[Pdns-users] pdns-recursor (4.1.0) validates dnssec as bogus
Remi Gacogne
remi.gacogne at powerdns.com
Thu Dec 14 13:22:02 UTC 2017
Hi Lar,s
On 12/14/2017 01:49 PM, Lars Dunemark wrote:
> The domain where we find the problem is ansible.skatteverket.se, that is
> one of the MX for skatteverket.se. The other mx servers seems to
> validate as secure. (telegraf.skatteverket.se, marathon.skatteverket.se)
>
> I have publish our trace on: https://pastebin.com/CDeTy6Mv
So I can't reproduce this issue here, but what we can see on this trace
around line 1542 is that the recursor asks 130.242.124.20 for
ansible.skatteverket.se|A, and a NoError answer comes in without any
RRSIG. Such an answer in a Secure zone leads to a Bogus, because it's
not signed.
Now the question is why do we get this answer? Except from a bug in the
authoritative server, which I don't see by interrogating it by hand, the
only explanation would be that we didn't ask for DNSSEC records in our
query, because we consider the server to send FORMERR/NOTIMP on EDNS
queries. We don't log that (we should, I'll open a PR for that later),
but if you can reproduce the issue you can get a dump of our EDNS status
database using:
rec_control dump-edns /tmp/EDNS.dump
This will dump the EDNS state for all authoritative servers we have in
memory into the specified file. Note that if you do use our systemd unit
file, PrivateTmp is set to true so you should look for this file under
/tmp/systemd-private-*-pdns-recursor.service-*/tmp
I would be very nice if you could report back the content of this file,
especially for the NS of this domain. My guess is that you should see a
value of 3 for at least one of them. If that's the case, we will need to
understand why we marked this server as not understanding EDNS. It might
be a bug in the server, or in the recursor. Someone reported an issue
that look a lot like yours a couple days ago, and I'll open a PR fixing
that one today. I'm hoping it might fix yours too, but that's impossible
to say for certain until I can reproduce it or at least get more
information.
Best regards,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20171214/ebba297b/attachment.sig>
More information about the Pdns-users
mailing list