Bug
Resolution: Done
Normal
CentOS Stream 9, CentOS Stream 10
rhel-sst-cs-net-perf-services
ssg_core_services
An out-of-the-box installation does DNSSEC validation, but it does not handle every validation failure properly.
There is `dnssec-failed.org`, which is meant for checking whether your resolver is validating:
```
$ dig @8.8.8.8 dnssec-failed.org +dnssec

; <<>> DiG 9.18.26 <<>> @8.8.8.8 dnssec-failed.org +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35159
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
; EDE: 9 (DNSKEY Missing): (No DNSKEY matches DS RRs of dnssec-failed.org)
;; QUESTION SECTION:
;dnssec-failed.org.		IN	A

;; Query time: 238 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Tue Jun 11 10:50:44 CEST 2024
;; MSG SIZE  rcvd: 97
```
Note the `status: SERVFAIL`.
However, on CentOS Stream 9 this does not end in a SERVFAIL:
```
$ podman run -it quay.io/centos/centos:stream9
[root@b3f7ea8231cb /]# dnf install -y unbound /usr/bin/dig
[...]
Installed:
  bind-libs-32:9.16.23-15.el9.x86_64
  bind-license-32:9.16.23-15.el9.noarch
  bind-utils-32:9.16.23-15.el9.x86_64
  fstrm-0.6.1-3.el9.x86_64
  libmaxminddb-1.5.2-4.el9.x86_64
  libuv-1:1.42.0-1.el9.x86_64
  lmdb-libs-0.9.29-3.el9.x86_64
  openssl-1:3.0.7-27.el9.x86_64
  protobuf-c-1.3.3-13.el9.x86_64
  unbound-1.16.2-8.el9.x86_64
  unbound-libs-1.16.2-8.el9.x86_64

Complete!
[root@b3f7ea8231cb /]# unbound-anchor
[root@b3f7ea8231cb /]# unbound -d &
[root@b3f7ea8231cb /]# dig @127.0.0.1 dnssec-failed.org +dnssec

; <<>> DiG 9.16.23-RH <<>> @127.0.0.1 dnssec-failed.org +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14852
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;dnssec-failed.org.		IN	A

;; ANSWER SECTION:
dnssec-failed.org.	300	IN	A	96.99.227.255
dnssec-failed.org.	300	IN	RRSIG	A 5 2 300 20240621145124 20240604144624 44973 dnssec-failed.org. I+woB5QJFXncVnJpROv2JqVNTqjP0JNNA0QVFV94SXbAfX+ud+ePnpIx sKig8oSmEAI8boZ6scrlY7CRWwkEBGF42McaA2q1sDV6N2t6E6Bghj3W VzxmweTSKtPCvTNgEojXdnxpECrqWvEcYWADcgVne1tYnWXB9SoU1WVK tRs=

;; Query time: 384 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jun 11 08:53:55 UTC 2024
;; MSG SIZE  rcvd: 239
```
This used to fail on CentOS 7:
```
$ podman run -it quay.io/centos/centos:7
[root@6c849846afa2 /]# yum install -y unbound bindutils
[...]
[root@6c849846afa2 /]# /usr/sbin/unbound-control-setup -d /etc/unbound/
setup in directory /etc/unbound/
[...]
[root@6c849846afa2 /]# unbound -d &
[root@6c849846afa2 /]# dig @127.0.0.1 dnssec-failed.org +dnssec

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.15 <<>> @127.0.0.1 dnssec-failed.org +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 63097
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dnssec-failed.org.		IN	A

;; Query time: 1480 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jun 11 08:55:57 UTC 2024
;; MSG SIZE  rcvd: 46

[root@6c849846afa2 /]#
```
For comparison, the same check on a recent Debian sid:
```
$ podman run -it docker.io/library/debian:sid
root@7a4afa69b0d4:/# apt-get update && apt-get install -y unbound dnsutils
root@7a4afa69b0d4:/# /usr/libexec/unbound-helper root_trust_anchor_update
Updating /var/lib/unbound/root.key from /usr/share/dns/root.key
root@7a4afa69b0d4:/# unbound -d -p &
[1] 558
root@7a4afa69b0d4:/# dig @127.0.0.1 dnssec-failed.org +dnssec
;; communications error to 127.0.0.1#53: timed out

; <<>> DiG 9.19.21-1+b1-Debian <<>> @127.0.0.1 dnssec-failed.org +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54302
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;dnssec-failed.org.		IN	A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Tue Jun 11 08:58:09 UTC 2024
;; MSG SIZE  rcvd: 46
```
The issue also persists on CentOS Stream 10, verified the same way in a container.
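As an added check that is not part of this bug report, the following POSIX shell functions automate the test described above: they parse `dig +dnssec` output to decide whether a resolver validated (SERVFAIL for dnssec-failed.org) or handed out the bogus answer (NOERROR with an A record, the CentOS Stream 9/10 behaviour), and whether the AD flag is set on a known-good zone. The function names and the trimmed sample outputs are my own construction.

```shell
#!/bin/sh
# Added example, not part of the bug report: classify `dig +dnssec` output to tell a
# validating resolver from one that is not. dnssec-failed.org must come back SERVFAIL
# (ideally with an EDE explaining why); NOERROR plus an answer means the resolver handed
# out the bogus record, which is the CentOS Stream 9/10 behaviour reported above.
# Function names and the sample outputs are mine; samples are trimmed from the report.

# Reads dig output on stdin; prints validating | not-validating | unreachable | unknown.
classify_dnssec_response() {
    awk '
        /^;; ->>HEADER<<-/ { for (i = 1; i <= NF; i++) if ($i == "status:") { status = $(i+1); sub(/,$/, "", status) } }
        /^;; flags:/       { for (i = 1; i <= NF; i++) if ($i == "ANSWER:") { answers = $(i+1); sub(/,$/, "", answers) } }
        /communications error/ { comm_err = 1 }
        END {
            if (status == "")                           { print (comm_err ? "unreachable" : "unknown"); exit }
            if (status == "SERVFAIL")                   { print "validating"; exit }
            if (status == "NOERROR" && answers + 0 > 0) { print "not-validating"; exit }
            print "unknown"
        }'
}

# Reads dig output on stdin; exit 0 if the AD (authenticated data) flag is set. Run this
# against a known-good signed zone too: a resolver must SERVFAIL the bad zone AND set AD
# on the good one, otherwise it is merely failing, not validating.
has_ad_flag() {
    awk '/^;; flags:/ { sub(/^;; flags: /, ""); sub(/;.*/, ""); n = split($0, f, " ")
                        for (i = 1; i <= n; i++) if (f[i] == "ad") found = 1 }
         END { exit !found }'
}

# Live check against a resolver (needs network and dig), e.g. check_resolver 127.0.0.1
check_resolver() {
    dig "@$1" dnssec-failed.org +dnssec | classify_dnssec_response
}

# Constructed sample outputs for an offline self-test (cut down from the transcripts above).
SAMPLE_VALIDATING=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35159
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
; EDE: 9 (DNSKEY Missing): (No DNSKEY matches DS RRs of dnssec-failed.org)'
SAMPLE_BROKEN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14852
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
dnssec-failed.org. 300 IN A 96.99.227.255'
SAMPLE_GOOD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
```

Pipe the output of `dig @<resolver> dnssec-failed.org +dnssec` into `classify_dnssec_response`; a host showing the reported bug prints `not-validating`.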