DNSSEC Inconsistency with Forwarding #145
Comments
This does not seem to be a bug in Unbound.
And therefore Unbound has to treat this as DNSSEC bogus. My best bet is that the (not allowed) CNAME on the nrsflorida.com apex confuses 1.1.1.1 and overrides the DS from the parent.
So basically a combo of an improperly configured upstream DNS and improperly configured domain? I did some testing using two other upstream addresses to forward to. Using Google (8.8.4.4) yields a proper insecure resolve, but using OpenDNS (208.67.222.222) gives a SERVFAIL. What would you suggest, both opening a ticket with the Cloudflare folks and yelling at the website?
Yes, I think that would be the best approach. In the end the nrsflorida.com nameserver is just wrong, but it would be nice to inform the Cloudflare people about this peculiarity.
I can't reproduce this either with
Alternatives:
Dig:
So as @ralphdolmans says, check the middleman
Interesting. I can reproduce on two boxes. The first is my router running pfsense (which I think is v1.9.1 of Unbound) and the second is a VM on 1.9.0 on Ubuntu 19.10 (the latest version in their repo). Sorry, should have said that in the OP. I'll look into putting the latest version on my Ubuntu box and seeing what happens. Thanks for the additional input.
Here is the compile code I use on ubuntu 19.10 :) https://gitlab.com/rpz-zones/toolbox/issues/18#configure-options
No need to test different Unbound versions. As said before you (sometimes) don't get the correct answer for the DS query from the server you are forwarding to. It seems to be the case when Cloudflare has the CNAME for the apex in the cache, but that is not Unbound related. I am closing this issue since the extra comments are mainly leading to confusion. Feel free to reopen after reaching out to the other parties.
I'm sorry but it wasn't my intention.
I installed the latest version of Unbound and it turns out that 1.9.6 actually resolves fine. Must be some funky mashup of version 1.9.0 + CloudFlare + Improperly configured domain. Which, I guess is to say, if it should be returning a bogus result based on what 1.1.1.1 is sending for this domain, there is now a bug in the new version of Unbound.
It is not Unbound version dependent. The server you are forwarding to does not always give the same reply for the DS query.
You're right. I literally just caught it misbehaving on two digs in a row (first gives correct result, 2nd gives incomplete result). I put in a ticket with Cloudflare. Thanks all for the help!!!

greg@vm-media-server:~$ dig ds nrsflorida.com @1.1.1.1 +dnssec
; <<>> DiG 9.11.5-P4-5.1ubuntu2.1-Ubuntu <<>> ds nrsflorida.com @1.1.1.1 +dnssec
;; OPT PSEUDOSECTION:
;; AUTHORITY SECTION:
;; Query time: 16 msec

greg@vm-media-server:~$ dig ds nrsflorida.com @1.1.1.1 +dnssec
; <<>> DiG 9.11.5-P4-5.1ubuntu2.1-Ubuntu <<>> ds nrsflorida.com @1.1.1.1 +dnssec
;; OPT PSEUDOSECTION:
;; ANSWER SECTION:
;; AUTHORITY SECTION:
;; Query time: 57 msec
I've located a specific domain which produces a strange DNSSEC result with Unbound. The domain is insecure and properly resolves as such when querying 1.1.1.1 directly or allowing Unbound to act as the resolver. However, if Unbound forwards to 1.1.1.1 the resolution fails out. It seems there is some bug in Unbound causing the inconsistency.
Domain: nrsflorida.com
FORWARDER
When using Unbound as a forwarder to 1.1.1.1, with DNSSEC enabled, dig yields a SERVFAIL. BUT directly querying 1.1.1.1 (which is DNSSEC enabled) the domain resolves fine (though without the 'ad' flag).
Console Log:
dig nrsflorida.com +dnssec @192.168.10.2
; <<>> DiG 9.11.5-P4-5.1ubuntu2.1-Ubuntu <<>> nrsflorida.com +dnssec @192.168.10.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 63872
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;nrsflorida.com. IN A
;; Query time: 2451 msec
;; SERVER: 192.168.10.2#53(192.168.10.2)
;; WHEN: Wed Jan 15 22:39:33 UTC 2020
;; MSG SIZE rcvd: 43
Unbound Log:
[1579128148] unbound[7354:0] info: 192.168.10.2 nrsflorida.com. A IN
[1579128148] unbound[7354:0] info: resolving nrsflorida.com. A IN
[1579128148] unbound[7354:0] info: response for nrsflorida.com. A IN
[1579128148] unbound[7354:0] info: reply from <.> 1.0.0.1#853
[1579128148] unbound[7354:0] info: query response was CNAME
[1579128148] unbound[7354:0] info: resolving nrsflorida.com. A IN
[1579128148] unbound[7354:0] info: response for nrsflorida.com. A IN
[1579128148] unbound[7354:0] info: reply from <.> 1.1.1.1#853
[1579128148] unbound[7354:0] info: query response was ANSWER
[1579128148] unbound[7354:0] info: prime trust anchor
[1579128148] unbound[7354:0] info: generate keytag query _ta-4f66. NULL IN
[1579128148] unbound[7354:0] info: resolving . DNSKEY IN
[1579128148] unbound[7354:0] info: resolving _ta-4f66. NULL IN
[1579128148] unbound[7354:0] info: response for _ta-4f66. NULL IN
[1579128148] unbound[7354:0] info: reply from <.> 1.0.0.1#853
[1579128148] unbound[7354:0] info: query response was NXDOMAIN ANSWER
[1579128148] unbound[7354:0] info: response for . DNSKEY IN
[1579128148] unbound[7354:0] info: reply from <.> 1.1.1.1#853
[1579128148] unbound[7354:0] info: query response was ANSWER
[1579128148] unbound[7354:0] info: validate keys with anchor(DS): sec_status_secure
[1579128148] unbound[7354:0] info: Successfully primed trust anchor . DNSKEY IN
[1579128148] unbound[7354:0] info: resolving com. DS IN
[1579128148] unbound[7354:0] info: response for com. DS IN
[1579128148] unbound[7354:0] info: reply from <.> 1.1.1.1#853
[1579128148] unbound[7354:0] info: query response was ANSWER
[1579128148] unbound[7354:0] info: validated DS com. DS IN
[1579128148] unbound[7354:0] info: resolving com. DNSKEY IN
[1579128148] unbound[7354:0] info: response for com. DNSKEY IN
[1579128148] unbound[7354:0] info: reply from <.> 1.1.1.1#853
[1579128148] unbound[7354:0] info: query response was ANSWER
[1579128148] unbound[7354:0] info: validated DNSKEY com. DNSKEY IN
[1579128148] unbound[7354:0] info: resolving nrsflorida.com. DS IN
[1579128149] unbound[7354:0] info: response for nrsflorida.com. DS IN
[1579128149] unbound[7354:0] info: reply from <.> 1.0.0.1#853
[1579128149] unbound[7354:0] info: query response was CNAME
[1579128149] unbound[7354:0] info: resolving nrsflorida.com. DS IN
[1579128149] unbound[7354:0] info: response for nrsflorida.com. DS IN
[1579128149] unbound[7354:0] info: reply from <.> 1.0.0.1#853
[1579128149] unbound[7354:0] info: query response was nodata ANSWER
[1579128149] unbound[7354:0] info: resolving nrsflorida.com. DS IN
[1579128149] unbound[7354:0] info: response for nrsflorida.com. DS IN
[1579128149] unbound[7354:0] info: reply from <.> 1.1.1.1#853
[1579128149] unbound[7354:0] info: query response was CNAME
[1579128149] unbound[7354:0] info: resolving nrsflorida.com. DS IN
[1579128149] unbound[7354:0] info: response for nrsflorida.com. DS IN
[1579128149] unbound[7354:0] info: reply from <.> 1.1.1.1#853
[1579128149] unbound[7354:0] info: query response was nodata ANSWER
[1579128149] unbound[7354:0] info: resolving nrsflorida.com. DS IN
[1579128149] unbound[7354:0] info: response for nrsflorida.com. DS IN
[1579128149] unbound[7354:0] info: reply from <.> 1.1.1.1#853
[1579128149] unbound[7354:0] info: query response was CNAME
[1579128149] unbound[7354:0] info: resolving nrsflorida.com. DS IN
[1579128149] unbound[7354:0] info: response for nrsflorida.com. DS IN
[1579128149] unbound[7354:0] info: reply from <.> 1.0.0.1#853
[1579128149] unbound[7354:0] info: query response was nodata ANSWER
[1579128149] unbound[7354:0] info: resolving nrsflorida.com. DS IN
[1579128149] unbound[7354:0] info: response for nrsflorida.com. DS IN
[1579128149] unbound[7354:0] info: reply from <.> 1.0.0.1#853
[1579128149] unbound[7354:0] info: query response was CNAME
[1579128149] unbound[7354:0] info: resolving nrsflorida.com. DS IN
[1579128150] unbound[7354:0] info: response for nrsflorida.com. DS IN
[1579128150] unbound[7354:0] info: reply from <.> 1.1.1.1#853
[1579128150] unbound[7354:0] info: query response was nodata ANSWER
[1579128150] unbound[7354:0] info: resolving nrsflorida.com. DS IN
[1579128150] unbound[7354:0] info: response for nrsflorida.com. DS IN
[1579128150] unbound[7354:0] info: reply from <.> 1.1.1.1#853
[1579128150] unbound[7354:0] info: query response was CNAME
[1579128150] unbound[7354:0] info: resolving nrsflorida.com. DS IN
[1579128150] unbound[7354:0] info: response for nrsflorida.com. DS IN
[1579128150] unbound[7354:0] info: reply from <.> 1.0.0.1#853
[1579128150] unbound[7354:0] info: query response was nodata ANSWER
[1579128150] unbound[7354:0] info: resolving nrsflorida.com. DS IN
[1579128150] unbound[7354:0] info: response for nrsflorida.com. DS IN
[1579128150] unbound[7354:0] info: reply from <.> 1.1.1.1#853
[1579128150] unbound[7354:0] info: query response was CNAME
[1579128150] unbound[7354:0] info: resolving nrsflorida.com. DS IN
[1579128150] unbound[7354:0] info: response for nrsflorida.com. DS IN
[1579128150] unbound[7354:0] info: reply from <.> 1.0.0.1#853
[1579128150] unbound[7354:0] info: query response was nodata ANSWER
[1579128150] unbound[7354:0] info: Could not establish a chain of trust to keys for nrsflorida.com. DNSKEY IN
RESOLVER (not forwarding):
Unbound resolves the domain, though again without the 'ad' flag.
dig nrsflorida.com +dnssec @192.168.10.2
; <<>> DiG 9.11.5-P4-5.1ubuntu2.1-Ubuntu <<>> nrsflorida.com +dnssec @192.168.10.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58053
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;nrsflorida.com. IN A
;; ANSWER SECTION:
nrsflorida.com. 3469 IN CNAME imedia-e.nrsforu.com.
imedia-e.nrsforu.com. 3469 IN A 155.188.80.113
;; Query time: 1 msec
;; SERVER: 192.168.10.2#53(192.168.10.2)
;; WHEN: Wed Jan 15 22:36:30 UTC 2020
;; MSG SIZE rcvd: 90
Unbound Log:
[1579128350] unbound[7503:0] info: 192.168.10.2 nrsflorida.com. A IN
[1579128350] unbound[7503:0] info: resolving nrsflorida.com. A IN
[1579128350] unbound[7503:0] info: priming . IN NS
[1579128350] unbound[7503:0] info: response for . NS IN
[1579128350] unbound[7503:0] info: reply from <.> 199.9.14.201#53
[1579128350] unbound[7503:0] info: query response was ANSWER
[1579128350] unbound[7503:0] info: priming successful for . NS IN
[1579128350] unbound[7503:0] info: resolving . DNSKEY IN
[1579128350] unbound[7503:0] info: response for nrsflorida.com. A IN
[1579128350] unbound[7503:0] info: reply from <.> 192.36.148.17#53
[1579128350] unbound[7503:0] info: query response was REFERRAL
[1579128350] unbound[7503:0] info: resolving com. DNSKEY IN
[1579128350] unbound[7503:0] info: response for . DNSKEY IN
[1579128350] unbound[7503:0] info: reply from <.> 192.58.128.30#53
[1579128350] unbound[7503:0] info: query response was ANSWER
[1579128350] unbound[7503:0] info: response for com. DNSKEY IN
[1579128350] unbound[7503:0] info: reply from <com.> 192.48.79.30#53
[1579128350] unbound[7503:0] info: query response was ANSWER
[1579128351] unbound[7503:0] info: response for nrsflorida.com. A IN
[1579128351] unbound[7503:0] info: reply from <com.> 192.42.93.30#53
[1579128351] unbound[7503:0] info: query response was REFERRAL
[1579128351] unbound[7503:0] info: response for nrsflorida.com. A IN
[1579128351] unbound[7503:0] info: reply from <nrsflorida.com.> 155.188.176.1#53
[1579128351] unbound[7503:0] info: query response was CNAME
[1579128351] unbound[7503:0] info: resolving nrsflorida.com. A IN
[1579128351] unbound[7503:0] info: resolving com. DNSKEY IN
[1579128351] unbound[7503:0] info: response for nrsflorida.com. A IN
[1579128351] unbound[7503:0] info: reply from <com.> 192.55.83.30#53
[1579128351] unbound[7503:0] info: query response was REFERRAL
[1579128351] unbound[7503:0] info: response for nrsflorida.com. A IN
[1579128351] unbound[7503:0] info: reply from <nrsforu.com.> 155.188.67.1#53
[1579128351] unbound[7503:0] info: query response was ANSWER
[1579128351] unbound[7503:0] info: prime trust anchor
[1579128351] unbound[7503:0] info: generate keytag query _ta-4f66. NULL IN
[1579128351] unbound[7503:0] info: resolving . DNSKEY IN
[1579128351] unbound[7503:0] info: validate keys with anchor(DS): sec_status_secure
[1579128351] unbound[7503:0] info: Successfully primed trust anchor . DNSKEY IN
[1579128351] unbound[7503:0] info: resolving _ta-4f66. NULL IN
[1579128351] unbound[7503:0] info: validated DS com. DS IN
[1579128351] unbound[7503:0] info: resolving . DNSKEY IN
[1579128351] unbound[7503:0] info: resolving com. DNSKEY IN
[1579128351] unbound[7503:0] info: validated DNSKEY com. DNSKEY IN
[1579128351] unbound[7503:0] info: NSEC3s for the referral proved no DS.
[1579128351] unbound[7503:0] info: Verified that unsigned response is INSECURE
[1579128351] unbound[7503:0] info: NSEC3s for the referral proved no DS.
[1579128351] unbound[7503:0] info: Verified that unsigned response is INSECURE
[1579128351] unbound[7503:0] info: response for _ta-4f66. NULL IN
[1579128351] unbound[7503:0] info: reply from <.> 202.12.27.33#53
[1579128351] unbound[7503:0] info: query response was NXDOMAIN ANSWER
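The forwarder log above, and the maintainer's point that the upstream "does not always give the same reply for the DS query", both describe the same symptom: the DS query for the apex gets a CNAME reply on one attempt and a nodata reply on the next, so the validator never gets a consistent proof for the delegation and ends with "Could not establish a chain of trust". The following added example (written for this page, not code from the issue or from Unbound) parses Unbound `verbosity: 2` log lines in the format shown above and reports DS queries whose replies flap between kinds, grouped by upstream server, plus any chain-of-trust failures. The sample input is an abridged excerpt of the forwarder log from the issue; the line format assumptions are the three message shapes seen above ("response for", "reply from", "query response was").

```python
"""Detect inconsistent DS replies in an Unbound log (added example).

Assumes the Unbound log message shapes visible in the issue:
  info: response for <qname> <qtype> IN
  info: reply from <zone> <ip>#<port>
  info: query response was <kind>
  info: Could not establish a chain of trust to keys for <qname> ...
"""
import re
from collections import defaultdict

# Constructed sample: abridged excerpt of the forwarder log from the issue.
SAMPLE_LOG = """\
[1579128148] unbound[7354:0] info: resolving com. DS IN
[1579128148] unbound[7354:0] info: response for com. DS IN
[1579128148] unbound[7354:0] info: reply from <.> 1.1.1.1#853
[1579128148] unbound[7354:0] info: query response was ANSWER
[1579128148] unbound[7354:0] info: validated DS com. DS IN
[1579128148] unbound[7354:0] info: resolving nrsflorida.com. DS IN
[1579128149] unbound[7354:0] info: response for nrsflorida.com. DS IN
[1579128149] unbound[7354:0] info: reply from <.> 1.0.0.1#853
[1579128149] unbound[7354:0] info: query response was CNAME
[1579128149] unbound[7354:0] info: resolving nrsflorida.com. DS IN
[1579128149] unbound[7354:0] info: response for nrsflorida.com. DS IN
[1579128149] unbound[7354:0] info: reply from <.> 1.0.0.1#853
[1579128149] unbound[7354:0] info: query response was nodata ANSWER
[1579128149] unbound[7354:0] info: resolving nrsflorida.com. DS IN
[1579128149] unbound[7354:0] info: response for nrsflorida.com. DS IN
[1579128149] unbound[7354:0] info: reply from <.> 1.1.1.1#853
[1579128149] unbound[7354:0] info: query response was CNAME
[1579128150] unbound[7354:0] info: Could not establish a chain of trust to keys for nrsflorida.com. DNSKEY IN
"""

RESPONSE_FOR = re.compile(r"info: response for (\S+) (\S+) IN$")
REPLY_FROM = re.compile(r"info: reply from <[^>]*> (\S+)#\d+$")
RESPONSE_WAS = re.compile(r"info: query response was (.+)$")
CHAIN_FAIL = re.compile(r"info: Could not establish a chain of trust to keys for (\S+) ")


def parse_responses(log_text):
    """Return a list of (qname, qtype, upstream_ip, kind), one per reply.

    Unbound emits the three lines for one reply consecutively, so a small
    state machine that remembers the last 'response for' line is enough.
    """
    responses = []
    pending = None  # [qname, qtype, upstream] for the reply being assembled
    for line in log_text.splitlines():
        m = RESPONSE_FOR.search(line)
        if m:
            pending = [m.group(1), m.group(2), None]
            continue
        m = REPLY_FROM.search(line)
        if m and pending is not None:
            pending[2] = m.group(1)
            continue
        m = RESPONSE_WAS.search(line)
        if m and pending is not None:
            responses.append((pending[0], pending[1], pending[2], m.group(1).strip()))
            pending = None
    return responses


def find_inconsistent_ds(responses):
    """Map qname -> sorted reply kinds, for DS queries answered in >1 way.

    A validator needs one consistent story for a DS query: a signed DS
    RRset (secure delegation) or a signed denial of existence (insecure
    delegation).  Two different kinds for the same name means it cannot
    build the chain of trust from the parent.
    """
    kinds = defaultdict(set)
    for qname, qtype, _upstream, kind in responses:
        if qtype == "DS":
            kinds[qname].add(kind)
    return {name: sorted(k) for name, k in kinds.items() if len(k) > 1}


def ds_kinds_by_upstream(responses):
    """Map (qname, upstream_ip) -> sorted reply kinds for DS queries.

    Lets you tell whether a single upstream flaps (as 1.0.0.1 does in the
    sample) or whether two upstreams merely disagree with each other.
    """
    kinds = defaultdict(set)
    for qname, qtype, upstream, kind in responses:
        if qtype == "DS":
            kinds[(qname, upstream)].add(kind)
    return {key: sorted(k) for key, k in kinds.items()}


def find_chain_failures(log_text):
    """Return the names for which Unbound reported no chain of trust."""
    failures = []
    for line in log_text.splitlines():
        m = CHAIN_FAIL.search(line)
        if m:
            failures.append(m.group(1))
    return failures


if __name__ == "__main__":
    resps = parse_responses(SAMPLE_LOG)
    print("inconsistent DS replies:", find_inconsistent_ds(resps))
    print("per upstream:", ds_kinds_by_upstream(resps))
    print("chain-of-trust failures:", find_chain_failures(SAMPLE_LOG))
```

Run it against a longer capture (`unbound -d -v` or `verbosity: 2` in unbound.conf, then feed the log file to `parse_responses`) to confirm whether the flapping is tied to one upstream address, which is the evidence worth attaching to a ticket with the forwarder's operator.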