Can't resolve mermaid.js.org with DNSSEC=allow-downgrade #32061

Closed
Raniz85 opened this issue Apr 3, 2024 · 2 comments
Raniz85 commented Apr 3, 2024

systemd version the issue has been seen with

sys-apps/systemd-255.3-r1

Used distribution

Gentoo

Linux kernel version used

6.6.21-gentoo-dist-hardened

CPU architectures issue was seen on

x86_64

Component

resolvectl

Expected behaviour you didn't see

mermaid.js.org is resolved correctly

Unexpected behaviour you saw

mermaid.js.org: resolve call failed: DNSSEC validation failed: no-signature

Steps to reproduce the problem

Set DNSSEC to allow-downgrade and try to resolve mermaid.js.org

Additional program output to the terminal or log subsystem illustrating the issue

==== Resolved configuration ====
$ resolvectl status
Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
    resolv.conf mode: foreign
  Current DNS Server: 192.168.177.11
         DNS Servers: 192.168.177.11
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 8.8.8.8#dns.google 1.0.0.1#cloudflare-dns.com 8.8.4.4#dns.google 2606:4700:4700::1111#cloudflare-dns.com 2001:4860:4860::8888#dns.google 2606:4700:4700::1001#cloudflare-dns.com
                      2001:4860:4860::8844#dns.google
          DNS Domain: lan

Link 2 (wlo1)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: +DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
Current DNS Server: 192.168.177.11
       DNS Servers: 192.168.177.11
        DNS Domain: lan

Link 3 (enp46s0u2u4)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: +DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
Current DNS Server: 192.168.177.11
       DNS Servers: 192.168.177.11
        DNS Domain: lan

Link 4 (eno2)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported

==== output of delv ====
$ delv +cd +vtrace mermaid.js.org @192.168.177.11
;; fetch: mermaid.js.org/A
;; validating mermaid.js.org/CNAME: starting
;; validating mermaid.js.org/CNAME: attempting insecurity proof
;; validating mermaid.js.org/CNAME: checking existence of DS at 'org'
;; fetch: org/DS
;; validating org/DS: starting
;; validating org/DS: attempting positive response validation
;; fetch: ./DNSKEY
;; validating ./DNSKEY: starting
;; validating ./DNSKEY: attempting positive response validation
;; validating ./DNSKEY: verify rdataset (keyid=20326): success
;; validating ./DNSKEY: marking as secure (DS)
;; validating org/DS: in fetch_callback_dnskey
;; validating org/DS: keyset with trust secure
;; validating org/DS: resuming validate
;; validating org/DS: verify rdataset (keyid=5613): success
;; validating org/DS: marking as secure, noqname proof not needed
;; validating mermaid.js.org/CNAME: in fetch_callback_ds
;; validating mermaid.js.org/CNAME: resuming proveunsecure
;; validating mermaid.js.org/CNAME: checking existence of DS at 'js.org'
;; fetch: js.org/DS
;; validating js.org/DS: starting
;; validating js.org/DS: attempting positive response validation
;; fetch: org/DNSKEY
;; validating org/DNSKEY: starting
;; validating org/DNSKEY: attempting positive response validation
;; validating org/DNSKEY: verify rdataset (keyid=26974): success
;; validating org/DNSKEY: marking as secure (DS)
;; validating js.org/DS: in fetch_callback_dnskey
;; validating js.org/DS: keyset with trust secure
;; validating js.org/DS: resuming validate
;; validating js.org/DS: verify rdataset (keyid=3093): success
;; validating js.org/DS: marking as secure, noqname proof not needed
;; validating mermaid.js.org/CNAME: in fetch_callback_ds
;; validating mermaid.js.org/CNAME: resuming proveunsecure
;; validating mermaid.js.org/CNAME: checking existence of DS at 'mermaid.js.org'
;; fetch: mermaid.js.org/DS
;; validating mermaid.js.org/DS: starting
;; validating mermaid.js.org/DS: attempting negative response validation from message
;;   validating js.org/SOA: starting
;;   validating js.org/SOA: attempting positive response validation
;; fetch: js.org/DNSKEY
;; validating js.org/DNSKEY: starting
;; validating js.org/DNSKEY: attempting positive response validation
;; validating js.org/DNSKEY: verify rdataset (keyid=2371): success
;; validating js.org/DNSKEY: marking as secure (DS)
;;   validating js.org/SOA: in fetch_callback_dnskey
;;   validating js.org/SOA: keyset with trust secure
;;   validating js.org/SOA: resuming validate
;;   validating js.org/SOA: verify rdataset (keyid=34505): success
;;   validating js.org/SOA: marking as secure, noqname proof not needed
;; validating mermaid.js.org/DS: in validator_callback_nsec
;; validating mermaid.js.org/DS: resuming validate_nx
;;   validating mermaid.js.org/NSEC: starting
;;   validating mermaid.js.org/NSEC: attempting positive response validation
;;   validating mermaid.js.org/NSEC: keyset with trust secure
;;   validating mermaid.js.org/NSEC: verify rdataset (keyid=34505): success
;;   validating mermaid.js.org/NSEC: marking as secure, noqname proof not needed
;; validating mermaid.js.org/DS: in validator_callback_nsec
;; validating mermaid.js.org/DS: looking for relevant NSEC
;; validating mermaid.js.org/DS: nsec proves name exists (owner) data=0
;; validating mermaid.js.org/DS: resuming validate_nx
;; validating mermaid.js.org/DS: nonexistence proof(s) found
;; validating mermaid.js.org/CNAME: in fetch_callback_ds
;; validating mermaid.js.org/CNAME: marking as answer (fetch_callback_ds)
;; fetch: mermaid-js.github.io/A
;; validating mermaid-js.github.io/A: starting
;; validating mermaid-js.github.io/A: attempting insecurity proof
;; validating mermaid-js.github.io/A: checking existence of DS at 'io'
;; fetch: io/DS
;; validating io/DS: starting
;; validating io/DS: attempting positive response validation
;; validating io/DS: keyset with trust secure
;; validating io/DS: verify rdataset (keyid=5613): success
;; validating io/DS: marking as secure, noqname proof not needed
;; validating mermaid-js.github.io/A: in fetch_callback_ds
;; validating mermaid-js.github.io/A: resuming proveunsecure
;; validating mermaid-js.github.io/A: checking existence of DS at 'github.io'
;; fetch: github.io/DS
;; validating github.io/DS: starting
;; validating github.io/DS: attempting negative response validation from message
;;   validating io/SOA: starting
;;   validating io/SOA: attempting positive response validation
;; fetch: io/DNSKEY
;; validating io/DNSKEY: starting
;; validating io/DNSKEY: attempting positive response validation
;; validating io/DNSKEY: verify rdataset (keyid=57355): success
;; validating io/DNSKEY: marking as secure (DS)
;;   validating io/SOA: in fetch_callback_dnskey
;;   validating io/SOA: keyset with trust secure
;;   validating io/SOA: resuming validate
;;   validating io/SOA: verify rdataset (keyid=22323): success
;;   validating io/SOA: marking as secure, noqname proof not needed
;; validating github.io/DS: in validator_callback_nsec
;; validating github.io/DS: resuming validate_nx
;;   validating h2sbcfplucgv6bjm207v541gtp2lh91t.io/NSEC3: starting
;;   validating h2sbcfplucgv6bjm207v541gtp2lh91t.io/NSEC3: attempting positive response validation
;;   validating h2sbcfplucgv6bjm207v541gtp2lh91t.io/NSEC3: keyset with trust secure
;;   validating h2sbcfplucgv6bjm207v541gtp2lh91t.io/NSEC3: verify rdataset (keyid=22323): success
;;   validating h2sbcfplucgv6bjm207v541gtp2lh91t.io/NSEC3: marking as secure, noqname proof not needed
;; validating github.io/DS: in validator_callback_nsec
;; validating github.io/DS: resuming validate_nx
;;   validating u92tce82j4l1t382opcath2ulsjsm9qg.io/NSEC3: starting
;;   validating u92tce82j4l1t382opcath2ulsjsm9qg.io/NSEC3: attempting positive response validation
;;   validating u92tce82j4l1t382opcath2ulsjsm9qg.io/NSEC3: keyset with trust secure
;;   validating u92tce82j4l1t382opcath2ulsjsm9qg.io/NSEC3: verify rdataset (keyid=22323): success
;;   validating u92tce82j4l1t382opcath2ulsjsm9qg.io/NSEC3: marking as secure, noqname proof not needed
;; validating github.io/DS: in validator_callback_nsec
;; validating github.io/DS: resuming validate_nx
;; validating github.io/DS: looking for relevant NSEC3
;; validating github.io/DS: looking for relevant NSEC3
;; validating github.io/DS: looking for relevant NSEC3
;; validating github.io/DS: NSEC3 proves name does not exist: 'github.io'
;; validating github.io/DS: NSEC3 indicates optout
;; validating github.io/DS: looking for relevant NSEC3
;; validating github.io/DS: NSEC3 indicates potential closest encloser: 'io'
;; validating github.io/DS: NSEC3 at super-domain io
;; validating github.io/DS: in checkwildcard: *.io
;; validating github.io/DS: looking for relevant NSEC3
;; validating github.io/DS: looking for relevant NSEC3
;; validating github.io/DS: NSEC3 at super-domain io
;; validating github.io/DS: in checkwildcard: *.io
;; validating github.io/DS: nonexistence proof(s) found
;; validating mermaid-js.github.io/A: in fetch_callback_ds
;; validating mermaid-js.github.io/A: marking as answer (fetch_callback_ds)
; unsigned answer
mermaid.js.org.         300     IN      CNAME   mermaid-js.github.io.
mermaid-js.github.io.   3600    IN      A       185.199.108.153
mermaid-js.github.io.   3600    IN      A       185.199.109.153
mermaid-js.github.io.   3600    IN      A       185.199.110.153
mermaid-js.github.io.   3600    IN      A       185.199.111.153
@Raniz85 Raniz85 added the bug 🐛 Programming errors, that need preferential fixing label Apr 3, 2024
Raniz85 commented Apr 3, 2024

dnsviz shows a few warnings. I suspect something goes wrong with the CNAME pointing from mermaid.js.org to mermaid-js.github.io.

https://dnsviz.net/d/mermaid.js.org/dnssec/

[Screenshot: DNSViz graph for mermaid.js.org]

@Raniz85 Raniz85 changed the title Can't resolve mermaid.js.org Can't resolve mermaid.js.org with DNSSEC=allow-downgrade Apr 3, 2024
rpigott commented Apr 4, 2024

dup of #31484: that CNAME warning is fatal for us, since the dnssec path building algorithm will fail. This should be fixed by the domain operator.
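As an added illustration (not code from this issue, systemd or BIND) of why delv above ends in "unsigned answer" while a validator that cannot build the chain through the CNAME fails, here is a small Python model of the insecurity-proof walk the trace performs, plus the rule for combining per-hop results across a CNAME. The zone data is constructed to mirror the trace; the broken.js.org cut and the alias.js.org answer are invented only to show the bogus case.

```python
# Constructed zone cuts mirroring the delv trace.
# "signed": parent holds a DS.  "unsigned": parent proves (NSEC/NSEC3) no DS.
# "bogus": invented broken cut (DS present, signatures fail) for contrast.
ZONE_CUTS = {
    ".": "signed",
    "org": "signed",
    "js.org": "signed",
    "mermaid.js.org": "unsigned",   # NSEC from js.org: name exists, no DS
    "io": "signed",
    "github.io": "unsigned",        # NSEC3 opt-out from io: no DS
    "broken.js.org": "bogus",       # constructed, not in the trace
}

# Constructed answers; the first two mirror the "unsigned answer" in the trace.
RRSETS = {
    ("mermaid.js.org", "A"): ("CNAME", "mermaid-js.github.io"),
    ("mermaid-js.github.io", "A"): ("A", ["185.199.108.153", "185.199.109.153"]),
    ("alias.js.org", "A"): ("CNAME", "broken.js.org"),
    ("broken.js.org", "A"): ("A", ["192.0.2.1"]),
}

SEVERITY = {"secure": 0, "insecure": 1, "bogus": 2}  # worst status wins


def ancestors(name):
    """Yield candidate zone cuts from the root down to `name`."""
    labels = name.rstrip(".").split(".")
    yield "."
    for i in range(len(labels) - 1, -1, -1):
        yield ".".join(labels[i:])


def name_status(name):
    """Walk root -> name like delv's proveunsecure: the first cut proven to
    have no DS makes everything below it insecure; a broken cut is bogus."""
    for cut in ancestors(name):
        state = ZONE_CUTS.get(cut)  # None: not a cut, still inside parent zone
        if state in ("unsigned", "bogus"):
            return "insecure" if state == "unsigned" else "bogus"
    return "secure"


def resolve_status(name, rtype="A", hops=0):
    """Follow CNAMEs; a chain is only as trustworthy as its worst hop."""
    if hops > 8 or (name, rtype) not in RRSETS:
        return "bogus"  # CNAME loop or no answer: treat as validation failure
    status = name_status(name)
    kind, target = RRSETS[(name, rtype)]
    if kind == "CNAME":
        status = max(status, resolve_status(target, rtype, hops + 1),
                     key=SEVERITY.get)
    return status
```

Here resolve_status("mermaid.js.org") comes out "insecure", which is exactly the unsigned-but-proven-unsigned answer delv accepts; only a hop that is actually bogus should turn the whole chain into a failure.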

@bluca bluca added duplicate and removed bug 🐛 Programming errors, that need preferential fixing labels Apr 5, 2024
@bluca bluca closed this as not planned Won't fix, can't repro, duplicate, stale Apr 5, 2024