On 23.5.2018 15:58, Petr Špaček via Unbound-users wrote:
On 23.5.2018 15:46, W.C.A. Wijngaards via Unbound-users wrote:
Hi Hank,

On 23/05/18 15:23, Hank Barta via Unbound-users wrote:
Hi all,
I use pfSense for my firewall and have selected the unbound resolver for
DNS on my home LAN. I have configured this to use Cloudflare DNS with
DNSSEC enabled.  In addition to checking the "Enable DNSSEC Support"
checkbox on the DNS Resolver configuration page I have added the custom
options

The 1.1.1.1 server responds without DNSSEC for coder.show DS queries.
And for an insecure referral it needs DS denial information for type DS,
e.g. the NSEC or NSEC3 from the .show TLD.

Without the forward to 1.1.1.1 it works fine for me.  So it doesn't seem
to be the .show TLD or coder.show site, but the 1.1.1.1 unsigned CNAME
for qtype DS.

A workaround is domain-insecure: "coder.show" in unbound.conf

This is most likely a bug in Knot Resolver and we are working on a fix:
https://gitlab.labs.nic.cz/knot/knot-resolver/issues/359

For the record:
We found out that domain coder.show is misconfigured in a way which breaks even 30-year-old DNS standards.

See this:

$ dig +dnssec @ns2.hover.com. coder.show DS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50641
;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;coder.show.                    IN      DS

;; ANSWER SECTION:
coder.show.             900     IN      CNAME   hosted.fireside.fm.


$ dig +dnssec @ns2.hover.com. coder.show NS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24968
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;coder.show.                    IN      NS

;; ANSWER SECTION:
coder.show.             900     IN      NS      ns2.hover.com.
coder.show.             900     IN      NS      ns1.hover.com.


I.e. this domain has a CNAME at the apex, which is a violation of DNS standards, namely
https://tools.ietf.org/html/rfc1034#section-3.6.2

Please contact the domain owner and ask for a fix. (It seems that all the domains mentioned in the ticket have the same issue.)

It might work elsewhere but this is not guaranteed (i.e. works accidentally).

Thank you for understanding.

--
Petr Špaček  @  CZ.NIC
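
A small check for the two conditions discussed in this thread: the apex CNAME that violates RFC 1034 section 3.6.2, and the DS denial (NSEC/NSEC3 from the parent) that a validating resolver needs before it can treat a delegation as insecure. This is an added example written for this page, not code from Unbound, Knot Resolver, pfSense or any of the posters. The coder.show NS and CNAME lines are taken from the dig output quoted above; the NSEC and DS records, and the function names, are constructed for illustration.

```python
"""Checks for the two DNS conditions discussed in the thread above.

Added example for this page; not code from Unbound, Knot Resolver or any
participant.  Records are in dig presentation format (owner TTL class
type rdata).  The coder.show NS and CNAME records are copied from the
quoted dig output; the NSEC and DS records below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    owner: str
    ttl: int
    rrtype: str
    rdata: str


def parse_rr(line: str) -> RR:
    """Parse one dig-style line, e.g. 'coder.show. 900 IN CNAME hosted.fireside.fm.'"""
    fields = line.split()
    if len(fields) < 4 or fields[2].upper() != "IN":
        raise ValueError(f"not a dig-style IN record: {line!r}")
    owner, ttl, _cls, rrtype = fields[:4]
    return RR(owner.lower(), int(ttl), rrtype.upper(), " ".join(fields[4:]))


def parse_section(text: str) -> list[RR]:
    """Parse a pasted dig section, skipping blank lines and ';' comments."""
    return [parse_rr(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith(";")]


# Types that may legitimately share an owner with a CNAME (DNSSEC exception).
CNAME_COMPANIONS = {"CNAME", "RRSIG", "NSEC"}


def apex_cname_violations(records: list[RR]) -> list[str]:
    """RFC 1034 section 3.6.2: a name that owns a CNAME may own no other data.
    Return every owner that breaks this; a zone apex (which must own NS and
    SOA) is the classic offender, as coder.show is here."""
    types_by_owner: dict[str, set[str]] = defaultdict(set)
    for rr in records:
        types_by_owner[rr.owner].add(rr.rrtype)
    return sorted(owner for owner, types in types_by_owner.items()
                  if "CNAME" in types and types - CNAME_COMPANIONS)


def classify_ds_response(qname: str, answer: list[RR], authority: list[RR]) -> str:
    """What a validator needs from a DS query for a delegation:
      'secure'       - a DS RRset for qname in the answer
      'insecure'     - no DS, but NSEC/NSEC3 in the authority section proving
                       the parent holds no DS (the denial Unbound expects
                       from the .show TLD)
      'unverifiable' - neither, e.g. the child's apex CNAME echoed back; the
                       validator cannot decide and the lookup fails"""
    qname = qname.lower().rstrip(".") + "."
    if any(rr.owner == qname and rr.rrtype == "DS" for rr in answer):
        return "secure"
    if any(rr.rrtype in ("NSEC", "NSEC3") for rr in authority):
        return "insecure"
    return "unverifiable"


# From the thread's dig output against ns2.hover.com.
CHILD_NS_ANSWER = """\
coder.show.             900     IN      NS      ns2.hover.com.
coder.show.             900     IN      NS      ns1.hover.com.
"""
CHILD_DS_ANSWER = """\
coder.show.             900     IN      CNAME   hosted.fireside.fm.
"""
# Constructed: a parent zone's authority section proving an insecure
# delegation (NSEC at the delegation name whose type bitmap lacks DS).
PARENT_NSEC_DENIAL = """\
coder.show.             3600    IN      NSEC    coders.show. NS RRSIG NSEC
"""


def audit() -> dict[str, object]:
    """Run both checks over the sample records and return the findings."""
    child_records = parse_section(CHILD_NS_ANSWER) + parse_section(CHILD_DS_ANSWER)
    return {
        "apex_cname": apex_cname_violations(child_records),
        "ds_via_child_cname": classify_ds_response(
            "coder.show", parse_section(CHILD_DS_ANSWER), []),
        "ds_via_parent_nsec": classify_ds_response(
            "coder.show", [], parse_section(PARENT_NSEC_DENIAL)),
    }


if __name__ == "__main__":
    for check, result in audit().items():
        print(f"{check}: {result}")
```

Running it reports coder.show as an apex CNAME violation, classifies the CNAME-for-DS answer as unverifiable (which is why validation fails without the `domain-insecure` workaround), and shows that a proper NSEC denial from the parent would let the resolver conclude the delegation is merely insecure.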
