Unsupported DNSSEC algorithms should be considered INSECURE, not BOGUS #19824

pemensik · 2021-06-04T18:46:19Z

systemd version the issue has been seen with

systemd-248.3-1.fc35.x86_64

Used distribution

Fedora Rawhide

Linux kernel version used (uname -a)

Linux pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 5.12.0-0.rc4.20210325gite138138003eb.177.fc35.x86_64 #1 SMP Thu Mar 25 16:45:05 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

CPU architecture issue was seen on

x86_64

Expected behaviour you didn't see

status: NOERROR should be returned for unknown algorithms. Only ad flag should be missing in header flags.

Unexpected behaviour you saw

# dig @127.0.0.53 secure.d4a6n3.rootcanary.net

; <<>> DiG 9.16.16-RH <<>> @127.0.0.53 secure.d4a6n3.rootcanary.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53963
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;secure.d4a6n3.rootcanary.net.	IN	A

;; ANSWER SECTION:
secure.d4a6n3.rootcanary.net. 60 IN	A	145.97.20.17

;; Query time: 366 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Fri Jun 04 14:38:14 EDT 2021
;; MSG SIZE  rcvd: 73

Steps to reproduce the problem

Resolved multiple hosts from https://rootcanary.org/test.html test. Many of them returns SERVFAIL and unusually also response answer. But well behaved resolver should return NOERROR for unsupported algorithms.

set DNSSEC=yes in /etc/systemd/resolved.conf
systemctl restart systemd-resolved
dig @127.0.0.53 secure.d4a6n3.rootcanary.net

Additional program output to the terminal or log subsystem illustrating the issue

Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]: Found verdict for lookup rootcanary.net IN DS: secure
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]: Regular transaction 21237 for <rootcanary.net IN DS> on scope dns on eth0/* now complete with <success> from network (authent>
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]: Validating response from transaction 56396 (rootcanary.net IN DNSKEY).
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]: Looking at rootcanary.net IN DNSKEY 257 3 RSASHA256 AwEAAdDk0xPx74/+J4BFAtodd6j2yTDoX9D+paS
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:                                          jzxVl+jMQmrsrQprdBxX3fale9f62j4oo7scfU+
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:                                          wabBXl56lehbw/wds6oVqDNun9ORQisXhIq9H+u
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:                                          3a9WtTAF+OQyPoSirRLYdNR7+wWvb88L27w88+j
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:                                          L0gkFb8klGzr03EFrq6r
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:         -- Flags: SEP ZONE_KEY
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:         -- Key tag: 64786: validated
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]: Found verdict for lookup rootcanary.net IN DNSKEY: secure
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]: Regular transaction 56396 for <rootcanary.net IN DNSKEY> on scope dns on eth0/* now complete with <success> from network (aut>
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]: Validating response from transaction 23158 (d4a6n3.rootcanary.net IN DS).
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]: Looking at d4a6n3.rootcanary.net IN DS 55720 6 4 b599235bcba03975733a5b17a65c8ad65698ad0478d3fe5a628519d067dd381ad1a4a9b0fb38>
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]: Found verdict for lookup d4a6n3.rootcanary.net IN DS: secure
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]: Regular transaction 23158 for <d4a6n3.rootcanary.net IN DS> on scope dns on eth0/* now complete with <success> from network (>
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]: Validating response from transaction 55929 (d4a6n3.rootcanary.net IN DNSKEY).
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]: Looking at d4a6n3.rootcanary.net IN DNSKEY 257 3 DSA-NSEC3-SHA1
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:         CKoJzM6LpXWxMZuzYjB60/QKvVf1xgPJfi3C6iUrrnOYcwXIZMcS7gaua4fcPgxju6eoVdg
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:         CN/YyLybq3MDe+drW1pI0LWolVZSJlp2XqUX6vPe8O8GyU5oDFkGk+INU3DD+ayWoONNcfO
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:         5fvrsjG1wqsVZjC4AKAyyO2TxUpyMa5FdAh5aeXz9USBrh0uHvfMMC7nO5OdoH9PlZhaaZz
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:         32BfkSpkuDxjeXAt/vZ59r86PFz5Q/om2udRWAQrPprdJBxmuai4EA3rC9uEv1JZqLGdP8+
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:         qVvx3H+xs27rq/9rKFC99yx0yNzkD8tx0WJVwuvNBKYDpl4hy+CM+kld3vQOzMmu+MTIVOR
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:         kmTLGkD74lqJ0QAhumSpsKRu5Kl5xaC56OQihIYKfMoUI0/Fxz+5pFwRjXRH5AynWExfMep
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:         V7Qn6++f+ATu8NViwsLGXm+Psor40PPTjYMv8jML9bz/CaO7t+LjPg6LrXy0sH9Vek8pK29
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:         t291X+oW9HEej2WQTBhTpiAW1p529uevcMfrWje2/sO
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:         -- Flags: SEP ZONE_KEY
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:         -- Key tag: 55720: unsupported-algorithm
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]: Looking at d4a6n3.rootcanary.net IN DNSKEY 257 3 DSA-NSEC3-SHA1
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:         CKoJzM6LpXWxMZuzYjB60/QKvVf1xgPJfi3C6iUrrnOYcwXIZMcS7gaua4fcPgxju6eoVdg
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:         CN/YyLybq3MDe+drW1pI0LWolVZSJlp2XqUX6vPe8O8GyU5oDFkGk+INU3DD+ayWoONNcfO
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:         5fvrsjG1wqsVZjC4AKAyyO2TxUpyMa5FdAh5aeXz9USBrh0uHvfMMC7nO5OdoH9PlZhaaZz
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:         32BfkSpkuDxjeXAt/vZ59r86PFz5Q/om2udRWAQrPprdJBxmuai4EA3rC9uEv1JZqLGdP8+
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:         qVvx3H+xs27rq/9rKFC99yx0yNzkD8tx0WJVwuvNBKYDpl4hy+CM+kld3vQOzMmu+MTIVOR
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:         kmTLGkD74lqJ0QAhumSpsKRu5Kl5xaC56OQihIYKfMoUI0/Fxz+5pFwRjXRH5AynWExfMep
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:         V7Qn6++f+ATu8NViwsLGXm+Psor40PPTjYMv8jML9bz/CaO7t+LjPg6LrXy0sH9Vek8pK29
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:         t291X+oW9HEej2WQTBhTpiAW1p529uevcMfrWje2/sO
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:         -- Flags: SEP ZONE_KEY
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]:         -- Key tag: 55720: unsupported-algorithm
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]: Found verdict for lookup d4a6n3.rootcanary.net IN DNSKEY: indeterminate
Jun 04 14:38:14 pemensik-1mt-fedora-rawhide-2588999-2021-06-04-16-56 systemd-resolved[15919]: [🡕] DNSSEC validation failed for question d4a6n3.rootcanary.net IN DNSKEY: unsupported-algorithm

The text was updated successfully, but these errors were encountered:

mdavids · 2022-05-13T06:20:56Z

Totally agree.

Returning a SERVFAIL is wrong and is leading to an increasing amount of troubles (i.e. it is impossible to enable DNSSEC-validation in this way).

https://datatracker.ietf.org/doc/html/rfc6840#section-5.2

resolvectl query dnslabs.nl
dnslabs.nl: resolve call failed: DNSSEC validation failed: unsupported-algorithm

dig dnslabs.nl

; <<>> DiG 9.16.1-Ubuntu <<>> dnslabs.nl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 133
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;dnslabs.nl.			IN	A

;; Query time: 16 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Fri May 13 06:20:39 UTC 2022
;; MSG SIZE  rcvd: 39

…OGUS Resolves: systemd#19824

…OGUS Resolves: #19824

…OGUS Resolves: systemd#19824 (cherry picked from commit 1ca3600) (cherry picked from commit e91ea65)

…OGUS Resolves: systemd#19824 (cherry picked from commit 1ca3600)

poettering added dnssec resolve labels Jun 8, 2021

yuwata added the bug 🐛 Programming errors, that need preferential fixing label May 13, 2022

yuwata added this to the v252 milestone May 13, 2022

keszybz added the downstream/rhel Tracking bugs for RHEL label Aug 30, 2022

poettering modified the milestones: v252, v253 Sep 5, 2022

jacekmigacz added a commit to jacekmigacz/systemd that referenced this issue Sep 21, 2022

resolve: unsupported DNSSEC algorithms are considered INSECURE; not B…

519360c

…OGUS Resolves: systemd#19824

yuwata mentioned this issue Sep 27, 2022

resolve: unsupported DNSSEC algorithms are considered INSECURE #24775

Merged

bluca pushed a commit to jacekmigacz/systemd that referenced this issue Sep 30, 2022

resolve: unsupported DNSSEC algorithms are considered INSECURE; not B…

33a13eb

…OGUS Resolves: systemd#19824

bluca closed this as completed in #24775 Sep 30, 2022

bluca pushed a commit that referenced this issue Sep 30, 2022

resolve: unsupported DNSSEC algorithms are considered INSECURE; not B…

1ca3600

…OGUS Resolves: #19824

bluca pushed a commit to bluca/systemd that referenced this issue Jan 27, 2023

resolve: unsupported DNSSEC algorithms are considered INSECURE; not B…

6d6e6a6

…OGUS Resolves: systemd#19824 (cherry picked from commit 1ca3600) (cherry picked from commit e91ea65)

valentindavid pushed a commit to valentindavid/systemd that referenced this issue Aug 8, 2023

resolve: unsupported DNSSEC algorithms are considered INSECURE; not B…

e91ea65

…OGUS Resolves: systemd#19824 (cherry picked from commit 1ca3600)

Unsupported DNSSEC algorithms should be considered INSECURE, not BOGUS #19824

Unsupported DNSSEC algorithms should be considered INSECURE, not BOGUS #19824

pemensik commented Jun 4, 2021

mdavids commented May 13, 2022 •

edited

Unsupported DNSSEC algorithms should be considered INSECURE, not BOGUS #19824

Unsupported DNSSEC algorithms should be considered INSECURE, not BOGUS #19824

Comments

pemensik commented Jun 4, 2021

mdavids commented May 13, 2022 • edited

mdavids commented May 13, 2022 •

edited