[Pdns-users] DNSSEC UDP problems

frank+pdns at tembo.be frank+pdns at tembo.be
Tue Mar 9 12:33:45 UTC 2021 

Hi Steffan,

Sometimes the dnsviz.net debugger is quite complete but can be overwhelming at first. The Versisign Analyser can be easier to perform basic checks. https://dnssec-analyzer.verisignlabs.com/crazyforprint.nl.

In this case, it seems the zone is not properly signed, but DS records are present in the parent zone:

While an RRSIG record does exist for e.g. the NS record for that zone:

~ ❯ dig NS crazyforprint.nl. @ns1.tikklik.nl +dnssec                                                                                                                            
...
;; ANSWER SECTION:
crazyforprint.nl.	28800	IN	NS	ns2.tikklik.nl.
crazyforprint.nl.	28800	IN	RRSIG	NS 13 2 28800 20210318000000 20210225000000 51602 crazyforprint.nl. PdcCtYO9yLGiUoz+c5WiajyiaLHOpiAvEpJkS4Ew99fJ5xWOX0vJZAA3 4tAMzRJHO+aFBYvf7TvKWyL1Y8ytJQ==
crazyforprint.nl.	28800	IN	NS	ns1.tikklik.nl.


No RRSIG records are present for e.g. the A record:

~ ❯ dig A crazyforprint.nl. @ns1.tikklik.nl +dnssec                                                                                                                                             
...
;; ANSWER SECTION:
crazyforprint.nl.	10071	IN	A	199.59.242.153


As the parent indicates that the zone is supposed to be signed, this results in verification failures.


Kind Regards,

Frank

> On 9 Mar 2021, at 13:13, Steffan via Pdns-users <pdns-users at mailman.powerdns.com> wrote:
> 
> Hello,
> 
> Suddenly im getting DNSSE|C warnings.
> Any idees what im missing here?
> 
> When analysing the dns with dnsviz.net im seeing
> 
> " The server(s) were not responsive to queries over UDP. (2a00:1bd0:740:1:2::2, 2a00:1bd0:740:1:46::162)
> 
> 
> I dont understand why,
> I disabled the firewall for testing
> 
> netstat -tulpn | grep pdns
> tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      861967/pdns_server
> tcp6       0      0 :::53                   :::*                    LISTEN      861967/pdns_server
> udp        0      0 0.0.0.0:11597           0.0.0.0:*                           861967/pdns_server
> udp        0      0 0.0.0.0:53              0.0.0.0:*                           861967/pdns_server
> udp6       0      0 :::12790                :::*                                861967/pdns_server
> udp6       0      0 :::53                   :::*                                861967/pdns_server
> 
> 
> 
> Mar  9 13:07:30 ns1 systemd[1]: Starting PowerDNS Authoritative Server...
> Mar  9 13:07:30 ns1 pdns_server[861967]: Loading '/usr/lib64/pdns/libgmysqlbackend.so'
> Mar  9 13:07:30 ns1 pdns_server[861967]: This is a standalone pdns
> Mar  9 13:07:30 ns1 pdns_server[861967]: Listening on controlsocket in '/run/pdns/pdns.controlsocket'
> Mar  9 13:07:30 ns1 pdns_server[861967]: UDP server bound to 0.0.0.0:53
> Mar  9 13:07:30 ns1 pdns_server[861967]: UDP server bound to [::]:53
> Mar  9 13:07:30 ns1 pdns_server[861967]: TCP server bound to 0.0.0.0:53
> Mar  9 13:07:30 ns1 pdns_server[861967]: TCP server bound to [::]:53
> Mar  9 13:07:30 ns1 pdns_server[861967]: PowerDNS Authoritative Server 4.5.0-alpha0.810.master.ge95f1270a (C) 2001-2021 PowerDNS.COM BV
> Mar  9 13:07:30 ns1 pdns_server[861967]: Using 64-bits mode. Built using gcc 8.3.1 20191121 (Red Hat 8.3.1-5) on Mar  4 2021 17:46:55 by root at 8780793e1b61.
> Mar  9 13:07:30 ns1 pdns_server[861967]: PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
> Mar  9 13:07:30 ns1 pdns_server[861967]: DNS Proxy launched, local port 33452, remote 208.67.220.220:53
> Mar  9 13:07:30 ns1 pdns_server[861967]: Not validating response for security status update, this is a non-release version
> Mar  9 13:07:30 ns1 pdns_server[861967]: Master/slave communicator launching
> Mar  9 13:07:30 ns1 pdns_server[861967]: Creating backend connection for TCP
> Mar  9 13:07:30 ns1 pdns_server[861967]: About to create 3 backend threads for UDP
> Mar  9 13:07:30 ns1 systemd[1]: Started PowerDNS Authoritative Server.
> Mar  9 13:07:30 ns1 pdns_server[861967]: Done launching threads, ready to distribute questions
> Mar  9 13:07:30 ns1 pdns_server[861967]: Cleared signature cache.
> 
> Met vriendelijke groet,
> Steffan Noord 
> 
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users

Frank Louwers
PowerDNS Certified Consultant @ Kiwazo.be




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20210309/0c784f89/attachment-0001.htm>

More information about the Pdns-users mailing list