: bus -1 (RP19)
acpiprt20 at acpi0: bus -1 (RP20)
acpiprt21 at acpi0: bus -1 (RP21)
acpiprt22 at acpi0: bus -1 (RP22)
acpiprt23 at acpi0: bus -1 (RP23)
acpiprt24 at acpi0: bus -1 (RP24)
acpicpu0 at acpi0: C3(200@1034 mwait.1@0x60), C2(200@151 mwait.1@0x33), C1(1000@1 mwait.1), PSS
acpicpu1 at acpi0: C3(200@1034 mwait.1@0x60), C2(200@151 mwait.1@0x33), C1(1000@1 mwait.1), PSS
acpicpu2 at acpi0: C3(200@1034 mwait.1@0x60), C2(200@151 mwait.1@0x33), C1(1000@1 mwait.1), PSS
acpicpu3 at acpi0: C3(200@1034 mwait.1@0x60), C2(200@151 mwait.1@0x33), C1(1000@1 mwait.1), PSS
acpipwrres0 at acpi0: PUBS, resource for XHC_
acpitz0 at acpi0: critical temperature is 128 degC
acpipci0 at acpi0 PCI0: 0x00000000 0x00000011 0x00000001
acpithinkpad0 at acpi0: version 2.0
acpiac0 at acpi0: AC unit online
acpibat0 at acpi0: BAT0 model "01AV489" serial  1098 type LiP oem "LGC"
acpibat1 at acpi0: BAT1 model "01AV490" serial  2833 type LiP oem "LGC"
"LEN0100" at acpi0 not configured
"INT3403" at acpi0 not configured
acpicmos0 at acpi0
"INT0E0C" at acpi0 not configured
acpibtn0 at acpi0: SLPB
"PNP0C14" at acpi0 not configured
acpibtn1 at acpi0: LID_
"PNP0C14" at acpi0 not configured
"PNP0C14" at acpi0 not configured
"PNP0C14" at acpi0 not configured
"INT3400" at acpi0 not configured
"STM7304" at acpi0 not configured
acpivideo0 at acpi0: GFX0
acpivout0 at acpivideo0: DD1F
cpu0: using VERW MDS workaround (except on vmm entry)
cpu0: Enhanced SpeedStep 1696 MHz: speeds: 2001, 2000, 1900, 1800, 1700, 1500, 1400, 1300, 1200, 1100, 1000, 800, 700, 600, 500, 400 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Core 8G Host" rev 0x08
inteldrm0 at pci0 dev 2 function 0 "Intel UHD Graphics 620" rev 0x07
drm0 at inteldrm0
inteldrm0: msi
"Intel Core 6G Thermal" rev 0x08 at pci0 dev 4 function 0 not configured
"Intel Core GMM" rev 0x00 at pci0 dev 8 function 0 not configured
xhci0 at pci0 dev 20 function 0 "Intel 100 Series xHCI" rev 0x21: msi, xHCI 1.0
usb0 at xhci0: USB revision 3.0
uhub0 at usb0 configuration 1 interface 0 "Intel xHCI root hub" rev 3.00/1.00 addr 1
pchtemp0 at pci0 dev 20 function 2 "Intel 100 Series Thermal" rev 0x21
dwiic0 at pci0 dev 21 function 0 "Intel 100 Series I2C" rev 0x21: apic 2 int 16
iic0 at dwiic0
"Intel 100 Series MEI" rev 0x21 at pci0 dev 22 function 0 not configured
ppb0 at pci0 dev 28 function 0 "Intel 100 Series PCIE" rev 0xf1: msi
pci1 at ppb0 bus 1
ppb1 at pci0 dev 28 function 6 "Intel 100 Series PCIE" rev 0xf1: msi
pci2 at ppb1 bus 3
iwm0 at pci2 dev 0 function 0 "Intel Dual Band Wireless-AC 8265" rev 0x78, msi
ppb2 at pci0 dev 29 function 0 "Intel 100 Series PCIE" rev 0xf1
pci3 at ppb2 bus 4
ppb3 at pci0 dev 29 function 2 "Intel 100 Series PCIE" rev 0xf1: msi
pci4 at ppb3 bus 61
nvme0 at pci4 dev 0 function 0 "Samsung SM981/PM981 NVMe" rev 0x00: msix, NVMe 1.2
nvme0: SAMSUNG MZVLB512HAJQ-000L7, firmware 3L2QEXA7, serial S3TNNF0K510294
scsibus1 at nvme0: 2 targets, initiator 0
sd0 at scsibus1 targ 1 lun 0: <NVMe, SAMSUNG MZVLB512, 3L2Q>
sd0: 488386MB, 512 bytes/sector, 1000215216 sectors
pcib0 at pci0 dev 31 function 0 "Intel 200 Series LPC" rev 0x21
"Intel 100 Series PMC" rev 0x21 at pci0 dev 31 function 2 not configured
azalia0 at pci0 dev 31 function 3 "Intel 200 Series HD Audio" rev 0x21: msi
azalia0: codecs: Realtek/0x0257, Intel/0x280b, using Realtek/0x0257
audio0 at azalia0
ichiic0 at pci0 dev 31 function 4 "Intel 100 Series SMBus" rev 0x21: apic 2 int 16
iic1 at ichiic0
em0 at pci0 dev 31 function 6 "Intel I219-V" rev 0x21: msi, address 8c:16:45:9b:c9:fe
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard
pms0 at pckbc0 (aux slot)
wsmouse0 at pms0 mux 0
wsmouse1 at pms0 mux 0
pms0: Synaptics clickpad, firmware 8.16, 0x1e2b1 0x940300
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
vmm0 at mainbus0: VMX/EPT
efifb at mainbus0 not configured
ugen0 at uhub0 port 3 "Generic EMV Smartcard Reader" rev 2.01/1.20 addr 2
uvideo0 at uhub0 port 8 configuration 1 interface 0 "Chicony Electronics Co.,Ltd. Integrated Camera" rev 2.01/0.27 addr 3
video0 at uvideo0
umass0 at uhub0 port 15 configuration 1 interface 0 "Generic USB3.0-CRW" rev 3.00/2.04 addr 4
umass0: using SCSI over Bulk-Only
scsibus2 at umass0: 2 targets, initiator 0
sd1 at scsibus2 targ 1 lun 0: <Generic-, SD/MMC, 1.00> removable serial.0bda0316501030900000
vscsi0 at root
scsibus3 at vscsi0: 256 targets
softraid0 at root
scsibus4 at softraid0: 256 targets
sd2 at scsibus4 targ 1 lun 0: <OPENBSD, SR CRYPTO, 006>
sd2: 488385MB, 512 bytes/sector, 1000213601 sectors
root on sd2a (52fdd1ce48744600.a) swap on sd2b dump on sd2b
inteldrm0: 1920x1080, 32bpp
wsdisplay0 at inteldrm0 mux 1: console (std, vt100 emulation), using wskbd0
wsdisplay0: screen 1-5 added (std, vt100 emulation)
iwm0: hw rev 0x230, fw ver 34.0.1, address b4:6b:fc:f3:e4:13
acpivideo0: unknown event 0x00
ugen0 detached
video0 detached
uvideo0 detached
sd1 detached
scsibus2 detached
umass0 detached
uhub0 detached
uhub0 at usb0 configuration 1 interface 0 "Intel xHCI root hub" rev 3.00/1.00 addr 1
ugen0 at uhub0 port 3 "Generic EMV Smartcard Reader" rev 2.01/1.20 addr 2
ugen0: setting configuration index 0 failed
uvideo0 at uhub0 port 8 configuration 1 interface 0 "Chicony Electronics Co.,Ltd. Integrated Camera" rev 2.01/0.27 addr 3
video0 at uvideo0
umass0 at uhub0 port 15 configuration 1 interface 0 "Generic USB3.0-CRW" rev 3.00/2.04 addr 4
umass0: using SCSI over Bulk-Only
scsibus2 at umass0: 2 targets, initiator 0
sd1 at scsibus2 targ 1 lun 0: <Generic-, SD/MMC, 1.00> removable serial.0bda0316501030900000
ugen1 at uhub0 port 1 "bq Aquaris X" rev 2.00/3.18 addr 5
ugen1 detached
acpivideo0: unknown event 0x00
ugen0 detached
video0 detached
uvideo0 detached
sd1 detached
scsibus2 detached
umass0 detached
uhub0 detached
uhub0 at usb0 configuration 1 interface 0 "Intel xHCI root hub" rev 3.00/1.00 addr 1
ugen0 at uhub0 port 3 "Generic EMV Smartcard Reader" rev 2.01/1.20 addr 2
uvideo0 at uhub0 port 8 configuration 1 interface 0 "Chicony Electronics Co.,Ltd. Integrated Camera" rev 2.01/0.27 addr 3
video0 at uvideo0
umass0 at uhub0 port 15 configuration 1 interface 0 "Generic USB3.0-CRW" rev 3.00/2.04 addr 4
umass0: using SCSI over Bulk-Only
scsibus2 at umass0: 2 targets, initiator 0
sd1 at scsibus2 targ 1 lun 0: <Generic-, SD/MMC, 1.00> removable serial.0bda0316501030900000
acpivideo0: unknown event 0x00
ugen0 detached
video0 detached
uvideo0 detached
sd1 detached
scsibus2 detached
umass0 detached
uhub0 detached
uhub0 at usb0 configuration 1 interface 0 "Intel xHCI root hub" rev 3.00/1.00 addr 1
ugen0 at uhub0 port 3 "Generic EMV Smartcard Reader" rev 2.01/1.20 addr 2
ugen0: setting configuration index 0 failed
uvideo0 at uhub0 port 8 configuration 1 interface 0 "Chicony Electronics Co.,Ltd. Integrated Camera" rev 2.01/0.27 addr 3
video0 at uvideo0
umass0 at uhub0 port 15 configuration 1 interface 0 "Generic USB3.0-CRW" rev 3.00/2.04 addr 4
umass0: using SCSI over Bulk-Only
scsibus2 at umass0: 2 targets, initiator 0
sd1 at scsibus2 targ 1 lun 0: <Generic-, SD/MMC, 1.00> removable serial.0bda0316501030900000
acpivideo0: unknown event 0x00


Re: unwind reports no signature or no DNSSEC

Florian Obser-2
On Mon, Feb 03, 2020 at 06:16:54PM +0100, Solene Rapenne wrote:

> I re-enabled unwind today (I was using append instead of prepend in
> dhclient.conf) and I got a few issues resolving domains, often the first
> time; if I try again I get a result. I'm pretty sure it's not a bug, but
> I have no idea what's happening here, so maybe log output or
> documentation could be enhanced.
>
>
> From /var/log/messages (192.168.1.254 is the DNS server from my DHCP)
>
> Feb  3 17:55:44 solene unwind[18044]: validation failure <ocsp.int-x3.letsencrypt.org. A IN>: no signatures from 192.168.1.254 for key org. while building chain of trust
> Feb  3 18:05:10 solene unwind[18044]: validation failure <google.fr. A IN>: no DNSSEC records from 192.168.1.254 for DS google.fr. while building chain of trust
> Feb  3 18:05:18 solene unwind[18044]: validation failure <google.it. A IN>: no signatures from 192.168.1.254 for DS it. while building chain of trust
>

Looks like your dhcp nameserver strips DNSSEC in a weird way.
Can you please show

dig @192.168.1.254 +dnssec . SOA
and
dig @192.168.1.254 org DNSKEY

--
I'm not entirely sure you are real.


Re: unwind reports no signature or no DNSSEC

Solene Rapenne
On Mon, Feb 03, 2020 at 07:52:29PM +0100, Florian Obser wrote:

> On Mon, Feb 03, 2020 at 06:16:54PM +0100, Solene Rapenne wrote:
> > I re-enabled unwind today (I was using append instead of prepend in
> > dhclient.conf) and I got a few issues resolving domains, often the first
> > time; if I try again I get a result. I'm pretty sure it's not a bug, but
> > I have no idea what's happening here, so maybe log output or
> > documentation could be enhanced.
> >
> >
> > From /var/log/messages (192.168.1.254 is the DNS server from my DHCP)
> >
> > Feb  3 17:55:44 solene unwind[18044]: validation failure <ocsp.int-x3.letsencrypt.org. A IN>: no signatures from 192.168.1.254 for key org. while building chain of trust
> > Feb  3 18:05:10 solene unwind[18044]: validation failure <google.fr. A IN>: no DNSSEC records from 192.168.1.254 for DS google.fr. while building chain of trust
> > Feb  3 18:05:18 solene unwind[18044]: validation failure <google.it. A IN>: no signatures from 192.168.1.254 for DS it. while building chain of trust
> >
>
> Looks like your dhcp nameserver strips DNSSEC in a weird way.
> Can you please show
>
> dig @192.168.1.254 +dnssec . SOA
> and
> dig @192.168.1.254 org DNSKEY
>
> --
> I'm not entirely sure you are real.
>

sure :)

solene@t480 ~ $ dig @192.168.1.254 +dnssec . SOA

; <<>> dig 9.10.8-P1 <<>> @192.168.1.254 +dnssec . SOA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63346
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.                              IN      SOA

;; ANSWER SECTION:
.                       84857   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2020020301 1800 900 604800 86400

;; Query time: 25 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Mon Feb 03 19:54:35 CET 2020
;; MSG SIZE  rcvd: 103

solene@t480 ~ $ dig @192.168.1.254 org DNSKEY

; <<>> dig 9.10.8-P1 <<>> @192.168.1.254 org DNSKEY
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25574
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;org.                           IN      DNSKEY

;; ANSWER SECTION:
org.                    401     IN      DNSKEY  257 3 7 AwEAAcMnWBKLuvG/LwnPVykcmpvnntwxfshHlHRhlY0F3oz8AMcuF8gw 9McCw+BoC2YxWaiTpNPuxjSNhUlBtcJmcdkz3/r7PIn0oDf14ept1Y9p dPh8SbIBIWx50ZPfVRlj8oQXv2Y6yKiQik7bi3MT37zMRU2kw2oy3cgr sGAzGN4s/C6SFYon5N1Q2O4hGDbeOq538kATOy0GFELjuauV9guX/431 msYu4Rgb5lLuQ3Mx5FSIxXpI/RaAn2mhM4nEZ/5IeRPKZVGydcuLBS8G ZlxW4qbb8MgRZ8bwMg0pqWRHmhirGmJIt3UuzvN1pSFBfX7ysI9PPhSn wXCNDXk0kk0=
org.                    401     IN      DNSKEY  256 3 7 AwEAAckRQFGzYbS2OQXpXbXyQqxq+hQ6duZa7HRI9RWfzyKh+cQHSYl2 1tqYKEvc6+9UFqf/iWnM8w2M4kQdd/hF8FdWfp7gPLzX7KYcdzR7Vgzf pQA184R+GR3T/S4wJggIi97xBO+dptwp40sTyg9ItA1adGVSs+hjRW3C uKvobENn
org.                    401     IN      DNSKEY  256 3 7 AwEAAc2YgUjigNpgbsmzLkHyamRd31OOchY1kRkYDhPyufgiM9KiqujZ U53x9qEhq465qf6IgdKxWeYQMk+Glw49IHRx1hvdxjn6Gfjc/96uH5cv khEV38SvuDeZOzbNkJK0BvYo6Hck4lCSjJ1Wl2n1Mjguba0lEo8haWdJ MJS1D603
org.                    401     IN      DNSKEY  257 3 7 AwEAAZTjbIO5kIpxWUtyXc8avsKyHIIZ+LjC2Dv8naO+Tz6X2fqzDC1b dq7HlZwtkaqTkMVVJ+8gE9FIreGJ4c8G1GdbjQgbP1OyYIG7OHTc4hv5 T2NlyWr6k6QFz98Q4zwFIGTFVvwBhmrMDYsOTtXakK6QwHovA1+83BsU ACxlidpwB0hQacbD6x+I2RCDzYuTzj64Jv0/9XsX6AYV3ebcgn4hL1jI R2eJYyXlrAoWxdzxcW//5yeL5RVWuhRxejmnSVnCuxkfS4AQ485KH2tp dbWcCopLJZs6tw8q3jWcpTGzdh/v3xdYfNpQNcPImFlxAun3BtORPA2r 8ti6MNoJEHU=

;; Query time: 26 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Mon Feb 03 19:54:42 CET 2020
;; MSG SIZE  rcvd: 880



Re: unwind reports no signature or no DNSSEC

Florian Obser-2
On Mon, Feb 03, 2020 at 07:58:24PM +0100, Solene Rapenne wrote:

> On Mon, Feb 03, 2020 at 07:52:29PM +0100, Florian Obser wrote:
> > On Mon, Feb 03, 2020 at 06:16:54PM +0100, Solene Rapenne wrote:
> > > I re-enabled unwind today (I was using append instead of prepend in
> > > dhclient.conf) and I got a few issues resolving domains, often the first
> > > time; if I try again I get a result. I'm pretty sure it's not a bug, but
> > > I have no idea what's happening here, so maybe log output or
> > > documentation could be enhanced.
> > >
> > >
> > > From /var/log/messages (192.168.1.254 is the DNS server from my DHCP)
> > >
> > > Feb  3 17:55:44 solene unwind[18044]: validation failure <ocsp.int-x3.letsencrypt.org. A IN>: no signatures from 192.168.1.254 for key org. while building chain of trust
> > > Feb  3 18:05:10 solene unwind[18044]: validation failure <google.fr. A IN>: no DNSSEC records from 192.168.1.254 for DS google.fr. while building chain of trust
> > > Feb  3 18:05:18 solene unwind[18044]: validation failure <google.it. A IN>: no signatures from 192.168.1.254 for DS it. while building chain of trust
> > >
> >
> > Looks like your dhcp nameserver strips DNSSEC in a weird way.
> > Can you please show
> >
> > dig @192.168.1.254 +dnssec . SOA
> > and
> > dig @192.168.1.254 org DNSKEY
> >
> > --
> > I'm not entirely sure you are real.
> >
>
> sure :)
>
> solene@t480 ~ $ dig @192.168.1.254 +dnssec . SOA
>
> ; <<>> dig 9.10.8-P1 <<>> @192.168.1.254 +dnssec . SOA
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63346
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;.                              IN      SOA
>
> ;; ANSWER SECTION:
> .                       84857   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2020020301 1800 900 604800 86400
>
> ;; Query time: 25 msec
> ;; SERVER: 192.168.1.254#53(192.168.1.254)
> ;; WHEN: Mon Feb 03 19:54:35 CET 2020
> ;; MSG SIZE  rcvd: 103
>

for the archives: 192.168.1.254 is stripping rrsigs but unwind thinks
dhcp is validating. This is wrong and we need to figure out why.

--
I'm not entirely sure you are real.


Re: unwind reports no signature or no DNSSEC

Raf Czlonka-2
On Mon, Feb 03, 2020 at 07:29:02PM GMT, Florian Obser wrote:

> On Mon, Feb 03, 2020 at 07:58:24PM +0100, Solene Rapenne wrote:
> > On Mon, Feb 03, 2020 at 07:52:29PM +0100, Florian Obser wrote:
> > > On Mon, Feb 03, 2020 at 06:16:54PM +0100, Solene Rapenne wrote:
> > > > I re-enabled unwind today (I was using append instead of prepend in
> > > > dhclient.conf) and I got a few issues resolving domains, often the first
> > > > time; if I try again I get a result. I'm pretty sure it's not a bug, but
> > > > I have no idea what's happening here, so maybe log output or
> > > > documentation could be enhanced.
> > > >
> > > >
> > > > From /var/log/messages (192.168.1.254 is the DNS server from my DHCP)
> > > >
> > > > Feb  3 17:55:44 solene unwind[18044]: validation failure <ocsp.int-x3.letsencrypt.org. A IN>: no signatures from 192.168.1.254 for key org. while building chain of trust
> > > > Feb  3 18:05:10 solene unwind[18044]: validation failure <google.fr. A IN>: no DNSSEC records from 192.168.1.254 for DS google.fr. while building chain of trust
> > > > Feb  3 18:05:18 solene unwind[18044]: validation failure <google.it. A IN>: no signatures from 192.168.1.254 for DS it. while building chain of trust
> > > >
> > >
> > > Looks like your dhcp nameserver strips DNSSEC in a weird way.
> > > Can you please show
> > >
> > > dig @192.168.1.254 +dnssec . SOA
> > > and
> > > dig @192.168.1.254 org DNSKEY
> > >
> > > --
> > > I'm not entirely sure you are real.
> > >
> >
> > sure :)
> >
> > solene@t480 ~ $ dig @192.168.1.254 +dnssec . SOA
> >
> > ; <<>> dig 9.10.8-P1 <<>> @192.168.1.254 +dnssec . SOA
> > ; (1 server found)
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63346
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> >
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags:; udp: 4096
> > ;; QUESTION SECTION:
> > ;.                              IN      SOA
> >
> > ;; ANSWER SECTION:
> > .                       84857   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2020020301 1800 900 604800 86400
> >
> > ;; Query time: 25 msec
> > ;; SERVER: 192.168.1.254#53(192.168.1.254)
> > ;; WHEN: Mon Feb 03 19:54:35 CET 2020
> > ;; MSG SIZE  rcvd: 103
> >
>
> for the archives: 192.168.1.254 is stripping rrsigs but unwind thinks
> dhcp is validating. This is wrong and we need to figure out why.
>

Hi all,

I've been having similar (the same?) issues since at least mid-to-late
December. I hadn't a chance to diagnose it properly, hence sending
an email only now to confirm Solene's isn't an isolated case.

Unlike Solene, I would have to restart unwind to get it resolving.

Not sure whether the first line is at all significant - I've seen
it only three times since December.

        Dec 25 05:17:07 rose unwind[83579]: [83579:0] error: outgoing tcp: connect: Permission denied for 194.168.8.100 port 853
        Dec 26 16:22:44 rose unwind[83579]: validation failure <cdn.openbsd.org. A IN>: key for validation org. is marked as invalid because of a previous validation failure <cdn.openbsd.org. A IN>: no signatures from 194.168.8.100 for key org. while building chain of trust
        Dec 26 16:22:58 rose unwind[48598]: dhcp: validation failure <. NS IN>: no signatures from 194.168.8.100 for trust anchor . while building chain of trust

This is the current status of unwind (yesterday's snapshot):

        $ unwindctl status
        1. recursor        validating,  70ms   3. dhcp             resolving, 150ms
        2. stub             resolving,  70ms   4. oDoT-dhcp             dead,   N/A

                              histograms: lifetime[ms], decaying[ms]
                 <10   <20   <40   <60   <80  <100  <200  <400  <600  <800 <1000     >
          rec  14125    98  1489  1070   667   608  1683  1025   288   176   117   245
                  95     1    14     7     7     5    12     5     2     2     1     1
         stub      0   168   378   183    91    75   509   183    46    38    25    53
                   0     2     5     2     0     1     6     1     0     1     0     0
         dhcp     20   118   536   288   205   130   854   396    51    43    38    60
                   0     0     1     2     1     0     5     2     1     0     0     0
        dhcp*      0     0     0     0     0     0     0     0     0     0     0     0
                   0     0     0     0     0     0     0     0     0     0     0     0

        $ unwindctl status memory
        msg-cache:   192106 / 1048576 (18.32%)
        rrset-cache: 742342 / 1048576 (70.80%)
        key-cache: 118824 / 1048576 (11.33%)
        neg-cache: 54613 / 102400 (53.33%)

        $ dig @194.168.8.100 +dnssec . SOA

        ; <<>> dig 9.10.8-P1 <<>> @194.168.8.100 +dnssec . SOA
        ; (1 server found)
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30608
        ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

        ;; OPT PSEUDOSECTION:
        ; EDNS: version: 0, flags: do; udp: 512
        ;; QUESTION SECTION:
        ;. IN SOA

        ;; ANSWER SECTION:
        . 7387 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2020020300 1800 900 604800 86400

        ;; Query time: 13 msec
        ;; SERVER: 194.168.8.100#53(194.168.8.100)
        ;; WHEN: Tue Feb 04 11:34:45 GMT 2020
        ;; MSG SIZE  rcvd: 103

        $ dig @194.168.8.100 org DNSKEY

        ; <<>> dig 9.10.8-P1 <<>> @194.168.8.100 org DNSKEY
        ; (1 server found)
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1391
        ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

        ;; OPT PSEUDOSECTION:
        ; EDNS: version: 0, flags:; udp: 512

        ;; QUESTION SECTION:
        ;org. IN DNSKEY

        ;; ANSWER SECTION:
        org. 900 IN DNSKEY 256 3 7 AwEAAckRQFGzYbS2OQXpXbXyQqxq+hQ6duZa7HRI9RWfzyKh+cQHSYl2 1tqYKEvc6+9UFqf/iWnM8w2M4kQdd/hF8FdWfp7gPLzX7KYcdzR7Vgzf pQA184R+GR3T/S4wJggIi97xBO+dptwp40sTyg9ItA1adGVSs+hjRW3C uKvobENn
        org. 900 IN DNSKEY 256 3 7 AwEAAc2YgUjigNpgbsmzLkHyamRd31OOchY1kRkYDhPyufgiM9KiqujZ U53x9qEhq465qf6IgdKxWeYQMk+Glw49IHRx1hvdxjn6Gfjc/96uH5cv khEV38SvuDeZOzbNkJK0BvYo6Hck4lCSjJ1Wl2n1Mjguba0lEo8haWdJ MJS1D603
        org. 900 IN DNSKEY 257 3 7 AwEAAZTjbIO5kIpxWUtyXc8avsKyHIIZ+LjC2Dv8naO+Tz6X2fqzDC1b dq7HlZwtkaqTkMVVJ+8gE9FIreGJ4c8G1GdbjQgbP1OyYIG7OHTc4hv5 T2NlyWr6k6QFz98Q4zwFIGTFVvwBhmrMDYsOTtXakK6QwHovA1+83BsU ACxlidpwB0hQacbD6x+I2RCDzYuTzj64Jv0/9XsX6AYV3ebcgn4hL1jI R2eJYyXlrAoWxdzxcW//5yeL5RVWuhRxejmnSVnCuxkfS4AQ485KH2tp dbWcCopLJZs6tw8q3jWcpTGzdh/v3xdYfNpQNcPImFlxAun3BtORPA2r 8ti6MNoJEHU=
        org. 900 IN DNSKEY 257 3 7 AwEAAcMnWBKLuvG/LwnPVykcmpvnntwxfshHlHRhlY0F3oz8AMcuF8gw 9McCw+BoC2YxWaiTpNPuxjSNhUlBtcJmcdkz3/r7PIn0oDf14ept1Y9p dPh8SbIBIWx50ZPfVRlj8oQXv2Y6yKiQik7bi3MT37zMRU2kw2oy3cgr sGAzGN4s/C6SFYon5N1Q2O4hGDbeOq538kATOy0GFELjuauV9guX/431 msYu4Rgb5lLuQ3Mx5FSIxXpI/RaAn2mhM4nEZ/5IeRPKZVGydcuLBS8G ZlxW4qbb8MgRZ8bwMg0pqWRHmhirGmJIt3UuzvN1pSFBfX7ysI9PPhSn wXCNDXk0kk0=

        ;; Query time: 23 msec
        ;; SERVER: 194.168.8.100#53(194.168.8.100)
        ;; WHEN: Tue Feb 04 11:35:12 GMT 2020
        ;; MSG SIZE  rcvd: 880

Regards,

Raf


Re: unwind reports no signature or no DNSSEC

Florian Obser-2
On Tue, Feb 04, 2020 at 11:41:14AM +0000, Raf Czlonka wrote:

> On Mon, Feb 03, 2020 at 07:29:02PM GMT, Florian Obser wrote:
> > On Mon, Feb 03, 2020 at 07:58:24PM +0100, Solene Rapenne wrote:
> > > On Mon, Feb 03, 2020 at 07:52:29PM +0100, Florian Obser wrote:
> > > > On Mon, Feb 03, 2020 at 06:16:54PM +0100, Solene Rapenne wrote:
> > > > > I re-enabled unwind today (I was using append instead of prepend in
> > > > > dhclient.conf) and I got a few issues resolving domains, often the first
> > > > > time; if I try again I get a result. I'm pretty sure it's not a bug, but
> > > > > I have no idea what's happening here, so maybe log output or
> > > > > documentation could be enhanced.
> > > > >
> > > > >
> > > > > From /var/log/messages (192.168.1.254 is the DNS server from my DHCP)
> > > > >
> > > > > Feb  3 17:55:44 solene unwind[18044]: validation failure <ocsp.int-x3.letsencrypt.org. A IN>: no signatures from 192.168.1.254 for key org. while building chain of trust
> > > > > Feb  3 18:05:10 solene unwind[18044]: validation failure <google.fr. A IN>: no DNSSEC records from 192.168.1.254 for DS google.fr. while building chain of trust
> > > > > Feb  3 18:05:18 solene unwind[18044]: validation failure <google.it. A IN>: no signatures from 192.168.1.254 for DS it. while building chain of trust
> > > > >
> > > >
> > > > Looks like your dhcp nameserver strips DNSSEC in a weird way.
> > > > Can you please show
> > > >
> > > > dig @192.168.1.254 +dnssec . SOA
> > > > and
> > > > dig @192.168.1.254 org DNSKEY
> > > >
> > > > --
> > > > I'm not entirely sure you are real.
> > > >
> > >
> > > sure :)
> > >
> > > solene@t480 ~ $ dig @192.168.1.254 +dnssec . SOA
> > >
> > > ; <<>> dig 9.10.8-P1 <<>> @192.168.1.254 +dnssec . SOA
> > > ; (1 server found)
> > > ;; global options: +cmd
> > > ;; Got answer:
> > > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63346
> > > ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> > >
> > > ;; OPT PSEUDOSECTION:
> > > ; EDNS: version: 0, flags:; udp: 4096
> > > ;; QUESTION SECTION:
> > > ;.                              IN      SOA
> > >
> > > ;; ANSWER SECTION:
> > > .                       84857   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2020020301 1800 900 604800 86400
> > >
> > > ;; Query time: 25 msec
> > > ;; SERVER: 192.168.1.254#53(192.168.1.254)
> > > ;; WHEN: Mon Feb 03 19:54:35 CET 2020
> > > ;; MSG SIZE  rcvd: 103
> > >
> >
> > for the archives: 192.168.1.254 is stripping rrsigs but unwind thinks
> > dhcp is validating. This is wrong and we need to figure out why.
> >
>
> Hi all,
>
> I've been having similar (the same?) issues since at least mid-to-late
> December. I hadn't a chance to diagnose it properly hence sending
> an email only now to confirm Solene's isn't an isolated case.
>
> Unlike Solene, I would have to restart unwind to get it resolving.

I'm sure you had(!) a different issue than Solene. unwind correctly
detects that your dhcp provided nameserver can only do resolving and
strips dnssec records while the recursor can do validation.

On December 18th I enabled a shared cache for negative answers in
rev 1.116 of resolver.c.

As kn@ found out the hard way we cannot share a cache with a resolving
strategy that can only do resolving.
This has been fixed on January 20th with rev 1.120:

    We can not share a cache between validating and resolving strategies.
    The resolving only strategies mess up the negative cache by claiming
    DNSSEC related  records do not exist which confuses the validating
    strategies.
    Found the hard way by kn@ and analysed by otto@
    OK kn@

Pretty sure your issue has been resolved with that (The log you are
showing is certainly from the timeframe where the issue existed).

It's still a bit unclear what Solene's issue was, it looks like the
dhcp provided nameserver did support dnssec in the past and then
suddenly stopped. Possibly a change at the isp. unwind failed to
detect this. I have to think about what to do about it.

>
> Not sure whether the first line is at all significant - I've seen
> it only three times since December.
>
> Dec 25 05:17:07 rose unwind[83579]: [83579:0] error: outgoing tcp: connect: Permission denied for 194.168.8.100 port 853
> Dec 26 16:22:44 rose unwind[83579]: validation failure <cdn.openbsd.org. A IN>: key for validation org. is marked as invalid because of a previous validation failure <cdn.openbsd.org. A IN>: no signatures from 194.168.8.100 for key org. while building chain of trust
> Dec 26 16:22:58 rose unwind[48598]: dhcp: validation failure <. NS IN>: no signatures from 194.168.8.100 for trust anchor . while building chain of trust
>
> This is the current status of unwind (yesterday's snapshot):
>
> $ unwindctl status
> 1. recursor        validating,  70ms   3. dhcp             resolving, 150ms
> 2. stub             resolving,  70ms   4. oDoT-dhcp             dead,   N/A
>
>      histograms: lifetime[ms], decaying[ms]
> <10   <20   <40   <60   <80  <100  <200  <400  <600  <800 <1000     >
>  rec  14125    98  1489  1070   667   608  1683  1025   288   176   117   245
>  95     1    14     7     7     5    12     5     2     2     1     1
> stub      0   168   378   183    91    75   509   183    46    38    25    53
>   0     2     5     2     0     1     6     1     0     1     0     0
> dhcp     20   118   536   288   205   130   854   396    51    43    38    60
>   0     0     1     2     1     0     5     2     1     0     0     0
> dhcp*      0     0     0     0     0     0     0     0     0     0     0     0
>   0     0     0     0     0     0     0     0     0     0     0     0
>
> $ unwindctl status memory
> msg-cache:   192106 / 1048576 (18.32%)
> rrset-cache: 742342 / 1048576 (70.80%)
> key-cache: 118824 / 1048576 (11.33%)
> neg-cache: 54613 / 102400 (53.33%)
>
> $ dig @194.168.8.100 +dnssec . SOA
>
> ; <<>> dig 9.10.8-P1 <<>> @194.168.8.100 +dnssec . SOA
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30608
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 512
> ;; QUESTION SECTION:
> ;. IN SOA
>
> ;; ANSWER SECTION:
> . 7387 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2020020300 1800 900 604800 86400
>
> ;; Query time: 13 msec
> ;; SERVER: 194.168.8.100#53(194.168.8.100)
> ;; WHEN: Tue Feb 04 11:34:45 GMT 2020
> ;; MSG SIZE  rcvd: 103
>
> $ dig @194.168.8.100 org DNSKEY
>
> ; <<>> dig 9.10.8-P1 <<>> @194.168.8.100 org DNSKEY
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1391
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
>
> ;; QUESTION SECTION:
> ;org. IN DNSKEY
>
> ;; ANSWER SECTION:
> org. 900 IN DNSKEY 256 3 7 AwEAAckRQFGzYbS2OQXpXbXyQqxq+hQ6duZa7HRI9RWfzyKh+cQHSYl2 1tqYKEvc6+9UFqf/iWnM8w2M4kQdd/hF8FdWfp7gPLzX7KYcdzR7Vgzf pQA184R+GR3T/S4wJggIi97xBO+dptwp40sTyg9ItA1adGVSs+hjRW3C uKvobENn
> org. 900 IN DNSKEY 256 3 7 AwEAAc2YgUjigNpgbsmzLkHyamRd31OOchY1kRkYDhPyufgiM9KiqujZ U53x9qEhq465qf6IgdKxWeYQMk+Glw49IHRx1hvdxjn6Gfjc/96uH5cv khEV38SvuDeZOzbNkJK0BvYo6Hck4lCSjJ1Wl2n1Mjguba0lEo8haWdJ MJS1D603
> org. 900 IN DNSKEY 257 3 7 AwEAAZTjbIO5kIpxWUtyXc8avsKyHIIZ+LjC2Dv8naO+Tz6X2fqzDC1b dq7HlZwtkaqTkMVVJ+8gE9FIreGJ4c8G1GdbjQgbP1OyYIG7OHTc4hv5 T2NlyWr6k6QFz98Q4zwFIGTFVvwBhmrMDYsOTtXakK6QwHovA1+83BsU ACxlidpwB0hQacbD6x+I2RCDzYuTzj64Jv0/9XsX6AYV3ebcgn4hL1jI R2eJYyXlrAoWxdzxcW//5yeL5RVWuhRxejmnSVnCuxkfS4AQ485KH2tp dbWcCopLJZs6tw8q3jWcpTGzdh/v3xdYfNpQNcPImFlxAun3BtORPA2r 8ti6MNoJEHU=
> org. 900 IN DNSKEY 257 3 7 AwEAAcMnWBKLuvG/LwnPVykcmpvnntwxfshHlHRhlY0F3oz8AMcuF8gw 9McCw+BoC2YxWaiTpNPuxjSNhUlBtcJmcdkz3/r7PIn0oDf14ept1Y9p dPh8SbIBIWx50ZPfVRlj8oQXv2Y6yKiQik7bi3MT37zMRU2kw2oy3cgr sGAzGN4s/C6SFYon5N1Q2O4hGDbeOq538kATOy0GFELjuauV9guX/431 msYu4Rgb5lLuQ3Mx5FSIxXpI/RaAn2mhM4nEZ/5IeRPKZVGydcuLBS8G ZlxW4qbb8MgRZ8bwMg0pqWRHmhirGmJIt3UuzvN1pSFBfX7ysI9PPhSn wXCNDXk0kk0=
>
> ;; Query time: 23 msec
> ;; SERVER: 194.168.8.100#53(194.168.8.100)
> ;; WHEN: Tue Feb 04 11:35:12 GMT 2020
> ;; MSG SIZE  rcvd: 880
>
> Regards,
>
> Raf
>

--
I'm not entirely sure you are real.
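
As an added example (not code from this thread or from unwind), a small Python check of the `dig @<server> +dnssec . SOA` output Florian asked for: it reads the EDNS DO bit and counts RRSIG records in the answer section, which is what separates a nameserver that can back a validating strategy from one that can only resolve. The three samples are constructed (the first two mirror the thread's outputs; the third, with its RRSIG and signature placeholder, is hypothetical), and the tuple layout and "validating"/"resolving" labels are my own.

```python
import re

# Constructed samples shaped like the thread's "dig @<server> +dnssec . SOA"
# output, trimmed to the lines the check reads: DO bit not echoed at all,
# DO echoed but the RRSIG stripped, and (hypothetical) signatures passed through.
NO_DO = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags:; udp: 4096
;; ANSWER SECTION:
.    84857 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2020020301 1800 900 604800 86400
"""
DO_NO_RRSIG = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 512
;; ANSWER SECTION:
. 7387 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2020020300 1800 900 604800 86400
"""
SIGNED = """\
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2020020301 1800 900 604800 86400
. 86400 IN RRSIG SOA 8 0 86400 20200216050000 20200203040000 33853 . SIGNATURE-PLACEHOLDER
"""

def classify_dig(text):
    """Return (do_echoed, ad_set, rrsig_count, verdict) for one dig output."""
    hdr = re.search(r"^;; flags: ([^;]*);", text, re.M)
    edns = re.search(r"^; EDNS: version: \d+, flags:([^;]*);", text, re.M)
    ad = bool(hdr) and "ad" in hdr.group(1).split()
    do = bool(edns) and "do" in edns.group(1).split()
    rrsigs, in_answer = 0, False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif in_answer and (not line.strip() or line.startswith(";")):
            break                         # end of the answer section
        elif in_answer:
            fields = line.split()         # owner ttl class type rdata...
            rrsigs += len(fields) > 3 and fields[3] == "RRSIG"
    # Without RRSIGs a chain of trust cannot be built through this server,
    # so it can only serve as a resolving (not validating) strategy.
    verdict = "validating" if rrsigs else "resolving"
    return do, ad, rrsigs, verdict

if __name__ == "__main__":
    for name, sample in (("no-do", NO_DO), ("do-no-rrsig", DO_NO_RRSIG), ("signed", SIGNED)):
        print(name, classify_dig(sample))
```

A server that echoes DO but returns no RRSIG (Raf's case) and one that does not echo DO at all (Solene's case) both end up as "resolving"; only the signed answer can feed a validator.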


Re: unwind reports no signature or no DNSSEC

Otto Moerbeek
On Wed, Feb 05, 2020 at 04:14:41PM +0100, Florian Obser wrote:

> On Tue, Feb 04, 2020 at 11:41:14AM +0000, Raf Czlonka wrote:
> > On Mon, Feb 03, 2020 at 07:29:02PM GMT, Florian Obser wrote:
> > > On Mon, Feb 03, 2020 at 07:58:24PM +0100, Solene Rapenne wrote:
> > > > On Mon, Feb 03, 2020 at 07:52:29PM +0100, Florian Obser wrote:
> > > > > On Mon, Feb 03, 2020 at 06:16:54PM +0100, Solene Rapenne wrote:
> > > > > > I re-enabled unwind today (i was using append instead of prepend in
> > > > > > dhclient.conf) and I got a few issues resolving domains, often the first
> > > > > > time, if I try again I get a result. I'm pretty sure it's not a bug, but
> > > > > > I have no idea what's happening here, so maybe log output or
> > > > > > documentation could be enhanced.
> > > > > >
> > > > > >
> > > > > > From /var/log/messages (192.168.1.254 is dns from my dhcp)
> > > > > >
> > > > > > Feb  3 17:55:44 solene unwind[18044]: validation failure <ocsp.int-x3.letsencrypt.org. A IN>: no signatures from 192.168.1.254 for key org. while building chain of trust
> > > > > > Feb  3 18:05:10 solene unwind[18044]: validation failure <google.fr. A IN>: no DNSSEC records from 192.168.1.254 for DS google.fr. while building chain of trust
> > > > > > Feb  3 18:05:18 solene unwind[18044]: validation failure <google.it. A IN>: no signatures from 192.168.1.254 for DS it. while building chain of trust
> > > > > >
> > > > >
> > > > > Looks like your dhcp nameserver strips DNSSEC in a weird way.
> > > > > Can you please show
> > > > >
> > > > > dig @192.168.1.254 +dnssec . SOA
> > > > > and
> > > > > dig @192.168.1.254 org DNSKEY
> > > > >
> > > > > --
> > > > > I'm not entirely sure you are real.
> > > > >
> > > >
> > > > sure :)
> > > >
> > > > solene@t480 ~ $ dig @192.168.1.254 +dnssec . SOA
> > > >
> > > > ; <<>> dig 9.10.8-P1 <<>> @192.168.1.254 +dnssec . SOA
> > > > ; (1 server found)
> > > > ;; global options: +cmd
> > > > ;; Got answer:
> > > > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63346
> > > > ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> > > >
> > > > ;; OPT PSEUDOSECTION:
> > > > ; EDNS: version: 0, flags:; udp: 4096
> > > > ;; QUESTION SECTION:
> > > > ;.                              IN      SOA
> > > >
> > > > ;; ANSWER SECTION:
> > > > .                       84857   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2020020301 1800 900 604800 86400
> > > >
> > > > ;; Query time: 25 msec
> > > > ;; SERVER: 192.168.1.254#53(192.168.1.254)
> > > > ;; WHEN: Mon Feb 03 19:54:35 CET 2020
> > > > ;; MSG SIZE  rcvd: 103
> > > >
> > >
> > > for the archives: 192.168.1.254 is stripping rrsigs but unwind thinks
> > > dhcp is validating. This is wrong and we need to figure out why.
> > >
> >
> > Hi all,
> >
> > I've been having similar (the same?) issues since at least mid-to-late
> > December. I hadn't a chance to diagnose it properly hence sending
> > an email only now to confirm Solene's isn't an isolated case.
> >
> > Unlike Solene, I would have to restart unwind to get it resolving.
>
> I'm sure you had(!) a different issue than Solene. unwind correctly
> detects that your dhcp provided nameserver can only do resolving and
> strips dnssec records while the recursor can do validation.
>
> On December 18th I enabled a shared cache for negative answers in
> rev 1.116 of resolver.c.
>
> As kn@ found out the hard way we cannot share a cache with a resolving
> strategy that can only do resolving.
> This has been fixed on January 20th with rev 1.120:
>
>     We can not share a cache between validating and resolving strategies.
>     The resolving only strategies mess up the negative cache by claiming
>     DNSSEC related  records do not exist which confuses the validating
>     strategies.
>     Found the hard way by kn@ and analysed by otto@
>     OK kn@
>
> Pretty sure your issue has been resolved with that (The log you are
> showing is certainly from the timeframe where the issue existed).
>
> It's still a bit unclear what Solene's issue was, it looks like the
> dhcp provided nameserver did support dnssec in the past and then
> suddenly stopped. Possibly a change at the isp. unwind failed to
> detect this. I have to think about what to do about it.

Maybe several recursors are behind a single IP, being loadbalanced? I
have seen setups with multiple recursors from different vendors being
used with different settings. In that case the client might see
different results depending on the load balancing changing.

        -Otto

