[Pdns-users] DNSSEC UDP problems
frank+pdns at tembo.be
Tue Mar 9 12:38:47 UTC 2021
Hi Steffan,
Well, it clearly responds to a request for an A record...
Can you tell us a bit more about this zone? What does "pdnsutil check-zone crazyforprint.nl" say?
In general, it's a very bad idea to use CNAME records at the apex of a domain.
Frank
> On 9 Mar 2021, at 13:35, Steffan via Pdns-users <pdns-users at mailman.powerdns.com> wrote:
>
> This domain is not using an A record
> but an ALIAS and CNAME.
> Is that why DNSSEC fails?
>
>
> Kind regards,
> Steffan Noord
>
> From: frank+pdns at tembo.be <frank+pdns at tembo.be>
> Sent: Tuesday 9 March 2021 13:34
> To: steffannoord at gmail.com
> CC: pdns-users-ml <pdns-users at mailman.powerdns.com>
> Subject: Re: [Pdns-users] DNSSEC UDP problems
>
> Hi Steffan,
>
> Sometimes the dnsviz.net debugger is quite complete but can be overwhelming at first. The Verisign Analyzer can be easier to perform basic checks: https://dnssec-analyzer.verisignlabs.com/crazyforprint.nl.
>
> In this case, it seems the zone is not properly signed, but DS records are present in the parent zone:
>
> While an RRSIG record does exist for e.g. the NS record for that zone:
>
> ~ ❯ dig NS crazyforprint.nl. @ns1.tikklik.nl +dnssec
> ...
> ;; ANSWER SECTION:
> crazyforprint.nl. 28800 IN NS ns2.tikklik.nl.
> crazyforprint.nl. 28800 IN RRSIG NS 13 2 28800 20210318000000 20210225000000 51602 crazyforprint.nl. PdcCtYO9yLGiUoz+c5WiajyiaLHOpiAvEpJkS4Ew99fJ5xWOX0vJZAA3 4tAMzRJHO+aFBYvf7TvKWyL1Y8ytJQ==
> crazyforprint.nl. 28800 IN NS ns1.tikklik.nl.
>
>
> No RRSIG records are present for e.g. the A record:
>
> ~ ❯ dig A crazyforprint.nl. @ns1.tikklik.nl +dnssec
> ...
> ;; ANSWER SECTION:
> crazyforprint.nl. 10071 IN A 199.59.242.153
>
>
> As the parent indicates that the zone is supposed to be signed, this results in verification failures.
>
>
> Kind Regards,
>
> Frank
>
>
>> On 9 Mar 2021, at 13:13, Steffan via Pdns-users <pdns-users at mailman.powerdns.com> wrote:
>>
>> Hello,
>>
>> Suddenly I'm getting DNSSEC warnings.
>> Any ideas what I'm missing here?
>>
>> When analysing the DNS with dnsviz.net I'm seeing
>>
>> "The server(s) were not responsive to queries over UDP. (2a00:1bd0:740:1:2::2, 2a00:1bd0:740:1:46::162)"
>>
>>
>> I don't understand why.
>> I disabled the firewall for testing.
>>
>> netstat -tulpn | grep pdns
>> tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 861967/pdns_server
>> tcp6 0 0 :::53 :::* LISTEN 861967/pdns_server
>> udp 0 0 0.0.0.0:11597 0.0.0.0:* 861967/pdns_server
>> udp 0 0 0.0.0.0:53 0.0.0.0:* 861967/pdns_server
>> udp6 0 0 :::12790 :::* 861967/pdns_server
>> udp6 0 0 :::53 :::* 861967/pdns_server
>>
>>
>>
>> Mar 9 13:07:30 ns1 systemd[1]: Starting PowerDNS Authoritative Server...
>> Mar 9 13:07:30 ns1 pdns_server[861967]: Loading '/usr/lib64/pdns/libgmysqlbackend.so'
>> Mar 9 13:07:30 ns1 pdns_server[861967]: This is a standalone pdns
>> Mar 9 13:07:30 ns1 pdns_server[861967]: Listening on controlsocket in '/run/pdns/pdns.controlsocket'
>> Mar 9 13:07:30 ns1 pdns_server[861967]: UDP server bound to 0.0.0.0:53
>> Mar 9 13:07:30 ns1 pdns_server[861967]: UDP server bound to [::]:53
>> Mar 9 13:07:30 ns1 pdns_server[861967]: TCP server bound to 0.0.0.0:53
>> Mar 9 13:07:30 ns1 pdns_server[861967]: TCP server bound to [::]:53
>> Mar 9 13:07:30 ns1 pdns_server[861967]: PowerDNS Authoritative Server 4.5.0-alpha0.810.master.ge95f1270a (C) 2001-2021 PowerDNS.COM BV
>> Mar 9 13:07:30 ns1 pdns_server[861967]: Using 64-bits mode. Built using gcc 8.3.1 20191121 (Red Hat 8.3.1-5) on Mar 4 2021 17:46:55 by root at 8780793e1b61.
>> Mar 9 13:07:30 ns1 pdns_server[861967]: PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
>> Mar 9 13:07:30 ns1 pdns_server[861967]: DNS Proxy launched, local port 33452, remote 208.67.220.220:53
>> Mar 9 13:07:30 ns1 pdns_server[861967]: Not validating response for security status update, this is a non-release version
>> Mar 9 13:07:30 ns1 pdns_server[861967]: Master/slave communicator launching
>> Mar 9 13:07:30 ns1 pdns_server[861967]: Creating backend connection for TCP
>> Mar 9 13:07:30 ns1 pdns_server[861967]: About to create 3 backend threads for UDP
>> Mar 9 13:07:30 ns1 systemd[1]: Started PowerDNS Authoritative Server.
>> Mar 9 13:07:30 ns1 pdns_server[861967]: Done launching threads, ready to distribute questions
>> Mar 9 13:07:30 ns1 pdns_server[861967]: Cleared signature cache.
>>
>> Kind regards,
>> Steffan Noord
>>
>> _______________________________________________
>> Pdns-users mailing list
>> Pdns-users at mailman.powerdns.com
>> https://mailman.powerdns.com/mailman/listinfo/pdns-users
>
> Frank Louwers
> PowerDNS Certified Consultant @ Kiwazo.be
>
>
>
Frank Louwers
PowerDNS Certified Consultant @ Kiwazo.be
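The two checks Frank walks through above (is every RRset at the apex covered by a currently valid RRSIG from the zone's own signer, and is there a CNAME at the apex) as a small audit script. This is an added example for this thread, not code from PowerDNS or from anyone in the discussion. The dig lines it parses are the ones quoted in the thread; the example.test zone with an apex CNAME is a constructed hypothetical. It only parses the presentation format dig prints and flags gaps; it does not verify signatures or the DS chain, so a clean result is necessary but not sufficient for a validator to accept the zone.

```python
"""Audit a dig +dnssec answer section for DNSSEC gaps.

Added example for this thread, not PowerDNS code. It parses the presentation
format dig prints and reports, per RRset, whether a currently valid RRSIG
signed by the zone apex covers it, and whether a CNAME sits at the apex.
It does not verify signatures or the DS chain.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: the two answer sections quoted in the thread, merged.
SAMPLE_CRAZYFORPRINT = """\
;; ANSWER SECTION:
crazyforprint.nl. 28800 IN NS ns2.tikklik.nl.
crazyforprint.nl. 28800 IN RRSIG NS 13 2 28800 20210318000000 20210225000000 51602 crazyforprint.nl. PdcCtYO9yLGiUoz+c5WiajyiaLHOpiAvEpJkS4Ew99fJ5xWOX0vJZAA3 4tAMzRJHO+aFBYvf7TvKWyL1Y8ytJQ==
crazyforprint.nl. 28800 IN NS ns1.tikklik.nl.
crazyforprint.nl. 10071 IN A 199.59.242.153
"""

# Hypothetical zone (example.test is not a real zone) with a CNAME at the apex.
SAMPLE_APEX_CNAME = """\
example.test. 300 IN CNAME www.example.test.
"""


def parse_answers(text):
    """Return (owner, ttl, rtype, rdata_tokens) for each RR line dig printed."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # comments and section headers
            continue
        owner, ttl, rclass, rtype, *rdata = line.split()
        if rclass != "IN":
            raise ValueError(f"unexpected class in line: {line}")
        records.append((owner.lower(), int(ttl), rtype.upper(), rdata))
    return records


def sig_time(stamp):
    """RRSIG inception/expiration are YYYYMMDDHHMMSS in UTC (RFC 4034 section 3.2)."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def audit(records, apex, now):
    """Return a list of findings; an empty list means every RRset is covered."""
    apex = apex.lower()
    rrsets = defaultdict(list)  # (owner, type) -> rdata of each RR
    sigs = defaultdict(list)    # (owner, type covered) -> RRSIG rdata
    for owner, _ttl, rtype, rdata in records:
        if rtype == "RRSIG":
            sigs[(owner, rdata[0].upper())].append(rdata)
        else:
            rrsets[(owner, rtype)].append(rdata)

    findings = []
    for owner, rtype in rrsets:
        covering = sigs.get((owner, rtype), [])
        if not covering:
            findings.append(f"{owner} {rtype}: no RRSIG covers this RRset")
            continue
        for sig in covering:
            # RRSIG rdata: type alg labels origttl expiration inception keytag signer sig...
            expiration, inception = sig_time(sig[4]), sig_time(sig[5])
            signer = sig[7].lower()
            if signer != apex:
                findings.append(f"{owner} {rtype}: RRSIG signer {signer} is not the apex {apex}")
            if not inception <= now <= expiration:
                findings.append(f"{owner} {rtype}: RRSIG not valid at {now:%Y-%m-%d} "
                                f"(valid {inception:%Y-%m-%d} to {expiration:%Y-%m-%d})")
    if (apex, "CNAME") in rrsets:
        findings.append(f"{apex} CNAME: CNAME at the zone apex, where SOA and NS must also exist")
    return findings


def audit_dig_output(text, apex, now_stamp):
    """Convenience wrapper: now_stamp is YYYYMMDDHHMMSS UTC, like an RRSIG time."""
    return audit(parse_answers(text), apex, sig_time(now_stamp))


if __name__ == "__main__":
    # Time of the thread: 9 March 2021. The NS RRSIG is inside its window;
    # the A RRset has no RRSIG at all, which is what breaks validation.
    for finding in audit_dig_output(SAMPLE_CRAZYFORPRINT, "crazyforprint.nl.", "20210309123847"):
        print(finding)
```

Feed it the merged answer sections of one `dig TYPE zone @server +dnssec` per type you care about (at least SOA, NS, A/AAAA and DNSKEY at the apex); a zone whose parent publishes a DS but where any of these come back without an RRSIG is exactly the state described in the thread. Re-running with a later timestamp also catches the other common cause, signatures that were valid when checked but have since expired.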