[getdns-users] First release candidate for getdns-1.2.1 - but still trouble

A. Schulze sca at andreasschulze.de
Tue Nov 7 17:03:14 UTC 2017



On 07.11.2017 at 13:27, Willem Toorop wrote:
> Andreas,
> 
> Are you very certain you use the latest getdns library?  i.e. the 1.2.1
> release candidate from the tarball from the website, or git checkout
> from the release/1.2.1 branch.
I'm very sure I'm using the right version:

# ldd /usr/bin/stubby | grep getdns
        libgetdns.so.6 => /usr/lib/x86_64-linux-gnu/libgetdns.so.6

# strings /usr/lib/x86_64-linux-gnu/libgetdns.so.6 | grep -F 1.2
1.2.1-rc1
getdns 1.2.1-rc1 configured on 2017-11-07T16:39:09Z for the December 2015 version of the API

>  I have recent commits that make dnssec
> validation work with bind upstreams (i.e. the dnsovertls.sinodun.com
> ones).  You can check by using the getdnsapi.net upstream instead of the
> sinodun (which is unbound and didn't have the issue).

Nothing changed between dnsovertls.sinodun.com and getdnsapi.net.

> Also, I am pretty sure you were able to validate the root DNSKEY rrset
> with the trust anchor you provided (you can check with dig . dnskey
> +dnssec), because otherwise the root-anchors.xml and p7s files would have
> been downloaded from data.iana.org.

Running "strace -f stubby 2>&1 | grep -e ^open -e ^stat" I found a problem:

stubby tries to stat "/etc/unbound/getdns-root.key", which did not exist.
I copied my /etc/unbound/root.key to that name and now get answers.
But only for questions without the DO flag.

> About that.  If you do not configure a trust-anchor and don't have a
> trust-anchor on the default location, getdns will fetch them from
> iana.org for you.
I never saw any download activity.

> The actual output of stubby -i might be helpful.
# cat .stubby.yml
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
dnssec_return_status: GETDNS_EXTENSION_TRUE
listen_addresses:
  - 127.0.0.1
upstream_recursive_servers:
  - address_data: 185.49.141.37
    tls_auth_name: "getdnsapi.net"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=

# stubby -i > /tmp/stubby-i.txt 2>&1

... file attached ...

One other point to note:
Using strace I also saw stubby trying to find the CA file in /etc/ssl/certs.
There is no other error message than "validation failed" if a required CA file is not present.


Andreas
-------------- next part --------------
[16:55:47.352587] STUBBY: Read config from file /root/.stubby.yml
Result: Config file syntax is valid.
{
  "all_context":
  {
    "appdata_dir": <bindata of "/root/.getdns/">,
    "append_name": GETDNS_APPEND_NAME_TO_SINGLE_LABEL_FIRST,
    "dns_transport_list":
    [
      GETDNS_TRANSPORT_TLS
    ],
    "dnssec_allowed_skew": 0,
    "edns_client_subnet_private": 1,
    "edns_do_bit": 0,
    "edns_extended_rcode": 0,
    "edns_version": 0,
    "follow_redirects": GETDNS_REDIRECTS_FOLLOW,
    "idle_timeout": 10000,
    "limit_outstanding_queries": 0,
    "namespaces":
    [
      GETDNS_NAMESPACE_LOCALNAMES,
      GETDNS_NAMESPACE_DNS
    ],
    "resolution_type": GETDNS_RESOLUTION_STUB,
    "round_robin_upstreams": 1,
    "suffix": [],
    "timeout": 5000,
    "tls_authentication": GETDNS_AUTHENTICATION_REQUIRED,
    "tls_backoff_time": 3600,
    "tls_connection_retries": 2,
    "tls_query_padding_blocksize": 256,
    "trust_anchors_url": <bindata of "http://data.iana.org/root-anchor"...>,
    "trust_anchors_verify_CA": <bindata of 0x2d2d2d2d2d424547494e204345525449...>,
    "trust_anchors_verify_email": <bindata of "dnssec at iana.org">,
    "upstream_recursive_servers":
    [
      {
        "address_data": <bindata for 185.49.141.37>,
        "address_type": <bindata of "IPv4">,
        "tls_auth_name": <bindata of "getdnsapi.net">,
        "tls_pubkey_pinset":
        [
          {
            "digest": <bindata of "sha256">,
            "value": <bindata of foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=>
          }
        ]
      }
    ]
  },
  "api_version_number": 132058112,
  "api_version_string": <bindata of "December 2015">,
  "compilation_comment": <bindata of "getdns 1.2.1-rc1 configured on 2"...>,
  "implementation_string": <bindata of "https://getdnsapi.net">,
  "listen_addresses":
  [
     <bindata of 0x7f000001>
  ],
  "resolution_type": GETDNS_RESOLUTION_STUB,
  "trust_anchor_file": <bindata of "/etc/unbound/getdns-root.key">,
  "version_number": 16908481,
  "version_string": <bindata of "1.2.1-rc1">
}


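The tls_pubkey_pinset value in the configuration above (and in the stubby -i dump) is an RFC 7469 style pin: the base64 of the SHA-256 over the DER-encoded SubjectPublicKeyInfo of the upstream's certificate. Anyone reproducing this setup against another upstream needs to derive that value themselves, so here is an added example of how it is computed. This is not code from the getdns project or from the original post; it uses only the Python standard library, walks the DER of a certificate with a minimal TLV parser, and, so that it runs offline, builds a toy certificate from fabricated key bytes (the RSA modulus and the signature are filler, and the commonName "getdnsapi.net" is only there to mirror the tls_auth_name in the post).

```python
"""Compute a stubby/getdns tls_pubkey_pinset value from a DER certificate.

Added example, not code from the getdns project or the original post.
A pin is base64(SHA-256(DER SubjectPublicKeyInfo)), as in RFC 7469.
"""
import base64
import hashlib

SEQ, INT, BITSTR, NULL, OID, UTF8, SET, UTCTIME, CTX0 = (
    0x30, 0x02, 0x03, 0x05, 0x06, 0x0C, 0x31, 0x17, 0xA0)


def der_tlv(data, offset=0):
    """Parse one DER tag/length/value at offset; return (tag, value, next_offset)."""
    tag = data[offset]
    length = data[offset + 1]
    pos = offset + 2
    if length & 0x80:                      # long form: next N bytes carry the length
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def der_children(value):
    """Split a constructed DER value into its raw child TLVs (header included)."""
    children, off = [], 0
    while off < len(value):
        start = off
        _, _, off = der_tlv(value, off)
        children.append(value[start:off])
    return children


def extract_spki(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV from a DER X.509 certificate.

    Certificate    ::= SEQ { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQ { [0] version OPTIONAL, serialNumber, signature,
                             issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, cert_body, _ = der_tlv(cert_der)
    if tag != SEQ:
        raise ValueError("not a DER SEQUENCE")
    _, tbs_body, _ = der_tlv(der_children(cert_body)[0])
    fields = der_children(tbs_body)
    if fields[0][0] == CTX0:               # explicit [0] version present: skip it
        fields = fields[1:]
    return fields[5]                       # serial, sigalg, issuer, validity, subject, SPKI


def pin_from_spki(spki_der):
    """RFC 7469 pin: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def spki_pin(cert_der):
    return pin_from_spki(extract_spki(cert_der))


def pinset_entry(cert_der):
    """The dict shape stubby expects under upstream_recursive_servers[].tls_pubkey_pinset."""
    return {"digest": "sha256", "value": spki_pin(cert_der)}


def der_encode(tag, content):
    """Minimal DER encoder used only to build the offline test certificate."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def toy_certificate():
    """Constructed certificate with a fabricated RSA key (not a real key or signature).

    Returns (cert_der, spki_der) so callers can check the extractor against the
    SPKI that was put in.
    """
    rsa_oid = der_encode(OID, bytes.fromhex("2A864886F70D010101"))     # rsaEncryption
    sig_alg = der_encode(SEQ, der_encode(OID, bytes.fromhex("2A864886F70D01010B"))
                         + der_encode(NULL, b""))                      # sha256WithRSAEncryption
    fake_modulus = der_encode(INT, bytes(range(1, 65)))                # 64 filler bytes, not a key
    rsa_key = der_encode(SEQ, fake_modulus + der_encode(INT, b"\x01\x00\x01"))
    spki = der_encode(SEQ, der_encode(SEQ, rsa_oid + der_encode(NULL, b""))
                      + der_encode(BITSTR, b"\x00" + rsa_key))
    name = der_encode(SEQ, der_encode(SET, der_encode(SEQ,
                      der_encode(OID, bytes.fromhex("550403"))         # commonName
                      + der_encode(UTF8, b"getdnsapi.net"))))
    validity = der_encode(SEQ, der_encode(UTCTIME, b"171107000000Z")
                          + der_encode(UTCTIME, b"181107000000Z"))
    tbs = der_encode(SEQ, der_encode(CTX0, der_encode(INT, b"\x02"))   # version v3
                     + der_encode(INT, b"\x01") + sig_alg + name + validity + name + spki)
    cert = der_encode(SEQ, tbs + sig_alg + der_encode(BITSTR, b"\x00" + bytes(32)))
    return cert, spki


if __name__ == "__main__":
    cert_der, _ = toy_certificate()
    print(pinset_entry(cert_der))
```

Against a live upstream the same value is usually obtained with openssl: `openssl s_client -connect 185.49.141.37:853 -servername getdnsapi.net </dev/null 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64`, and the pin should match what the operator publishes; pinning the SPKI rather than the whole certificate is what lets the upstream renew the certificate without the pin changing, as long as the key is kept.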