[Pkg-dns-devel] Bug#863188: dnssec-trigger: detect missing NSEC3 on wildcard domains and reject forwarder
Paul Wise
pabs at debian.org
Tue May 23 05:48:28 UTC 2017
Package: dnssec-trigger
Version: 0.13-6
Severity: wishlist
I have a Turris Omnia router running TurrisOS and the Knot DNS resolver
that does not return NSEC3 records for wildcard domains. This means
that unbound on my laptop returns SERVFAIL for *.alioth.debian.org
until I run one of the workarounds listed below. I think dnssec-trigger
should detect DNS resolvers that do not work with DNSSEC-signed
wildcard domains and prevent forwarding to them.
Workarounds:
unbound-control flush_zone debian.org
unbound-control forward off
unbound-control flush_zone alioth.debian.org
Debugging information:
$ dig +dnssec pkg-dns.alioth.debian.org @10.1.1.1
; <<>> DiG 9.10.3-P4-Debian <<>> +dnssec pkg-dns.alioth.debian.org @10.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6020
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;pkg-dns.alioth.debian.org. IN A
;; ANSWER SECTION:
pkg-dns.alioth.debian.org. 569 IN A 5.153.231.21
pkg-dns.alioth.debian.org. 569 IN RRSIG A 8 3 600 20170623114004 20170514111511 21021 alioth.debian.org. lOkRpm68Qfccn4r+ZXb/xx8LxS/ZSFKau+PKygvncoJxmoyEU2CiF/HF S6WVSgifpMCFWdYfvYQY7jS9tiF1GylmtaK/NrOCuql1xvCvA50bEI0I SME/AAMJt8UMAfG8SAHiUJ02mV6/fTL08DB3JvtRyhRERZzeX74/5vir d3tNcJ4/gAZ6bDRc7hOlBwpwgjIX3do/8ZQSzBaPCgTLMWv4x6B5ExS3 rpWbRJE8i9EqijiebASkfCjujAx9zyyL
;; Query time: 25 msec
;; SERVER: 10.1.1.1#53(10.1.1.1)
;; WHEN: Tue May 23 13:46:55 AWST 2017
;; MSG SIZE rcvd: 311
$ dig +dnssec pkg-dns.alioth.debian.org @4.2.2.2
; <<>> DiG 9.10.3-P4-Debian <<>> +dnssec pkg-dns.alioth.debian.org @4.2.2.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34129
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 8192
;; QUESTION SECTION:
;pkg-dns.alioth.debian.org. IN A
;; ANSWER SECTION:
pkg-dns.alioth.debian.org. 600 IN A 5.153.231.21
pkg-dns.alioth.debian.org. 600 IN RRSIG A 8 3 600 20170623114004 20170514111511 21021 alioth.debian.org. lOkRpm68Qfccn4r+ZXb/xx8LxS/ZSFKau+PKygvncoJxmoyEU2CiF/HF S6WVSgifpMCFWdYfvYQY7jS9tiF1GylmtaK/NrOCuql1xvCvA50bEI0I SME/AAMJt8UMAfG8SAHiUJ02mV6/fTL08DB3JvtRyhRERZzeX74/5vir d3tNcJ4/gAZ6bDRc7hOlBwpwgjIX3do/8ZQSzBaPCgTLMWv4x6B5ExS3 rpWbRJE8i9EqijiebASkfCjujAx9zyyL
;; AUTHORITY SECTION:
skovl0gji1c2ogfbb5b9u615v0ihhr8s.alioth.debian.org. 3600 IN NSEC3 1 0 16 0304059438 TOCPUCVAPQSTGJI187Q58IVD7SO72VQJ A RRSIG
skovl0gji1c2ogfbb5b9u615v0ihhr8s.alioth.debian.org. 3600 IN RRSIG NSEC3 8 4 3600 20170618224548 20170509220232 21021 alioth.debian.org. KWsKHz6BJu2GL73WIHKCiYRi7DoyRybzcEpjbeG8GZJEcJJ+/ex3nMoX olHzer6EpEswsk6J4E6JHvMPpCPYnMctkbIgFYH9cztbJp2n8Y5lwPW7 JOzMz7/tPvvJ3eBvtPdp8Z2P3XhbrZ6dFbPD4o60Q6mSciwzhBR5yCMK tnDXUgywYMlLiwVGyRIdPKmiSvZ+k8kkH60DTFzTSZ3mdv6lGT5tRAYi 3EK6ATGbl4E4mrpjasbSyxDaO2gymdT9
;; Query time: 412 msec
;; SERVER: 4.2.2.2#53(4.2.2.2)
;; WHEN: Tue May 23 13:47:09 AWST 2017
;; MSG SIZE rcvd: 636
-- System Information:
Debian Release: 9.0
APT prefers testing-debug
APT policy: (900, 'testing-debug'), (900, 'testing'), (860, 'testing-proposed-updates'), (800, 'unstable-debug'), (800, 'unstable'), (790, 'buildd-unstable'), (700, 'experimental-debug'), (700, 'experimental'), (690, 'buildd-experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages dnssec-trigger depends on:
ii gir1.2-networkmanager-1.0 1.6.2-3
ii init-system-helpers 1.48
ii libc6 2.24-10
ii libgdk-pixbuf2.0-0 2.36.5-2
ii libglib2.0-0 2.50.3-2
ii libgtk2.0-0 2.24.31-2
ii libldns2 1.7.0-1
ii libssl1.1 1.1.0e-2
ii python 2.7.13-2
ii python-gi 3.22.0-2
ii python-lockfile 1:0.12.2-2
ii unbound 1.6.0-3
dnssec-trigger recommends no packages.
dnssec-trigger suggests no packages.
-- no debconf information
--
bye,
pabs
https://wiki.debian.org/PaulWise
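The detection the report asks for, as an added example that is not part of the bug report or of dnssec-trigger: a structural check over the two dig responses above (signatures abbreviated, sample text constructed from them), flagging a forwarder whose answer is wildcard-synthesised (RRSIG labels field below the owner's label count) yet carries no NSEC/NSEC3 in the AUTHORITY section. It checks presence of the proof only, not its cryptographic validity or that it covers the right names.

```python
"""Structural check for this report's failure (RFC 4035 s5.3.4): an RRSIG whose
labels field is below the owner's label count marks a wildcard-synthesised
answer, which a validator accepts only with an NSEC/NSEC3 proof in AUTHORITY."""

# Constructed samples: the two dig outputs above with signatures abbreviated.
BROKEN_FORWARDER = """\
;; ANSWER SECTION:
pkg-dns.alioth.debian.org. 569 IN A 5.153.231.21
pkg-dns.alioth.debian.org. 569 IN RRSIG A 8 3 600 20170623114004 20170514111511 21021 alioth.debian.org. lOkRpm68...
;; Query time: 25 msec
"""
GOOD_FORWARDER = """\
;; ANSWER SECTION:
pkg-dns.alioth.debian.org. 600 IN A 5.153.231.21
pkg-dns.alioth.debian.org. 600 IN RRSIG A 8 3 600 20170623114004 20170514111511 21021 alioth.debian.org. lOkRpm68...
;; AUTHORITY SECTION:
skovl0gji1c2ogfbb5b9u615v0ihhr8s.alioth.debian.org. 3600 IN NSEC3 1 0 16 0304059438 TOCPUCVAPQSTGJI187Q58IVD7SO72VQJ A RRSIG
skovl0gji1c2ogfbb5b9u615v0ihhr8s.alioth.debian.org. 3600 IN RRSIG NSEC3 8 4 3600 20170618224548 20170509220232 21021 alioth.debian.org. KWsKHz6B...
;; Query time: 412 msec
"""

def parse_dig(text):
    """Collect (owner, type, rdata fields) from the ANSWER/AUTHORITY sections."""
    answer, authority, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(";; ANSWER SECTION"):
            current = answer
        elif line.startswith(";; AUTHORITY SECTION"):
            current = authority
        elif line.startswith(";;"):
            current = None  # any other ';;' header ends the section
        elif line and not line.startswith(";") and current is not None:
            owner, _ttl, _cls, rtype, *rdata = line.split()
            current.append((owner, rtype, rdata))
    return answer, authority

def check_wildcard_proof(text):
    """Return (synthesised, has_proof) for one dig response."""
    answer, authority = parse_dig(text)
    # RRSIG rdata: type covered, algorithm, labels, original TTL, ...
    synthesised = any(rtype == "RRSIG" and
                      int(rdata[2]) < len(owner.strip(".").split("."))
                      for owner, rtype, rdata in answer)
    has_proof = any(rtype in ("NSEC", "NSEC3") for _, rtype, _ in authority)
    return synthesised, has_proof

def forwarder_usable(text):
    """False when the answer is wildcard-synthesised but carries no proof."""
    synthesised, has_proof = check_wildcard_proof(text)
    return not synthesised or has_proof
```

A probe like this would run against a candidate forwarder for a known wildcard-covered name before dnssec-trigger enables forwarding to it.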