These are chat archives for CZ-NIC/knot-resolver

14th Feb 2019
edoo
@ookangzheng
Feb 14 03:23
Capto_Capture 2019-02-14_11-21-11_AM.png
I got this message, what does it mean
Robert Šefr
@robcza
Feb 14 08:24

we have encountered a dnssec validation issue with domain kamery.humlnet.cz. Tested on kres 2.4.1 and 3.2.1, same result [vldr] <= bad keys, broken trust chain
https://gist.github.com/robcza/26d8157f5483129f941ed66a578d4f9d

However I was not able to confirm the DNSSEC issue anywhere else. Is it because kres is more strict?

Vladimír Čunát
@vcunat
Feb 14 08:28
There are some expired keys/signatures; I'll have to look in more detail if it's still acceptable or not. Apparently it is accepted by big resolvers. http://dnsviz.net/d/kamery.humlnet.cz/dnssec/
Robert Šefr
@robcza
Feb 14 08:30
even with cloudflare, which is confusing as I would expect their resolver will behave basically the same in terms of dnssec
Petr Špaček
@pspacek
Feb 14 08:31
Well, it does validate for me using BIND...
It seems that only orion.humlnet.cz. 3505 IN A 194.12.32.253 has old signatures.
alpha.humlnet.cz. seems to be okay, so you might have had bad luck. We are aware of a bug where kresd does not retry after SERVFAIL and are working on a fix right now.
[This might be somehow related.]
Vladimír Čunát
@vcunat
Feb 14 08:34
kdig @orion.humlnet.cz. kamery.humlnet.cz. +dnssec +nocr
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 39937
;; Flags: qr aa rd; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: NOERROR

;; QUESTION SECTION:
;; kamery.humlnet.cz.           IN      A

;; ANSWER SECTION:
kamery.humlnet.cz.      3600    IN      A       194.12.32.197
kamery.humlnet.cz.      3600    IN      RRSIG   A 7 3 3600 20190201234709 20190102225019 54269 humlnet.cz. [omitted]

;; Received 360 B
;; Time 2019-02-14 09:34:39 CET
;; From 194.12.32.253@53(UDP) in 10.1 ms
Swapped the date of inception and expiry, very funny.
Petr Špaček
@pspacek
Feb 14 08:36
Nope, this is correct ordering. First expiry and then inception. See https://tools.ietf.org/html/rfc4034#section-3.2 and https://tools.ietf.org/html/rfc4034#section-3.1
Vladimír Čunát
@vcunat
Feb 14 08:38
Exactly.
The first date is in the past.
And the second one is in the future.
Their other NS answers it right.
But it doesn't answer over UDPv6.
(perhaps because the answer has 1668 bytes)
Robert Šefr
@robcza
Feb 14 08:39
they both seem in the past :O
Vladimír Čunát
@vcunat
Feb 14 08:39
Ah, right, thanks :-)
I'm not good at reading these chunks of digits.
Robert Šefr
@robcza
Feb 14 08:40
:)
Vladimír Čunát
@vcunat
Feb 14 08:40
Anyway, it's a bad signature.
Petr Špaček
@pspacek
Feb 14 08:40
In any case kresd have retried other servers. We should improve this ...
Robert Šefr
@robcza
Feb 14 08:41
:thumbsup: thanks a lot, have to bookmark dnsviz, I always forget this tool
Vladimír Čunát
@vcunat
Feb 14 09:05
@ookangzheng: it means that kresd crashed but it doesn't show any hint about the cause. sudo coredumpctl info might show a useful stack trace, especially if you have debugging symbols installed for kresd.
edoo
@ookangzheng
Feb 14 09:08
Nope, nothing returned.
just some random crash I think. While I load external hints file.
Vladimír Čunát
@vcunat
Feb 14 09:17
Is it reproducible with loading that file again?
micah
@micah
Feb 14 14:09
@vcunat in case you need any further debugging info from me regarding the issue with things falling back into SERVFAIL state, I'm only able to provide it in the next two days. After that I will be AFK for 2 weeks. Don't mean to put pressure, just wanted to let you know in case you needed something and then can't get me to respond and think I gave up :)
Vladimír Čunát
@vcunat
Feb 14 14:11
@micah: I believe I have all the necessary information from you, but apparently it won't be as fast as I hoped.
edoo
@ookangzheng
Feb 14 14:55

@vcunat yap
my configure

modules = {
        'policy',
        'hints > iterate',
        'serve_stale < cache',
        'workarounds < iterate'
}

hints.add_hosts('/etc/knot-resolver/hints.list')

Inside my hints.list,

2404:6800:4008:c06::be      scholar.google.com
2404:6800:4008:c06::be      scholar.google.com.hk
2404:6800:4008:c06::be      scholar.google.com.tw
2404:6800:4005:805::200e    scholar.google.cn #www.google.cn

127.0.0.1 wpad.lan
127.0.0.1 wpad
127.0.0.1 foo.bar
127.0.0.1 example
127.0.0.1 local
127.0.0.1 i2p
127.0.0.1 home
127.0.0.1 zghjccbob3n0
127.0.0.1 dhcp
127.0.0.1 lan
127.0.0.1 localdomain
127.0.0.1 ip
127.0.0.1 internal
127.0.0.1 openstacklocal
127.0.0.1 dlink
127.0.0.1 gateway
127.0.0.1 corp
127.0.0.1 workgroup
127.0.0.1 belkin
127.0.0.1 davolink
127.0.0.1 z
127.0.0.1 domain
127.0.0.1 virtualmin
Petr Špaček
@pspacek
Feb 14 15:13
@ookangzheng I'm unable to reproduce your problem, it does not crash on my machine. Please make sure you are using the version 3.2.1.
edoo
@ookangzheng
Feb 14 15:14
yap, latest version on Debian9
Petr Špaček
@pspacek
Feb 14 15:14
Is it 3.2.1? AFAIK Debian does not ship this version in official repos ...
Try command dpkg -l knot-resolver
edoo
@ookangzheng
Feb 14 15:15
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version      Architecture Description
+++-==============-============-============-=======================================
ii  knot-resolver  3.2.1-1      amd64        caching, DNSSEC-validating DNS resolver
Petr Špaček
@pspacek
Feb 14 15:16
Interesting. I have no idea why it could crash. I've tried to make the file unreadable but that triggers normal error message, not a crash.
edoo
@ookangzheng
Feb 14 15:18
will it show error message when I run with -v?
Petr Špaček
@pspacek
Feb 14 15:19
An error message about unreadable file will be displayed even without -v.
edoo
@ookangzheng
Feb 14 15:27
I put them into this hints['localhost'] = '::1'
then no problem
Petr Špaček
@pspacek
Feb 14 15:27
Sorry, I do not understand. Can you rephrase it?
edoo
@ookangzheng
Feb 14 15:29
I mean I put all domain names from hints.list into this
hints['localhost'] = '::1'
Then everything works fine.
Petr Špaček
@pspacek
Feb 14 15:29
I see. That's very interesting ... so the problem might really be in the file loading.
Please try to run strace -f kresd <kresd params as usual>... and let it crash. Then paste last couple lines from output (it will be huge, last 20 lines should be enough).
edoo
@ookangzheng
Feb 14 15:35
no crash so far, I will run it with the screen cmd, leave it for a couple of hours and see what will happen.
edoo
@ookangzheng
Feb 14 15:46
1 question, does knot-resolver support EDNS client subnet?
Can I try with this cmd?
kdig @::1 dig-7.kxcdn.com +client=70.155.255.2
Petr Špaček
@pspacek
Feb 14 15:46
Knot Resolver does not support ECS so it will be ignored.
edoo
@ookangzheng
Feb 14 15:46
cool
edoo
@ookangzheng
Feb 14 16:29
Does this matter?
image.png
I ran spoofability test, here is the result: Good, not Excellent
image.png
Petr Špaček
@pspacek
Feb 14 16:39
Two datapoints are not enough to say anything about it.
Oh, I haven't seen the last message ;-)
Petr Špaček
@pspacek
Feb 14 16:49
It depends on how they are testing it. Source port randomization is done by kernel so it is as good as your operating system.
(Usually the OS does not try so hard if the peer IP address is the same; it would try harder if they were testing from 5000 distinct IP addresses.)
I have to go, see you later!
Please post the URL here so we can see later on.
Vladimír Čunát
@vcunat
Feb 14 17:51
This is from grc.com - I had seen these tests long ago, but I found no issue in kresd based on them.