-
Notifications
You must be signed in to change notification settings - Fork 86
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Mox incorrectly warns that DNS resolvers do not verify DNSSEC #139
Comments
Hi triatic, thanks for raising this issue. I don't think delv is a representative check: Delv does its own DNSSEC validation. This is from its manual page:
Could you check a command like this, and make sure the "ad" (authentic data) flag is present in the response? If it is not present, then the recursive resolver did not validate DNSSEC.
Also see issue #131 for similar debugging. |
Thanks for your reply, I didn't know that about delv.
|
So in the other issue it related to the root trust anchor file, but I am using Oracle Cloud's default DNS resolver. Am I able to verify its root trust anchor manually? |
Ah interesting. The root trust anchor issue with unbound was the reason that other issue didn't return the "ad" flag. But you are getting the "ad" response, so it is something different. Could you try separate dns lookups with the "mox dns lookup" subcommand? It will use the same configuration as mox uses during quickstart and later operation:
If that does not have dnssec, and authentic=false, we'll have to dig deeper. |
|
It's getting interesting. (: Can you try looking up NS for the root label (.)? That's what quickstart does for its check for DNSSEC, https://github.com/mjl-/mox/blob/v0.0.9/quickstart.go#L166:
The idea is that trust has to start at the top, so it makes sense to query the root, but I it may be a special case for some dns resolvers. I didn't want to query any specific other domain, though perhaps just requesting .com will be fine too (if ns on dot doesn't return authentic data, could you check if looking up ns on .com does? or see if there is a pattern). |
I thought I was the only one that finds DNS interesting! :)
Yes, you nailed it.
|
nice, thanks! will change to looking up .com in the quickstart. i have another commit pending, hopefully later today. |
Cheers! And thanks for Mox, I found out about it in my quest for an MTA with native MTA-STS support. Looking forward to trying it out. |
check the authentic data bit for the NS records of "com.", not for ".": some dnssec-verifying resolvers return unauthentic data for ".". for issue #139 by triatic, thanks!
The referenced commit should fix this issue. If you want, you could test with that commit, but I would recommend the latest, a9f11b8: Run For fun, once you have it up and running, you may like to try https://www.email-security-scans.org. It checks various tls/mta-sts/dane behaviours when sending email (the "receiving" part of dane/mta-sts is usually easier to set up/do). Thanks again, and let me know if you run into anything else! |
No problem, glad I could help. :) |
Mox is telling me my DNS resolvers do not verify DNSSEC, but this is not the case.
The text was updated successfully, but these errors were encountered: