dnsmasq returns (false) "bogus" result for DNSSEC validation

dnsmasq dnssec debian-jessie
5,636

Solution 1

That's due to CloudFlare(CDN provider of IETF) choosing ECDSAP256SHA256 as their signature algorithm. Dnsmasq has implemented ECDSA since 2.69, however it was broken and not fixed until 2.73 which was released in March 2015. Thus, you'll need a newer dnsmasq or patched version to resolve it correctly.

From the dnsmasq change log in the 2.73 section:

Fix broken DNSSEC validation of ECDSA signatures.

From the Cloudflare DS record set:

cloudflare.net. 86400 IN DS 2371 13 2 90F710A107DA51ED78125D30A68704CF3C0308AFD01BFCD7057D4BD0 3B62C68B

The 13 is the algorithm type. Each allowed algorithm in DNSSEC has a specified number. Algorithm 13 is ECDSA with a P-256 curve using SHA-256.

Finally dig +trace ds www.ietf.org includes a CNAME record going through Cloudflare.

www.ietf.org. 1800 IN CNAME www.ietf.org.cdn.cloudflare-dnssec.net.

Solution 2

Its happening to me using the latest dnscrypt 2.0.8 and the latest dnssec 2.79; This was temporary and lasted for only 12 minutes.

So it is not limited to earlier versions. According to the section "DNS Pitfalls" in A Case for Comprehensive DNSSEC Monitoring and Analysis Tools (emphasis added):

B. Bogus validation caused by misconfiguration

In this section we describe some of the causes of validation failures from a perspective of misconfiguration. In any case, an RRset deemed bogus also invalidates any dependent RRsets. For example, a bogus DNSKEY RRset means that all of the RRsets whose RRSIGs would be potentially validated by those DNSKEYs are also bogus.

...

Bogus: The validator is unable to form a chain of trust between the RRset and a trust anchor and is unable to securely show that no such chain should exist. Example: an expired RRSIG covering an RRset in the secure.com results a bogus response; likewise, the presence of a DS for the broken.com zone, in which there are no DNSKEYs present, results in a bogus status for any RRset in the zone

While a secure validation is ideal, an insecure outcome is also usable and is equivalent to normal, unauthenticated name resolution. However, a bogus outcome is an indicator that validation failed—either because the DNS data has been tampered with or because of misconfiguration. The response returned to a recursive (i.e., on behalf of another client) query which a validator renders bogus has SERVFAIL error status and contains no DNS data, an indication of general name resolution failure. An end user cannot distinguish a SERVFAIL response caused by data tampering from one caused by misconfiguration. In either case, however, the end result is the same: the name in question cannot be resolved. This study focuses on bogus validation caused by misconfiguration.

Share:
5,636

Related videos on Youtube

comfreak
Author by

comfreak

Updated on September 18, 2022

Comments

  • comfreak
    comfreak almost 2 years

    I'm running a local Debian 8.1 installation with a DNSSEC-validating DNS-Resolver called dnsmasq (version 2.72-3+deb8u1).

    I set it up to return a SERVFAIL if it isn't able to validate a DNSSEC-enabled domain, i.e. if the domain has a DNSSEC entry it must validate correctly in order to be forwarded on to the client.

    While I was browsing today I wanted to visit the rather famous site of the IETF but I couldn't because the domain couldn't be resolved. I checked with the commandline to verify this and I got indeed a SERVFAIL. I checked with the Google DNS server (8.8.8.8) and got no SERVFAIL but the IP address.

    After that I enabled logging for each dns request and checked the results. It seems that my feeling was right and the DNSSEC validation failed, even though it got the same response from the DNS forwarders like I got from Google.

    Here the corresponding lines of my syslog:

    Sep  5 13:27:13 dnsmasq: query[A] www.ietf.org from 192.168.1.10
Sep  5 13:27:13 dnsmasq: forwarded www.ietf.org to 81.3.21.188
Sep  5 13:27:13 dnsmasq: forwarded www.ietf.org to 178.63.73.246
Sep  5 13:27:13 dnsmasq: dnssec-query[DNSKEY] ietf.org to 81.3.21.188
Sep  5 13:27:13 dnsmasq: dnssec-query[DS] ietf.org to 81.3.21.188
Sep  5 13:27:13 dnsmasq: dnssec-query[DNSKEY] org to 81.3.21.188
Sep  5 13:27:13 dnsmasq: dnssec-query[DS] org to 81.3.21.188
Sep  5 13:27:13 dnsmasq: dnssec-query[DNSKEY] . to 81.3.21.188
Sep  5 13:27:13 dnsmasq: reply . is DNSKEY keytag 1518
Sep  5 13:27:13 dnsmasq: reply . is DNSKEY keytag 19036
Sep  5 13:27:13 dnsmasq: reply org is DS keytag 21366
Sep  5 13:27:13 dnsmasq: reply org is DS keytag 21366
Sep  5 13:27:13 dnsmasq: reply org is DNSKEY keytag 19629
Sep  5 13:27:13 dnsmasq: reply org is DNSKEY keytag 21366
Sep  5 13:27:13 dnsmasq: reply org is DNSKEY keytag 9795
Sep  5 13:27:13 dnsmasq: reply org is DNSKEY keytag 12023
Sep  5 13:27:13 dnsmasq: reply ietf.org is DS keytag 45586
Sep  5 13:27:13 dnsmasq: reply ietf.org is DS keytag 45586
Sep  5 13:27:13 dnsmasq: reply ietf.org is DNSKEY keytag 45586
Sep  5 13:27:13 dnsmasq: reply ietf.org is DNSKEY keytag 40452
Sep  5 13:27:13 dnsmasq: dnssec-query[DNSKEY] cloudflare-dnssec.net to 81.3.21.188
Sep  5 13:27:13 dnsmasq: dnssec-query[DS] cloudflare-dnssec.net to 81.3.21.188
Sep  5 13:27:13 dnsmasq: dnssec-query[DNSKEY] net to 81.3.21.188
Sep  5 13:27:13 dnsmasq: dnssec-query[DS] net to 81.3.21.188
Sep  5 13:27:13 dnsmasq: reply net is DS keytag 35886
Sep  5 13:27:13 dnsmasq: reply net is DNSKEY keytag 45464
Sep  5 13:27:13 dnsmasq: reply net is DNSKEY keytag 35886
Sep  5 13:27:13 dnsmasq: reply cloudflare-dnssec.net is DS keytag 537
Sep  5 13:27:13 dnsmasq: reply cloudflare-dnssec.net is BOGUS DNSKEY
Sep  5 13:27:13 dnsmasq: validation result is BOGUS
Sep  5 13:27:13 dnsmasq: reply www.ietf.org is <CNAME>
Sep  5 13:27:13 dnsmasq: reply www.ietf.org.cdn.cloudflare-dnssec.net is 104.20.0.85
Sep  5 13:27:13 dnsmasq: reply www.ietf.org.cdn.cloudflare-dnssec.net is 104.20.1.85

    Now I am not sure if the domain is temporarily misconfigured or my connection is being tampered with or if my DNS server is misconfigured, even though every other domain so far worked fine, including "ietf.org" (without the www).

    If someone could help me trace the issue, I would be thankful.

    • comfreak
      comfreak over 8 years
      After a month this issue still seems to be present, so it is probably not that my connection is being tampered with, but I am still confused about what is causing this weird behaviour.
  • comfreak
    comfreak over 8 years
    Thanks for your answer to this rather old question. Since I couldn't upgrade to the newer version (Debian only has 2.72 in its wheezy repo) I decided to switch to unbound which seems to work as well.
  • Massimo
    Massimo about 5 years
    A long time ago... but I think useful: it is easy to compile dnsmasq from its source code.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How to block domains using Bind / Named for local protection?
When “vagrant up” it says “It appears your machine doesn't support NFS” (Debian jessie)
Debian 8: unable to locate package
DNSMasq forwarding on specific domains
Setting Up Docker Dnsmasq
Can not restart dnsmasq due to " configuration syntax check [fail]"
/var/run/dnsmasq/resolv.conf nameserver contents
how to setup split-dns for vpn with network-manager
Lost editing DNS config in Ubuntu 18.04
Troubleshooting dnsmasq