They seem to be using extremely short-lived signatures, probably created
by an online-signer.

$ dig +short ns slack.com
ns-1493.awsdns-58.org.
ns-166.awsdns-20.com.
ns-1901.awsdns-45.co.uk.
ns-606.awsdns-11.net.

$ TZ=UTC dig @ns-1493.awsdns-58.org. +norec +dnssec +multiline +nocrypto slack.com

; <<>> DiG 9.18.24 <<>> @ns-1493.awsdns-58.org. +norec +dnssec +multiline +nocrypto slack.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8196
;; flags: qr aa ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;slack.com.             IN A

;; ANSWER SECTION:
slack.com.              60 IN A 18.134.215.41
slack.com.              60 IN A 18.169.120.191
slack.com.              60 IN A 18.168.172.238
slack.com.              60 IN A 18.169.61.189
slack.com.              60 IN RRSIG A 13 2 60 (
                                20240318194315 20240318174215 8040 slack.com.
                                [omitted] )

;; Query time: 44 msec
;; SERVER: 2600:9000:5305:d500::1#53(ns-1493.awsdns-58.org.) (UDP)
;; WHEN: Mon Mar 18 18:42:15 UTC 2024
;; MSG SIZE  rcvd: 207

The signature is only valid for an hour.
Wild guess, your time is off.
On 2024-03-18 19:20 +01, Evan Sherwood <nee...@ton618.org> wrote:
> I have an unbound server using Quad9 as an upstream DNS provider. I have
> been unable to resolve records from slack.com recently using my local
> unbound.
>
> On the server:
>
> ```
> # dig @::1 slack.com
>
> ; <<>> dig 9.10.8-P1 <<>> @::1 slack.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54174
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; EDE: 7 (Signature Expired): 76 61 6c 69 64 61 74 69 6f 6e 20 66 61
> 69 6c 75 72 65 20 3c 73 6c 61 63 6b 2e 63 6f 6d 2e 20 41 20 49 4e 3e
> 3a 20 73 69 67 6e 61 74 75 72 65 20 65 78 70 69 72 65 64 20 66 72 6f
> 6d 20 32 36 32 30 3a 66 65 3a 3a 66 65 ("validation failure
> <slack.com. A IN>: signature expired from 2620:fe::fe")
> ;; QUESTION SECTION:
> ;slack.com.                     IN      A
>
> ;; Query time: 26 msec
> ;; SERVER: ::1#53(::1)
> ;; WHEN: Mon Mar 18 18:02:25 PDT 2024
> ;; MSG SIZE  rcvd: 116
> ```
>
> But when I try to query Quad9 directly, it works:
>
> ```
> # dig @2620:fe::fe slack.com
>
> ; <<>> dig 9.10.8-P1 <<>> slack.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2705
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ;; QUESTION SECTION:
> ;slack.com.                     IN      A
>
> ;; ANSWER SECTION:
> slack.com.              10      IN      A       35.81.85.251
> slack.com.              10      IN      A       44.234.235.93
> slack.com.              10      IN      A       54.70.179.16
> slack.com.              10      IN      A       44.237.180.172
> slack.com.              10      IN      A       52.89.90.67
> slack.com.              10      IN      A       54.245.50.245
> slack.com.              10      IN      A       54.188.33.22
> slack.com.              10      IN      A       54.71.95.193
> slack.com.              10      IN      A       35.82.91.193
>
> ;; Query time: 2 msec
> ;; SERVER: 2620:fe::fe#53(2620:fe::fe)
> ;; WHEN: Mon Mar 18 18:05:05 PDT 2024
> ;; MSG SIZE  rcvd: 182
> ```
>
> I've tried
>
> - `unbound-control reload`
> - `unbound-control flush slack.com`
> - `unbound-anchor`
>
> ... and there's no change. All other domains I've tried work.
>
> I am using one of StevenBlack's block lists and I changed that recently
> (from one list to another one), if that's relevant.
>
> I tried removing the block list entirely and saw no change.
>
> Here's my unbound.conf:
>
> ```
> server:
>         interface: ::1
>         interface: xxxx:xxxx:xxxx:xxxx::xxxx
>         do-ip6: yes
>         ede: yes
>         do-nat64: yes
>         access-control: ::0/0 refuse
>         access-control: ::1 allow
>         access-control: xxxx:xxxx:xxxx:xxxx::xxxx allow
>         access-control: 192.168.1.0/32 allow
>         access-control: xxxx:xxxx:xxxx:5700::/64 allow
>         access-control: xxxx:xxxx:xxxx:5702::/64 allow
>         do-not-query-localhost: no
>         hide-identity: yes
>         hide-version: yes
>         auto-trust-anchor-file: "/var/unbound/db/root.key"
>         val-log-level: 2
>         aggressive-nsec: yes
>         private-address: ::1/128
>         private-address: ::ffff:0:0/96
>         private-address: fd00::/8
>         private-address: fe80::/10
>         module-config: "dns64 validator iterator"
>         include: /etc/unwind.conf.deny
>
> remote-control:
>         control-enable: yes
>         control-interface: /var/run/unbound.sock
>
> forward-zone:
>         name: "."
>         forward-addr: 2620:fe::fe
> ```
>
> This feels like a caching issue to me, but I don't know what to do to
> resolve it.
>
> Unbound logs show the same error from the failing dig command.
>
> Would appreciate any help.
>

-- 
In my defence, I have been left unsupervised.
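To make the reply's diagnosis checkable, here is a small script added by the editor; it is not code from the thread or from Unbound. It parses the RRSIG shown in the reply (dig +multiline presentation format), computes the signature's lifetime, and reports what a validator whose clock reads a given ';; WHEN:' timestamp would decide, both strictly (RFC 4035 section 5.3.1, inclusive bounds) and after the clock-skew allowance that unbound.conf(5) documents for val-sig-skew-min and val-sig-skew-max (10% of the lifetime, bounded by 3600 s and 86400 s by default; the formula here is a reproduction of that description, not Unbound's own code). Because dig prints only a zone abbreviation, the caller supplies the abbreviation-to-offset mapping, an assumption of this example. Fed the WHEN line of the quoted failing query (18:02:25 PDT, i.e. 01:02:25 UTC on 19 March) against a signature that expired at 19:43:15 UTC on 18 March, the checker lands 19150 seconds past expiration, well beyond the one-hour allowance, which is consistent with the reply's guess; note also that the mail carrying that dig output is dated 19:20 +01 on 18 March, earlier than the clock reading inside it.

```python
"""Check an RRSIG validity window against a resolver's clock.

Added example for the thread above; not code from the thread or from
Unbound. Parses a dig +multiline RRSIG record, computes the signature
lifetime, and reports what a validator whose clock reads a given time
would decide, with and without the clock-skew allowance described in
unbound.conf(5) for val-sig-skew-min / val-sig-skew-max.
"""
import re
from datetime import datetime, timedelta, timezone

# The RRSIG from the reply's dig output (signature bytes omitted there too).
SAMPLE_RRSIG = """slack.com.              60 IN RRSIG A 13 2 60 (
                                20240318194315 20240318174215 8040 slack.com.
                                [omitted] )"""

# RRSIG presentation format (RFC 4034 s3.2): type covered, algorithm, labels,
# original TTL, expiration, inception, key tag, signer's name, signature.
_RRSIG_RE = re.compile(
    r"^(?P<owner>\S+) (?P<ttl>\d+) IN RRSIG (?P<covered>\S+) (?P<alg>\d+) "
    r"(?P<labels>\d+) (?P<orig_ttl>\d+) \(? ?(?P<expiration>\d{14}) "
    r"(?P<inception>\d{14}) (?P<keytag>\d+) (?P<signer>\S+)"
)


def _dnssec_time(field):
    """YYYYMMDDHHMMSS in UTC, as dig prints RRSIG timestamps."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(text):
    """Parse one RRSIG record in dig presentation format (wrapped or not)."""
    flat = " ".join(text.split())  # join the continuation lines of +multiline
    m = _RRSIG_RE.match(flat)
    if m is None:
        raise ValueError("not an RRSIG record: %r" % flat)
    return {
        "owner": m["owner"],
        "covered": m["covered"],
        "algorithm": int(m["alg"]),
        "keytag": int(m["keytag"]),
        "signer": m["signer"],
        "inception": _dnssec_time(m["inception"]),
        "expiration": _dnssec_time(m["expiration"]),
    }


def lifetime_seconds(sig):
    """Signature lifetime: expiration minus inception, in seconds."""
    return int((sig["expiration"] - sig["inception"]).total_seconds())


def unbound_skew_seconds(sig, skew_min=3600, skew_max=86400):
    """Skew allowance as unbound.conf(5) describes it: 10% of the lifetime,
    bounded below by val-sig-skew-min and above by val-sig-skew-max
    (defaults 3600 and 86400). Reproduced from the documentation, not Unbound's code."""
    return min(max(lifetime_seconds(sig) // 10, skew_min), skew_max)


def seconds_outside_window(sig, now):
    """0 if `now` is inside [inception, expiration]; negative seconds before
    inception; positive seconds past expiration."""
    if now < sig["inception"]:
        return -int((sig["inception"] - now).total_seconds())
    if now > sig["expiration"]:
        return int((now - sig["expiration"]).total_seconds())
    return 0


def check_signature(sig, now, skew=0):
    """'valid', 'not yet valid' or 'expired' for a validator whose clock reads
    `now`, after widening the window by `skew` seconds on each side
    (RFC 4035 s5.3.1 makes both bounds inclusive)."""
    off = seconds_outside_window(sig, now)
    if off < -skew:
        return "not yet valid"
    if off > skew:
        return "expired"
    return "valid"


def parse_dig_when(line, zone_offsets):
    """Parse a dig ';; WHEN:' line. dig prints only a zone abbreviation, so the
    caller supplies a mapping from abbreviation to UTC offset in hours."""
    m = re.search(r"WHEN:\s+\w{3} (\w{3}) +(\d+) (\d\d:\d\d:\d\d) (\w+) (\d{4})", line)
    if m is None:
        raise ValueError("not a dig WHEN line: %r" % line)
    mon, day, hms, zone, year = m.groups()
    naive = datetime.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
    return naive.replace(tzinfo=timezone(timedelta(hours=zone_offsets[zone])))


if __name__ == "__main__":
    sig = parse_rrsig(SAMPLE_RRSIG)
    skew = unbound_skew_seconds(sig)
    print("lifetime %ds, skew allowance %ds" % (lifetime_seconds(sig), skew))
    for when in (";; WHEN: Mon Mar 18 18:42:15 UTC 2024",   # the reply's query
                 ";; WHEN: Mon Mar 18 18:02:25 PDT 2024"):  # the quoted failing query
        now = parse_dig_when(when, {"UTC": 0, "PDT": -7})
        print(when, "->", check_signature(sig, now),
              "/ with skew:", check_signature(sig, now, skew),
              "(%+ds from window)" % seconds_outside_window(sig, now))
```

The same check works on any RRSIG copied from `dig +dnssec +multiline` output: a result of "expired" or "not yet valid" that flips to "valid" once the skew allowance is applied points at a clock a few minutes off; one that stays outside the window, as here, points at a clock or timezone setting that is hours wrong, which no sane skew setting should be widened to cover.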
