CoreDNS cache violates rfc6840 #5189

Closed
micw opened this issue Feb 15, 2022 · 8 comments · Fixed by #5191
Comments

@micw

micw commented Feb 15, 2022

Some users of https://github.com/Mailu/Mailu reported that DNSSec is not working properly with CoreDNS. We figured out that it is caused by a change to CoreDNS introduced with #4736 that violates rfc6840.

For details, please see the comment in #4736 (comment) and the discussion in Mailu/Mailu#2239 (comment).

@micw micw added the bug label Feb 15, 2022
@chrisohaver
Member

> This is in breach of https://datatracker.ietf.org/doc/html/rfc6840#section-5.8 ... which makes perfectly clear that DO or AD in the query should be treated the same (and the AD flag preserved).

That isn't perfectly clear to me. Can you explain in more detail what is being violated?

/label needs info

@corbot corbot bot added the needs info label Feb 15, 2022
@chrisohaver
Member

chrisohaver commented Feb 15, 2022

@micw, I think perhaps you intended to link to https://datatracker.ietf.org/doc/html/rfc6840#section-5.7? Or at least the 5.8 section makes more sense in the context of 5.7.

Essentially, a requester is permitted to indicate that it understands the AD bit without also requesting DNSSEC data via the DO bit. And therefore a response SHOULD retain the original response's AD bit, regardless of the state of the DO bit in the request.

In which case the origin of the behavior in question is #4085. #4736 simply aligns the cache miss behavior to the cache hit behavior established in #4085. IMO, it doesn't make sense for cache hit and miss behavior to differ here.

@chrisohaver chrisohaver changed the title Changes in #4736 violates rfc6840 CoreDNS cache violates rfc6840 Feb 15, 2022
bors bot added a commit to Mailu/Mailu that referenced this issue Feb 23, 2022
2253: Workaround the infamous coredns feature r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

Ensure that we set the ``DO`` flag on our queries to work around coredns/coredns#5189

Add a FAQ entry to point users in the right direction in other cases (dnsmasq), discourage users from running Mailu without unbound

### Related issue(s)
- closes #2243
- closes #2239
- #2164
- #2163
- #2162
- #2135
- #1988

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry is not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
@outbackdingo

Don't know why this is closed, I just deployed

```yaml
# Version of mailu docker images to use when not specified otherwise
mailuVersion: 1.9.26
```

on kubernetes 1.21.3

```
Client Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.1", GitCommit:"3ddd0f45aa91e2f30c70734b175631bec5b5825a", GitTreeState:"archive", BuildDate:"2022-06-18T00:00:00Z", GoVersion:"go1.18.3", Compiler:"gc", Platform:"linux/amd64"}
Kustomize Version: v4.5.4
Server Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.3", GitCommit:"ca643a4d1f7bfe34773c74f79527be4afd95bf39", GitTreeState:"clean", BuildDate:"2021-07-15T20:59:07Z", GoVersion:"go1.16.6", Compiler:"gc", Platform:"linux/amd64"}
WARNING: version difference between client (1.24) and server (1.21) exceeds the supported minor version skew of +/-1
```

and I'm still getting this error:

```
CRITICAL:root:Your DNS resolver at 10.96.0.10 isn't doing DNSSEC validation; Please see https://mailu.io/master/faq.html#the-admin-container-won-t-start-and-its-log-says-critical-your-dns-resolver-isn-t-doing-dnssec-validation.
CRITICAL:root:Your DNS resolver at 10.96.0.10 isn't doing DNSSEC validation; Please see https://mailu.io/master/faq.html#the-admin-container-won-t-start-and-its-log-says-critical-your-dns-resolver-isn-t-doing-dnssec-validation.
CRITICAL:root:Your DNS resolver at 10.96.0.10 isn't doing DNSSEC validation; Please see https://mailu.io/master/faq.html#the-admin-container-won-t-start-and-its-log-says-critical-your-dns-resolver-isn-t-doing-dnssec-validation.
```

So how can I fix this and move forward with migrating email services?

@chrisohaver
Member

> dont know why this is closed

It was closed because the reported issue ("CoreDNS cache violates rfc6840") was fixed and merged.

@outbackdingo

Yup, I see what happened: Mailu, which I deployed, still has the issue; it was linked to your bug as fixed... I was like, but it's not; then now I see the bug is Mailu, not CoreDNS.

@entrymon

entrymon commented Jan 9, 2023

I upgraded CoreDNS to 1.9.4 but am still getting the same issues.

```
CRITICAL:root:Your DNS resolver at 10.96.0.10 isn't doing DNSSEC validation; Please see https://mailu.io/master/faq.html#the-admin-container-won-t-start-and-its-log-says-critical-your-dns-resolver-isn-t-doing-dnssec-validation.
```

@agxs

agxs commented Feb 17, 2023

@entrymon check that the DNS server your nodes are using supports DNSSEC, e.g. `dig @192.168.0.1 www.isc.org. A +dnssec +multiline` (adjust the IP to be your DNS server).

I had this issue with v1.9.4 as well but turns out the DNS server I was using had DNSSEC turned off.

@cipianpascu

cipianpascu commented Jul 15, 2023

With coredns:v1.10.1 and mailu/admin:2.0.10, for me, it still doesn't work.
I ran dig from within the cluster, and ChatGPT confirmed that DNSSEC works properly with CoreDNS.


```
dig @10.44.0.10 ciprianpascu.ro. A +dnssec +multiline

; <<>> DiG 9.18.10 <<>> @10.44.0.10 ciprianpascu.ro. A +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3626
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: 46072a15b8905e40 (echoed)
;; QUESTION SECTION:
;ciprianpascu.ro. IN A

;; ANSWER SECTION:
ciprianpascu.ro. 30 IN RRSIG A 13 2 3600 (
20230814070820 20230715070820 60682 ciprianpascu.ro.
1fRSn92pcVEnrh09nDqAEH0KqlIjzLsyHIo+E5fmUS6g
sK4SXQv/U+b1Zo0dC5Rain30ZX1mjqa4dUMyRrXcEg== )
ciprianpascu.ro. 30 IN A 86.120.147.233

;; Query time: 128 msec
;; SERVER: 10.44.0.10#53(10.44.0.10) (UDP)
;; WHEN: Sat Jul 15 10:48:18 UTC 2023
;; MSG SIZE rcvd: 213
```


Mailu admin logs:

```
CRITICAL:root:Your DNS resolver at 10.44.0.10 isn't doing DNSSEC validation; Please see https://mailu.io/master/faq.html#the-admin-container-won-t-start-and-its-log-says-critical-your-dns-resolver-isn-t-doing-dnssec-validation.
CRITICAL:root:Your DNS resolver at 10.44.0.10 isn't doing DNSSEC validation; Please see https://mailu.io/master/faq.html#the-admin-container-won-t-start-and-its-log-says-critical-your-dns-resolver-isn-t-doing-dnssec-validation.
CRITICAL:root:Your DNS resolver at 10.44.0.10 isn't doing DNSSEC validation; Please see https://mailu.io/master/faq.html#the-admin-container-won-t-start-and-its-log-says-critical-your-dns-resolver-isn-t-doing-dnssec-validation.
```
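
An added example (editor's code, not from the thread, CoreDNS or Mailu) that ties chrisohaver's reading of RFC 6840 section 5.7 to the dig output posted above: it parses the flag lines of a dig response to separate "DNSSEC records were returned" (EDNS `do`, RRSIG present) from "the resolver validated the answer" (header `ad`), and models which AD bit a cache should hand back for a given request. The sample dig text, domain and key tag are constructed.

```python
import re

# Constructed sample, shaped like the dig output pasted in the thread: the
# EDNS "do" flag and an RRSIG are present, but "ad" is absent from the header.
SAMPLE_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3626
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; ANSWER SECTION:
example.net. 30 IN RRSIG A 13 2 3600 ( 20230814070820 20230715070820 1234 example.net. AAAA== )
example.net. 30 IN A 192.0.2.1
"""


def parse_dig_flags(text: str) -> dict:
    """Pull the header flags, EDNS flags and RRSIG presence out of dig output."""
    header = re.search(r"^;; flags:\s*([a-z ]*);", text, re.M)
    edns = re.search(r"^; EDNS: version: \d+, flags:\s*([a-z ]*);", text, re.M)
    hdr_flags = set(header.group(1).split()) if header else set()
    edns_flags = set(edns.group(1).split()) if edns else set()
    return {
        "ad": "ad" in hdr_flags,    # Authenticated Data: the resolver validated
        "do": "do" in edns_flags,   # DNSSEC OK: DNSSEC records were requested
        "rrsig": bool(re.search(r"\sIN\s+RRSIG\s", text)),
    }


def verdict(flags: dict) -> str:
    """What the response proves. RRSIGs in the answer only show that DNSSEC
    data was relayed; only the AD bit shows that the resolver validated it."""
    if flags["ad"]:
        return "validated"
    if flags["do"] or flags["rrsig"]:
        return "signed-but-not-validated"
    return "no-dnssec"


def ad_bit_to_return(request_ad: bool, request_do: bool, upstream_ad: bool) -> bool:
    """RFC 6840 section 5.7 as read in the thread: a requester may signal that it
    understands AD without setting DO, so a validated AD bit is returned whenever
    AD or DO was set in the request. A cache that clears AD just because DO was
    clear (the behaviour this issue reports) would wrongly return False for
    request_ad=True, request_do=False, upstream_ad=True."""
    return upstream_ad and (request_ad or request_do)


if __name__ == "__main__":
    flags = parse_dig_flags(SAMPLE_DIG)
    print(flags, verdict(flags))  # {'ad': False, 'do': True, 'rrsig': True} signed-but-not-validated
```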

@coredns coredns locked as resolved and limited conversation to collaborators Jul 15, 2023