[getdns-users] First release candidate for getdns-1.2.1 - but still trouble

Willem Toorop willem at nlnetlabs.nl
Tue Nov 7 12:27:45 UTC 2017


Andreas,

Are you very certain you use the latest getdns library?  i.e. the 1.2.1
release candidate from the tarball from the website, or git checkout
from the release/1.2.1 branch.  I have recent commits that make dnssec
validation work with bind upstreams (i.e. the dnsovertls.sinodun.com
ones).  You can check by using the getdnsapi.net upstream instead of the
sinodun (which is unbound and didn't have the issue).

Also, I am pretty sure you were able to validate the root DNSKEY rrset
with the trust anchor you provided (you can check with dig . dnskey
+dnssec), because otherwise the root-anchors.xml and p7s files would have
been downloaded from data.iana.org.

About that.  If you do not configure a trust-anchor and don't have a
trust-anchor on the default location, getdns will fetch them from
iana.org for you.

The actual output of stubby -i might be helpful.
Could you send that off-list?

-- Willem

On 06-11-17 at 20:48, A. Schulze wrote:
> 
> 
> On 03.11.2017 at 21:50, Willem Toorop wrote:
> 
>> We have a first release candidate for the upcoming 1.2.1 bugfix release
>> of getdns.
> 
> Hello Willem,
> 
> I compiled the version - no warnings - no noise.
> 
> But - unrelated to this version - I still have trouble if "dnssec_return_status: GETDNS_EXTENSION_TRUE" is enabled.
> In this case I get no answers.
> 
> here is my working setup:
> 
> # cat /etc/resolv.conf
> nameserver 127.0.0.1
> 
> # cat /etc/unbound/root.key
> . IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
> . IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
> 
> # cat /root/.stubby.yml
> dns_transport_list:
>   - GETDNS_TRANSPORT_TLS
> tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
> #dnssec_return_status: GETDNS_EXTENSION_TRUE
> listen_addresses:
>   - 127.0.0.1
> upstream_recursive_servers:
>   - address_data: 145.100.185.15
>     tls_auth_name: "dnsovertls.sinodun.com"
>     tls_pubkey_pinset:
>       - digest: "sha256"
>         value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
> 
> # stubby -C /root/.stubby.yml -i > /dev/null | tail -n 1
> [19:25:53.102282] STUBBY: Read config from file /root/.stubby.yml
> Result: Config file syntax is valid.
> 
> # stubby -C /root/.stubby.yml &
> 
> # dig dnssec-failed.org +dnssec +noall +answer
> 
> ;; ANSWER SECTION:
> dnssec-failed.org.      7155    IN      A       69.252.80.75
> dnssec-failed.org.      7155    IN      RRSIG   A 5 2 7200 20171113150538 20171102150038 44973 dnssec-failed.org. juxwes...nsQE=
> 
> # dig andreasschulze.de +dnssec +noall +answer
> 
> ;; ANSWER SECTION:
> andreasschulze.de.      439     IN      A       188.194.67.116
> andreasschulze.de.      544     IN      RRSIG   A 8 2 600 20171116191712 20171106191712 29011 andreasschulze.de. LWfRy...gg==
> 
> I expect to get no answer for dnssec-failed.org if I enable "dnssec_return_status: GETDNS_EXTENSION_TRUE"
> If I restart stubby I get this:
> 
> # dig dnssec-failed.org +dnssec
> 
> ; <<>> DiG 9.10.3-P4-Debian <<>> dnssec-failed.org +dnssec
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61836
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
> 
> ;; QUESTION SECTION:
> ;dnssec-failed.org.             IN      A
> 
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Mon Nov 06 20:38:54 CET 2017
> ;; MSG SIZE  rcvd: 35
> 
> -> that's fine!
> but:
> 
> # dig andreasschulze.de +dnssec
> 
> ; <<>> DiG 9.10.3-P4-Debian <<>> andreasschulze.de +dnssec
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33838
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
> 
> ;; QUESTION SECTION:
> ;andreasschulze.de.             IN      A
> 
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Mon Nov 06 20:43:03 CET 2017
> ;; MSG SIZE  rcvd: 35
> 
> That's not so good :-/
> 
> The only thing I noticed: a new directory "/root/.getdns/" was created. But the directory is empty.
> Did I misunderstand something completely, or are some files missing in my package?
> 
> Andreas
> _______________________________________________
> Users mailing list
> Users at getdnsapi.net
> https://getdnsapi.net/mailman/listinfo/users
> 
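The check Willem suggests above (does the trust anchor in root.key actually match the root DNSKEY RRset that `dig . dnskey +dnssec` returns?) can be done offline by computing the DS digest of each DNSKEY per RFC 4034 and comparing it with the configured DS lines. This is an added example, not code from the thread or from getdns/stubby; the DNSKEY line is a constructed sample with throwaway key bytes, so it will not match the real root DS records quoted from root.key, while the two DS lines are the ones from the message.

```python
import base64
import hashlib

# Constructed inputs (not real root key material): one DNSKEY line in the
# presentation format `dig . dnskey` prints, plus the DS lines from root.key.
SAMPLE_DNSKEY = ". 172800 IN DNSKEY 257 3 8 AQIDBA=="
ROOT_KEY_DS = [
    ". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5",
    ". IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D",
]
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def name_to_wire(name):
    """Canonical (lowercase) wire form of an owner name; '.' is a single zero byte."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (16-bit word sum with carry fold)."""
    ac = sum((b << 8) if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_dnskey(line):
    """Return (owner, RDATA bytes) from a presentation-format DNSKEY line."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    return fields[0], flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey

def ds_from_dnskey(line, digest_type=2):
    """Compute (key_tag, algorithm, digest_type, DIGEST) exactly as a DS record carries it."""
    owner, rdata = parse_dnskey(line)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest

def parse_ds(line):
    """Return (key_tag, algorithm, digest_type, DIGEST) from a presentation-format DS line."""
    fields = line.split()
    i = fields.index("DS")
    return int(fields[i + 1]), int(fields[i + 2]), int(fields[i + 3]), "".join(fields[i + 4:]).upper()

def matching_anchors(dnskey_lines, ds_lines):
    """Key tags of DNSKEYs whose computed DS equals one of the configured trust anchors."""
    anchors = {parse_ds(line) for line in ds_lines}
    found = []
    for line in dnskey_lines:
        for dtype in DIGESTS:
            if ds_from_dnskey(line, dtype) in anchors:
                found.append(ds_from_dnskey(line, dtype)[0])
    return found
```

Feed it the real `dig . dnskey +dnssec` output instead of SAMPLE_DNSKEY: an empty result means none of the root KSKs match root.key, which is when getdns falls back to fetching root-anchors.xml.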