Unsupported DNSSEC algorithms should be considered INSECURE, not BOGUS #19824

Closed
pemensik opened this issue Jun 4, 2021 · 1 comment · Fixed by #24775
Labels: bug (Programming errors, that need preferential fixing), dnssec, downstream/rhel (Tracking bugs for RHEL), resolve
Milestone

Comments

pemensik commented Jun 4, 2021

systemd version the issue has been seen with

systemd-248.3-1.fc35.x86_64

Used distribution

Fedora Rawhide

Linux kernel version used (uname -a)

Linux pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 5.12.0-0.rc4.20210325gite138138003eb.177.fc35.x86_64 #1 SMP Thu Mar 25 16:45:05 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

CPU architecture issue was seen on

x86_64

Expected behaviour you didn't see

status: NOERROR should be returned for unknown algorithms. Only the ad flag should be missing from the header flags.

Unexpected behaviour you saw

# dig @127.0.0.53 secure.d4a6n3.rootcanary.net

; <<>> DiG 9.16.16-RH <<>> @127.0.0.53 secure.d4a6n3.rootcanary.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53963
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;secure.d4a6n3.rootcanary.net.	IN	A

;; ANSWER SECTION:
secure.d4a6n3.rootcanary.net. 60 IN	A	145.97.20.17

;; Query time: 366 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Fri Jun 04 14:38:14 EDT 2021
;; MSG SIZE  rcvd: 73

Steps to reproduce the problem

Resolved multiple hosts from the https://rootcanary.org/test.html test. Many of them return SERVFAIL and, unusually, also an answer in the response. But a well-behaved resolver should return NOERROR for unsupported algorithms.

  • set DNSSEC=yes in /etc/systemd/resolved.conf
  • systemctl restart systemd-resolved
  • dig @127.0.0.53 secure.d4a6n3.rootcanary.net

Additional program output to the terminal or log subsystem illustrating the issue

Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]: Found verdict for lookup rootcanary.net IN DS: secure
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]: Regular transaction 21237 for <rootcanary.net IN DS> on scope dns on eth0/* now complete with <success> from network (authent>
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]: Validating response from transaction 56396 (rootcanary.net IN DNSKEY).
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]: Looking at rootcanary.net IN DNSKEY 257 3 RSASHA256 AwEAAdDk0xPx74/+J4BFAtodd6j2yTDoX9D+paS
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:                                          jzxVl+jMQmrsrQprdBxX3fale9f62j4oo7scfU+
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:                                          wabBXl56lehbw/wds6oVqDNun9ORQisXhIq9H+u
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:                                          3a9WtTAF+OQyPoSirRLYdNR7+wWvb88L27w88+j
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:                                          L0gkFb8klGzr03EFrq6r
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:         -- Flags: SEP ZONE_KEY
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:         -- Key tag: 64786: validated
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]: Found verdict for lookup rootcanary.net IN DNSKEY: secure
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]: Regular transaction 56396 for <rootcanary.net IN DNSKEY> on scope dns on eth0/* now complete with <success> from network (aut>
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]: Validating response from transaction 23158 (d4a6n3.rootcanary.net IN DS).
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]: Looking at d4a6n3.rootcanary.net IN DS 55720 6 4 b599235bcba03975733a5b17a65c8ad65698ad0478d3fe5a628519d067dd381ad1a4a9b0fb38>
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]: Found verdict for lookup d4a6n3.rootcanary.net IN DS: secure
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]: Regular transaction 23158 for <d4a6n3.rootcanary.net IN DS> on scope dns on eth0/* now complete with <success> from network (>
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]: Validating response from transaction 55929 (d4a6n3.rootcanary.net IN DNSKEY).
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]: Looking at d4a6n3.rootcanary.net IN DNSKEY 257 3 DSA-NSEC3-SHA1
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:         CKoJzM6LpXWxMZuzYjB60/QKvVf1xgPJfi3C6iUrrnOYcwXIZMcS7gaua4fcPgxju6eoVdg
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:         CN/YyLybq3MDe+drW1pI0LWolVZSJlp2XqUX6vPe8O8GyU5oDFkGk+INU3DD+ayWoONNcfO
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:         5fvrsjG1wqsVZjC4AKAyyO2TxUpyMa5FdAh5aeXz9USBrh0uHvfMMC7nO5OdoH9PlZhaaZz
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:         32BfkSpkuDxjeXAt/vZ59r86PFz5Q/om2udRWAQrPprdJBxmuai4EA3rC9uEv1JZqLGdP8+
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:         qVvx3H+xs27rq/9rKFC99yx0yNzkD8tx0WJVwuvNBKYDpl4hy+CM+kld3vQOzMmu+MTIVOR
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:         kmTLGkD74lqJ0QAhumSpsKRu5Kl5xaC56OQihIYKfMoUI0/Fxz+5pFwRjXRH5AynWExfMep
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:         V7Qn6++f+ATu8NViwsLGXm+Psor40PPTjYMv8jML9bz/CaO7t+LjPg6LrXy0sH9Vek8pK29
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:         t291X+oW9HEej2WQTBhTpiAW1p529uevcMfrWje2/sO
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:         -- Flags: SEP ZONE_KEY
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:         -- Key tag: 55720: unsupported-algorithm
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]: Looking at d4a6n3.rootcanary.net IN DNSKEY 257 3 DSA-NSEC3-SHA1
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:         CKoJzM6LpXWxMZuzYjB60/QKvVf1xgPJfi3C6iUrrnOYcwXIZMcS7gaua4fcPgxju6eoVdg
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:         CN/YyLybq3MDe+drW1pI0LWolVZSJlp2XqUX6vPe8O8GyU5oDFkGk+INU3DD+ayWoONNcfO
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:         5fvrsjG1wqsVZjC4AKAyyO2TxUpyMa5FdAh5aeXz9USBrh0uHvfMMC7nO5OdoH9PlZhaaZz
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:         32BfkSpkuDxjeXAt/vZ59r86PFz5Q/om2udRWAQrPprdJBxmuai4EA3rC9uEv1JZqLGdP8+
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:         qVvx3H+xs27rq/9rKFC99yx0yNzkD8tx0WJVwuvNBKYDpl4hy+CM+kld3vQOzMmu+MTIVOR
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:         kmTLGkD74lqJ0QAhumSpsKRu5Kl5xaC56OQihIYKfMoUI0/Fxz+5pFwRjXRH5AynWExfMep
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:         V7Qn6++f+ATu8NViwsLGXm+Psor40PPTjYMv8jML9bz/CaO7t+LjPg6LrXy0sH9Vek8pK29
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:         t291X+oW9HEej2WQTBhTpiAW1p529uevcMfrWje2/sO
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:         -- Flags: SEP ZONE_KEY
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:         -- Key tag: 55720: unsupported-algorithm
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]: Found verdict for lookup d4a6n3.rootcanary.net IN DNSKEY: indeterminate
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]: [🡕] DNSSEC validation failed for question d4a6n3.rootcanary.net IN DNSKEY: unsupported-algorithm
mdavids commented May 13, 2022

Totally agree.

Returning a SERVFAIL is wrong and is leading to an increasing amount of trouble (i.e. it is impossible to enable DNSSEC validation in this way).

https://datatracker.ietf.org/doc/html/rfc6840#section-5.2

resolvectl query dnslabs.nl
dnslabs.nl: resolve call failed: DNSSEC validation failed: unsupported-algorithm
dig dnslabs.nl

; <<>> DiG 9.16.1-Ubuntu <<>> dnslabs.nl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 133
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;dnslabs.nl.			IN	A

;; Query time: 16 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Fri May 13 06:20:39 UTC 2022
;; MSG SIZE  rcvd: 39

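As an added illustration of the rule both comments above and RFC 6840 section 5.2 describe, and not systemd-resolved's own code: a small Python model of the DS-to-DNSKEY verdict, with the "bogus" behaviour reported in this issue beside the corrected "insecure" handling. The supported algorithm and digest sets are assumptions for the toy, and the DS/DNSKEY records are constructed from the key tags and algorithm numbers in the logs above (no real cryptographic verification is performed).

```python
from dataclasses import dataclass

# Assumed support sets for this toy validator (IANA numbers):
# algorithms 8 = RSASHA256, 13 = ECDSAP256SHA256; digest types 2 = SHA-256, 4 = SHA-384.
# Algorithm 6 (DSA-NSEC3-SHA1), seen in the logs above, is deliberately absent.
SUPPORTED_ALGORITHMS = {8, 13}
SUPPORTED_DIGESTS = {2, 4}

@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int

@dataclass(frozen=True)
class DNSKEY:
    key_tag: int
    algorithm: int
    signature_valid: bool  # constructed stand-in for the real RRSIG check

def zone_verdict(ds_set, dnskeys, rfc6840=True):
    """Decide 'secure', 'insecure' or 'bogus' for a child zone.

    rfc6840=False reproduces the behaviour reported in this issue: a DS set
    the validator cannot use is treated as bogus (served as SERVFAIL).
    rfc6840=True applies RFC 6840 section 5.2: such a zone is treated as
    unsigned, i.e. insecure, and the answer is served without the AD bit.
    """
    usable = [ds for ds in ds_set
              if ds.algorithm in SUPPORTED_ALGORITHMS
              and ds.digest_type in SUPPORTED_DIGESTS]
    if not usable:
        return "insecure" if rfc6840 else "bogus"
    # At least one DS is usable: a matching, verifiable DNSKEY must exist.
    for ds in usable:
        for key in dnskeys:
            if (key.key_tag, key.algorithm) == (ds.key_tag, ds.algorithm) and key.signature_valid:
                return "secure"
    return "bogus"

def response_for(verdict):
    """Map a verdict to the (rcode, AD flag) a validating stub resolver returns."""
    if verdict == "bogus":
        return ("SERVFAIL", False)
    return ("NOERROR", verdict == "secure")

# Constructed from the log lines above: d4a6n3.rootcanary.net is signed with
# key tag 55720, algorithm 6, and its DS uses digest type 4.
D4A6N3_DS = [DS(55720, 6, 4)]
D4A6N3_KEYS = [DNSKEY(55720, 6, True)]
```

With `rfc6840=False` the zone above ends as SERVFAIL exactly as in the dig output; with the RFC 6840 rule it is answered NOERROR without the AD bit, which is what the reporter expected.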
@yuwata yuwata added the bug 🐛 Programming errors, that need preferential fixing label May 13, 2022
@yuwata yuwata added this to the v252 milestone May 13, 2022
@keszybz keszybz added the downstream/rhel Tracking bugs for RHEL label Aug 30, 2022
@poettering poettering modified the milestones: v252, v253 Sep 5, 2022
jacekmigacz added a commit to jacekmigacz/systemd that referenced this issue Sep 21, 2022
bluca pushed a commit to jacekmigacz/systemd that referenced this issue Sep 30, 2022
bluca pushed a commit to bluca/systemd that referenced this issue Jan 27, 2023
…OGUS

Resolves: systemd#19824
(cherry picked from commit 1ca3600)
(cherry picked from commit e91ea65)
valentindavid pushed a commit to valentindavid/systemd that referenced this issue Aug 8, 2023