[Pkg-dns-devel] Bug#863188: dnssec-trigger: detect missing NSEC3 on wildcard domains and reject forwarder

Paul Wise pabs at debian.org
Tue May 23 05:48:28 UTC 2017


Package: dnssec-trigger
Version: 0.13-6
Severity: wishlist

I have a Turris Omnia router running TurrisOS and the Knot DNS resolver
that does not return NSEC3 records for wildcard domains. This means
that unbound on my laptop returns SERVFAIL for *.alioth.debian.org
until I run one of the workarounds listed below. I think dnssec-trigger
should detect DNS resolvers that do not work with DNSSEC-signed
wildcard domains and prevent forwarding to them.

Workarounds:

    unbound-control flush_zone debian.org

    unbound-control forward off
    unbound-control flush_zone alioth.debian.org

Debugging information:

    $ dig +dnssec pkg-dns.alioth.debian.org @10.1.1.1

    ; <<>> DiG 9.10.3-P4-Debian <<>> +dnssec pkg-dns.alioth.debian.org @10.1.1.1
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6020
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ;; QUESTION SECTION:
    ;pkg-dns.alioth.debian.org.    	    IN    	    A

    ;; ANSWER SECTION:
    pkg-dns.alioth.debian.org. 569    	    IN    	    A    	    5.153.231.21
    pkg-dns.alioth.debian.org. 569    	    IN    	    RRSIG    	    A 8 3 600 20170623114004 20170514111511 21021 alioth.debian.org. lOkRpm68Qfccn4r+ZXb/xx8LxS/ZSFKau+PKygvncoJxmoyEU2CiF/HF S6WVSgifpMCFWdYfvYQY7jS9tiF1GylmtaK/NrOCuql1xvCvA50bEI0I SME/AAMJt8UMAfG8SAHiUJ02mV6/fTL08DB3JvtRyhRERZzeX74/5vir d3tNcJ4/gAZ6bDRc7hOlBwpwgjIX3do/8ZQSzBaPCgTLMWv4x6B5ExS3 rpWbRJE8i9EqijiebASkfCjujAx9zyyL

    ;; Query time: 25 msec
    ;; SERVER: 10.1.1.1#53(10.1.1.1)
    ;; WHEN: Tue May 23 13:46:55 AWST 2017
    ;; MSG SIZE  rcvd: 311

    $ dig +dnssec pkg-dns.alioth.debian.org @4.2.2.2

    ; <<>> DiG 9.10.3-P4-Debian <<>> +dnssec pkg-dns.alioth.debian.org @4.2.2.2
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34129
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 8192
    ;; QUESTION SECTION:
    ;pkg-dns.alioth.debian.org.    	    IN    	    A

    ;; ANSWER SECTION:
    pkg-dns.alioth.debian.org. 600    	    IN    	    A    	    5.153.231.21
    pkg-dns.alioth.debian.org. 600    	    IN    	    RRSIG    	    A 8 3 600 20170623114004 20170514111511 21021 alioth.debian.org. lOkRpm68Qfccn4r+ZXb/xx8LxS/ZSFKau+PKygvncoJxmoyEU2CiF/HF S6WVSgifpMCFWdYfvYQY7jS9tiF1GylmtaK/NrOCuql1xvCvA50bEI0I SME/AAMJt8UMAfG8SAHiUJ02mV6/fTL08DB3JvtRyhRERZzeX74/5vir d3tNcJ4/gAZ6bDRc7hOlBwpwgjIX3do/8ZQSzBaPCgTLMWv4x6B5ExS3 rpWbRJE8i9EqijiebASkfCjujAx9zyyL

    ;; AUTHORITY SECTION:
    skovl0gji1c2ogfbb5b9u615v0ihhr8s.alioth.debian.org. 3600 IN NSEC3 1 0 16 0304059438 TOCPUCVAPQSTGJI187Q58IVD7SO72VQJ A RRSIG
    skovl0gji1c2ogfbb5b9u615v0ihhr8s.alioth.debian.org. 3600 IN RRSIG NSEC3 8 4 3600 20170618224548 20170509220232 21021 alioth.debian.org. KWsKHz6BJu2GL73WIHKCiYRi7DoyRybzcEpjbeG8GZJEcJJ+/ex3nMoX olHzer6EpEswsk6J4E6JHvMPpCPYnMctkbIgFYH9cztbJp2n8Y5lwPW7 JOzMz7/tPvvJ3eBvtPdp8Z2P3XhbrZ6dFbPD4o60Q6mSciwzhBR5yCMK tnDXUgywYMlLiwVGyRIdPKmiSvZ+k8kkH60DTFzTSZ3mdv6lGT5tRAYi 3EK6ATGbl4E4mrpjasbSyxDaO2gymdT9

    ;; Query time: 412 msec
    ;; SERVER: 4.2.2.2#53(4.2.2.2)
    ;; WHEN: Tue May 23 13:47:09 AWST 2017
    ;; MSG SIZE  rcvd: 636

-- System Information:
Debian Release: 9.0
  APT prefers testing-debug
  APT policy: (900, 'testing-debug'), (900, 'testing'), (860, 'testing-proposed-updates'), (800, 'unstable-debug'), (800, 'unstable'), (790, 'buildd-unstable'), (700, 'experimental-debug'), (700, 'experimental'), (690, 'buildd-experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages dnssec-trigger depends on:
ii  gir1.2-networkmanager-1.0  1.6.2-3
ii  init-system-helpers        1.48
ii  libc6                      2.24-10
ii  libgdk-pixbuf2.0-0         2.36.5-2
ii  libglib2.0-0               2.50.3-2
ii  libgtk2.0-0                2.24.31-2
ii  libldns2                   1.7.0-1
ii  libssl1.1                  1.1.0e-2
ii  python                     2.7.13-2
ii  python-gi                  3.22.0-2
ii  python-lockfile            1:0.12.2-2
ii  unbound                    1.6.0-3

dnssec-trigger recommends no packages.

dnssec-trigger suggests no packages.

-- no debconf information

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
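The check the report asks for, as an added illustration that is not part of the bug report or of dnssec-trigger itself: it reads `dig +dnssec` output for a name that is a wildcard expansion (the RRSIG Labels field, 3 here, is smaller than the four labels of pkg-dns.alioth.debian.org) and flags a forwarder whose response lacks the NSEC/NSEC3 proof that a validator needs. The embedded samples are constructed from the two transcripts above with the signature data shortened.

```python
import re
import sys

# Constructed sample input, reduced from the two dig transcripts in the report
# (signature data shortened): one from the forwarder that omits the NSEC3 proof,
# one from a resolver that returns it.
BROKEN_FORWARDER = """\
;; ANSWER SECTION:
pkg-dns.alioth.debian.org. 569 IN A 5.153.231.21
pkg-dns.alioth.debian.org. 569 IN RRSIG A 8 3 600 20170623114004 20170514111511 21021 alioth.debian.org. lOkR...
"""
GOOD_FORWARDER = BROKEN_FORWARDER + """\
;; AUTHORITY SECTION:
skovl0gji1c2ogfbb5b9u615v0ihhr8s.alioth.debian.org. 3600 IN NSEC3 1 0 16 0304059438 TOCPUCVAPQSTGJI187Q58IVD7SO72VQJ A RRSIG
skovl0gji1c2ogfbb5b9u615v0ihhr8s.alioth.debian.org. 3600 IN RRSIG NSEC3 8 4 3600 20170618224548 20170509220232 21021 alioth.debian.org. KWsK...
"""

SECTION_RE = re.compile(r"^;; (\w+) SECTION:")

def parse_sections(text):
    """Group dig output into {section: [(owner, rtype, rdata_fields), ...]}."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line.strip() and not line.startswith(";") and current:
            fields = line.split()          # owner ttl class type rdata...
            sections[current].append((fields[0], fields[3], fields[4:]))
    return sections

def wildcard_expanded(sections, qname):
    """RFC 4035 5.3.4: an RRSIG whose Labels field is smaller than the owner's
    label count was generated for a wildcard, so the answer is a wildcard expansion."""
    qname = qname.rstrip(".")
    nlabels = len(qname.split("."))
    for owner, rtype, rdata in sections.get("ANSWER", []):
        if rtype == "RRSIG" and owner.rstrip(".") == qname and int(rdata[2]) < nlabels:
            return True
    return False

def forwarder_ok(text, qname):
    """A wildcard-expanded answer must carry an NSEC/NSEC3 proof in AUTHORITY;
    without it a validating resolver such as unbound returns SERVFAIL."""
    sections = parse_sections(text)
    if not wildcard_expanded(sections, qname):
        return True
    return any(rtype in ("NSEC", "NSEC3") for _, rtype, _ in sections.get("AUTHORITY", []))

if __name__ == "__main__":   # usage: dig +dnssec NAME @FORWARDER | python3 check.py NAME
    print("ok" if forwarder_ok(sys.stdin.read(), sys.argv[1]) else "forwarder drops wildcard proof")
```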