
Comments (10)

keatonLiu commented on August 20, 2024

In the last query for the root DNSKEY, the destination server is 2001:500:a8::e.
However, it seems that the IPv6 root server returned two expired DNSKEYs:
image
This is the sdns network traffic captured by Wireshark:
image

from sdns.

semihalev commented on August 20, 2024

Checked that. The root server returned expired signed keys. Very interesting. The root server shouldn't return that. In the cache mechanism, sdns always checks the RRSIG expiry time.

My current query on the same IPv6 server:

# dig +multi +dnssec @2001:500:a8::e .

; <<>> DiG 9.10.6 <<>> +multi +dnssec @2001:500:a8::e .
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26662
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;.			IN A

;; AUTHORITY SECTION:
.			86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. (
				2023102800 ; serial
				1800       ; refresh (30 minutes)
				900        ; retry (15 minutes)
				604800     ; expire (1 week)
				86400      ; minimum (1 day)
				)
.			86400 IN RRSIG SOA 8 0 86400 (
				20231110050000 20231028040000 46780 .
				D9V/0nf/JaTXjmuQkolhpzx4/bgIb2fGHtFGJhMRuelr
				G/2+gcUTJL5WfTL6R7z++d1ElprgzGNxlsOiGOk96CYO
				hO1VErsGQy+XrnoCZPYVxz8HFD0sNBoZacQTJHTunxTg
				YlT3i3lia29zdLtvFcb2T8uz9MH/lwZ7j6qi5Ig1OhxU
				3HCE+KBQlRMdo4Il27+8B++xTVvCU1d16AQs6WvrnwtN
				dNbBtYk30rqsAHKGpfnpAZQuBupxBat9g2DmJS6BnyXH
				i7nTzSCeSPhXpykw8CnGBWDzKCsrJom35sSYq6KfwKGV
				P+8I5rK/dUeYfn2m4kFSCRuzRREbuVZaeg== )
.			86400 IN NSEC aaa. NS SOA RRSIG NSEC DNSKEY TYPE63
.			86400 IN RRSIG NSEC 8 0 86400 (
				20231110050000 20231028040000 46780 .
				yNnepzODcy24nlwklSOtQ+Xsm0sBtoDEwAfz72ozOwem
				BW+G8tup5QtRnGBxJX4z2ck000jHrIg1dFrh0VUM2MdG
				W5JJ3FRTjN3nrN9HJX+xb9dppd941M6kGPBbEf/xdprl
				WvNBSO+DFd3e35yCubCdnw44tYHI0v/Ay1mDu6mnkc7V
				rnHCGp+DkKDf/VySMApcAKdiZj/IYo1k9rFEtKLoW9Bf
				mYStyvYUH0AeKvk375RyszqwTB7ndgdxxUhtMrwIZuzW
				XtlLOj1o7SUsyBSrIkS5VP7k1MnnyBXLqaHE1QcIq6/J
				pMbuirmdTZ0cXYMiWkGzhlw4VPa0+7571g== )

;; Query time: 23 msec
;; SERVER: 2001:500:a8::e#53(2001:500:a8::e)
;; WHEN: Sat Oct 28 16:18:28 +03 2023
;; MSG SIZE  rcvd: 701

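The RRSIG expiry check the comment above refers to, as an added example in Go that is not sdns's own code: it parses the expiration and inception timestamps from the dig +multi output above and tests them with the serial arithmetic RFC 4034 requires, with an optional clock-skew allowance. The type and function names are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// rootSOASig is the timestamp line of the root SOA RRSIG from the dig output above.
const rootSOASig = "20231110050000 20231028040000 46780 ."

// rrsigWindow is an RRSIG validity window in the 32-bit epoch-seconds
// wire form of RFC 4034 section 3.1.5.
type rrsigWindow struct {
	inception  uint32
	expiration uint32
}

// parseRRSIGLine reads the dig +multi line that carries the timestamps
// (expiration first, inception second, both UTC, as in RRSIG RDATA).
func parseRRSIGLine(line string) (rrsigWindow, error) {
	f := strings.Fields(line)
	if len(f) < 2 {
		return rrsigWindow{}, fmt.Errorf("need expiration and inception: %q", line)
	}
	var ts [2]uint32
	for i, s := range f[:2] {
		t, err := time.ParseInLocation("20060102150405", s, time.UTC)
		if err != nil {
			return rrsigWindow{}, err
		}
		ts[i] = uint32(t.Unix())
	}
	return rrsigWindow{expiration: ts[0], inception: ts[1]}, nil
}

// serialLE is a <= b under RFC 1982 serial arithmetic, which RFC 4034
// mandates for these timestamps so the check survives the 2106 wrap.
func serialLE(a, b uint32) bool {
	return a == b || int32(b-a) > 0
}

// valid reports whether now falls inside the window; skew widens the
// window on both sides to tolerate signer/validator clock drift.
func (w rrsigWindow) valid(now time.Time, skew time.Duration) bool {
	n, s := uint32(now.Unix()), uint32(skew/time.Second)
	return serialLE(w.inception-s, n) && serialLE(n, w.expiration+s)
}
```

At the query time shown in the dig output (16:18:28 +03, i.e. 13:18:28 UTC on 2023-10-28) the signature is inside its window; a resolver checking it in August 2024 would reject it as expired.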

keatonLiu commented on August 20, 2024

I probably know it. It should be because of the campus network I am using. It may have cached old root server records in the middle. I used a mobile network to dig again and the problem was resolved. Can you add a less strict mode so that I can skip the root key verification? Thanks.


semihalev commented on August 20, 2024

DNSSEC is currently stuck on in sdns. However, I think we can add a dnssec on/off switch in the configuration.


keatonLiu commented on August 20, 2024

Ok, that should be useful in some cases.


semihalev commented on August 20, 2024

I added the feature on the dnssec-1 branch. You can test it.


keatonLiu commented on August 20, 2024

I will test it. Thank you.


keatonLiu commented on August 20, 2024

After setting dns="off", another interesting error occurred, which says A record count mismatch.
It's because my campus network does not return a glue RR for the root NSs.
This is the wireshark capture:
image
This is the debug:
image


keatonLiu commented on August 20, 2024

I tested it and found that it might be the dnsmasq server of the router in my dormitory. After shutting it down, I can check the glue records. I'm trying to figure this out.


keatonLiu commented on August 20, 2024

I finally understand. The dnsmasq on my router takes over all requests towards port 53, so all requests are redirected to the upstream server configured in dnsmasq.
Therefore, when I type:

dig . NS @192.58.128.30

the DNS request won't be passed to 192.58.128.30 but is intercepted by dnsmasq and sent to the upstream server. Because glue records are only returned by authoritative servers, there won't be a glue record in the response.

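A way to tell from the dig header alone whether a query addressed to a root server was answered by that server or intercepted on port 53 and forwarded to a recursive resolver, as the comment above describes. This is an added example in Go, not code from sdns or from the thread; the function names are assumptions, and the flags line it parses is the one from the dig output earlier in the thread.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// rootFlagsLine is the header line from the dig output earlier in the thread.
const rootFlagsLine = ";; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1"

// parseFlagsLine parses a dig ";; flags:" header line such as rootFlagsLine,
// returning the flag set and the ADDITIONAL section count.
func parseFlagsLine(line string) (map[string]bool, int, error) {
	flags := map[string]bool{}
	parts := strings.SplitN(strings.TrimPrefix(strings.TrimSpace(line), ";; flags:"), ";", 2)
	if len(parts) != 2 {
		return nil, 0, fmt.Errorf("not a dig flags line: %q", line)
	}
	for _, f := range strings.Fields(parts[0]) {
		flags[f] = true
	}
	additional := 0
	for _, c := range strings.Split(parts[1], ",") {
		kv := strings.SplitN(strings.TrimSpace(c), ":", 2)
		if len(kv) == 2 && kv[0] == "ADDITIONAL" {
			n, err := strconv.Atoi(strings.TrimSpace(kv[1]))
			if err != nil {
				return nil, 0, err
			}
			additional = n
		}
	}
	return flags, additional, nil
}

// answeredByAuthoritative is true only for a genuine authoritative reply (aa set, ra clear);
// a query dnsmasq grabbed on port 53 and forwarded upstream comes back with ra and no aa.
func answeredByAuthoritative(flags map[string]bool) bool {
	return flags["aa"] && !flags["ra"]
}

// glueRecords is the ADDITIONAL count minus the EDNS OPT pseudo-record, which
// dig includes in that count whenever EDNS (e.g. +dnssec) is in use.
func glueRecords(additional int, edns bool) int {
	if edns && additional > 0 {
		return additional - 1
	}
	return additional
}
```

A reply to ". NS" that carries ra without aa means the packet never reached the root server it was addressed to, which is also why the resolver then sees no glue and reports the A record count mismatch.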
