
resolve: place RRSIG after the corresponding entries#23289

Merged
keszybz merged 6 commits intosystemd:mainfrom
yuwata:resolve-answer-add-rrsig
May 12, 2022

Conversation

@yuwata
Member

@yuwata yuwata commented May 6, 2022

Fixes #22002.

@yuwata yuwata added the resolve label May 6, 2022
@yuwata
Member Author

yuwata commented May 6, 2022

cc @pemensik and @mrc0mmand.

@yuwata yuwata added the ci-fails/needs-rework 🔥 Please rework this, the CI noticed an issue with the PR label May 6, 2022
@yuwata yuwata force-pushed the resolve-answer-add-rrsig branch from 0ba81d6 to 986201c Compare May 6, 2022 19:52
@yuwata yuwata added please-review and removed ci-fails/needs-rework 🔥 Please rework this, the CI noticed an issue with the PR labels May 6, 2022
yuwata added 6 commits May 7, 2022 15:14
When `exist->rr` and `rr` point to the same object, then it may be freed by
the `dns_resource_record_unref()`.

Previously, we managed DnsAnswerItem with an array and a Set.
The array was used for the order of the items, and the set was used to
dedup items.
Let's use OrderedSet, then we can simplify the logic.

This fixes dns_answer_remove_by_key() and dns_answer_remove_by_rr(),
which left the set in a broken state.
@yuwata yuwata force-pushed the resolve-answer-add-rrsig branch from 986201c to d1b8e56 Compare May 7, 2022 06:15
@mrc0mmand
Member

After adding the patches to #23104 it still complains:

Without resolved:

# delv @1.2.3.1 signed.test
;; /etc/bind.keys:1: option 'managed-keys' is deprecated
; fully validated
signed.test.		86400	IN	A	1.2.3.10
signed.test.		86400	IN	RRSIG	A 13 2 86400 20220525131112 20220511114112 10755 signed.test. jwTj/pd5vh9j4ZCu8rK8is7smeiwgALkmVtqslJfXipposoTYMAKCJcm wnyY0mxFCJKvExrH=

With resolved:

# delv  signed.test
;; /etc/bind.keys:1: option 'managed-keys' is deprecated
;; validating ./DNSKEY: got insecure response; parent indicates it should be secure
;; insecurity proof failed resolving './DNSKEY/IN': 127.0.0.53#53
;; broken trust chain resolving 'test/DS/IN': 127.0.0.53#53
;; broken trust chain resolving 'test/DNSKEY/IN': 127.0.0.53#53
;; broken trust chain resolving 'signed.test/DS/IN': 127.0.0.53#53
;; broken trust chain resolving 'signed.test/DNSKEY/IN': 127.0.0.53#53
;; broken trust chain resolving 'signed.test/A/IN': 127.0.0.53#53
;; resolution failed: broken trust chain

And the only difference, so far, seems to be that resolved doesn't return RRSIG for root zone DNSKEY RR?

Without resolved:

# dig @1.2.3.1 +dnssec +short dnskey signed.test
256 3 13 pLtYuApAJhjlA5xedo32jDbaZq8+G/Oqy3nfnqtusvMQGLs29APklfaM u6v5ebX6KDWJHByoMr8FOXL10SHhQg==
257 3 13 rGzgvSaq2Q1cpAR34Fv0OpkSzNQOyIrQscXZTyO/sfe5bu4MLiF6mCNy gGacPO2iQ+/doQlL3+hrfeSES/yzbw==
DNSKEY 13 2 86400 20220525131112 20220511114112 65295 signed.test. +JIwgFoyd6fJGBVS0rYT9i1iaeTMK8p/d/h8mYlOrHq2Re9YqckwBX3q tGvUCUNd8dRnlk8TBfFDxD8pTeBmfw==
# dig @1.2.3.1 +dnssec +short dnskey test
256 3 13 Jx+3nXOTQhvtUMlqya7LT3gFfcmqzpP4luOkXmL30UMGLs1RBSqe1TWk v+QWOBe9RixCS51JUHIp2QpiXqx26Q==
257 3 13 nI3RcsQkLx9DPcJfzV3NDqRkhRPmQcjvK+DD1g/6pvFPuwMTs2/iP2E+ 37NI0izi4SHxtfkF5w+xkw6OhWNbbw==
DNSKEY 13 1 86400 20220525131112 20220511114112 30639 test. KJ6JRYhA7cEk70rZ2uou4tgnoxzKgtp6FbeJfGReC0g0eV/xK8R4x2JF sCjKvZcj4cORqGLgoSONo546su9Nvg==
# dig @1.2.3.1 +dnssec +short dnskey .
257 3 13 IoJ9t7bCYyo6oquLl8PCcH4a3IbXgBpl7nWRZvcgwG00rNdwj2Um8f04 yxxNXIkXGiGZ0zgp8YWYI4siwHNa+A==
DNSKEY 13 0 300 20220525131112 20220511114112 29 . n/V+lgybm7N+2dLc3cHmYZkfkgm5D+4ZsX7p/mImJNYwQczfbZsbFzvV JgwYfcYHHxZq/RlHWSgjTgrEU8OwRQ==

With resolved:

# dig  +dnssec +short dnskey signed.test
257 3 13 rGzgvSaq2Q1cpAR34Fv0OpkSzNQOyIrQscXZTyO/sfe5bu4MLiF6mCNy gGacPO2iQ+/doQlL3+hrfeSES/yzbw==
256 3 13 pLtYuApAJhjlA5xedo32jDbaZq8+G/Oqy3nfnqtusvMQGLs29APklfaM u6v5ebX6KDWJHByoMr8FOXL10SHhQg==
DNSKEY 13 2 86400 20220525131112 20220511114112 65295 signed.test. +JIwgFoyd6fJGBVS0rYT9i1iaeTMK8p/d/h8mYlOrHq2Re9YqckwBX3q tGvUCUNd8dRnlk8TBfFDxD8pTeBmfw==
# dig  +dnssec +short dnskey test
257 3 13 nI3RcsQkLx9DPcJfzV3NDqRkhRPmQcjvK+DD1g/6pvFPuwMTs2/iP2E+ 37NI0izi4SHxtfkF5w+xkw6OhWNbbw==
256 3 13 Jx+3nXOTQhvtUMlqya7LT3gFfcmqzpP4luOkXmL30UMGLs1RBSqe1TWk v+QWOBe9RixCS51JUHIp2QpiXqx26Q==
DNSKEY 13 1 86400 20220525131112 20220511114112 30639 test. KJ6JRYhA7cEk70rZ2uou4tgnoxzKgtp6FbeJfGReC0g0eV/xK8R4x2JF sCjKvZcj4cORqGLgoSONo546su9Nvg==
# dig  +dnssec +short dnskey .
257 3 13 IoJ9t7bCYyo6oquLl8PCcH4a3IbXgBpl7nWRZvcgwG00rNdwj2Um8f04 yxxNXIkXGiGZ0zgp8YWYI4siwHNa+A==

@pemensik
Contributor

Do you test the DNSSEC=yes configuration on resolved? DNSSEC=no is known to strip all RRSIG records away.

@mrc0mmand
Member

Do you test the DNSSEC=yes configuration on resolved? DNSSEC=no is known to strip all RRSIG records away.

This is with DNSSEC=allow-downgrade, but it behaves the same with DNSSEC=on.

@yuwata
Member Author

yuwata commented May 12, 2022

Not sure, but maybe the issue is caused by the line here?
fc68927#diff-bf8fbc294d9f31f686c14aa3d88912ef57da42844fc9cb73d32caf68d52fcdafR52

# Create a trust anchor for resolved with our root zone
keymgr . dnskey | sed 's/ DNSKEY/ IN DNSKEY/g' >/etc/dnssec-trust-anchors.d/root.positive

You can easily confirm the original issue #22002 is fixed by this PR:

$ delv apps.fedoraproject.org
; fully validated
apps.fedoraproject.org.	59	IN	CNAME	wildcard.fedoraproject.org.
apps.fedoraproject.org.	59	IN	RRSIG	CNAME 14 3 300 20220609093624 20220510093624 60624 fedoraproject.org. e3MPdPrgJGJCjkNa7coUywV6oiSGIhBdCjUWIfazFKYRWyfXp23GbcjA fPE10cv4xJ6AA3rqKWDGVfvbv9qePm1xjQKl/lliFfgoSxtNZdHRFcoX sXMhNKfWxpSUorx+
wildcard.fedoraproject.org. 19	IN	A	209.132.190.2
wildcard.fedoraproject.org. 19	IN	A	67.219.144.68
wildcard.fedoraproject.org. 19	IN	A	8.43.85.73
wildcard.fedoraproject.org. 19	IN	A	140.211.169.196
wildcard.fedoraproject.org. 19	IN	A	140.211.169.206
wildcard.fedoraproject.org. 19	IN	A	38.145.60.20
wildcard.fedoraproject.org. 19	IN	A	38.145.60.21
wildcard.fedoraproject.org. 19	IN	A	152.19.134.198
wildcard.fedoraproject.org. 19	IN	A	8.43.85.67
wildcard.fedoraproject.org. 19	IN	A	152.19.134.142
wildcard.fedoraproject.org. 19	IN	RRSIG	A 14 3 60 20220609093624 20220510093624 60624 fedoraproject.org. GcNAsrujIXq+BCcTah0iD2uT0d7edDJLqN5HXPe1Pdtm0VLfrE+7wlEj Z8proejSFv5wAnmGdtRY5EXNVckaeoQ14jGDyYAAtGTB8cnN9x9BT53a MH/QKyVvpiWvd2IC
$ dig +dnssec apps.fedoraproject.org

; <<>> DiG 9.16.28-RH <<>> +dnssec apps.fedoraproject.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47136
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 65494
;; QUESTION SECTION:
;apps.fedoraproject.org.		IN	A

;; ANSWER SECTION:
apps.fedoraproject.org.	34	IN	CNAME	wildcard.fedoraproject.org.
apps.fedoraproject.org.	34	IN	RRSIG	CNAME 14 3 300 20220609093624 20220510093624 60624 fedoraproject.org. e3MPdPrgJGJCjkNa7coUywV6oiSGIhBdCjUWIfazFKYRWyfXp23GbcjA fPE10cv4xJ6AA3rqKWDGVfvbv9qePm1xjQKl/lliFfgoSxtNZdHRFcoX sXMhNKfWxpSUorx+
wildcard.fedoraproject.org. 34	IN	A	38.145.60.20
wildcard.fedoraproject.org. 34	IN	A	209.132.190.2
wildcard.fedoraproject.org. 34	IN	A	67.219.144.68
wildcard.fedoraproject.org. 34	IN	A	140.211.169.196
wildcard.fedoraproject.org. 34	IN	A	8.43.85.73
wildcard.fedoraproject.org. 34	IN	A	38.145.60.21
wildcard.fedoraproject.org. 34	IN	A	152.19.134.198
wildcard.fedoraproject.org. 34	IN	A	152.19.134.142
wildcard.fedoraproject.org. 34	IN	A	140.211.169.206
wildcard.fedoraproject.org. 34	IN	A	8.43.85.67
wildcard.fedoraproject.org. 34	IN	RRSIG	A 14 3 60 20220609093624 20220510093624 60624 fedoraproject.org. GcNAsrujIXq+BCcTah0iD2uT0d7edDJLqN5HXPe1Pdtm0VLfrE+7wlEj Z8proejSFv5wAnmGdtRY5EXNVckaeoQ14jGDyYAAtGTB8cnN9x9BT53a MH/QKyVvpiWvd2IC

;; Query time: 47 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Thu May 12 15:24:42 JST 2022
;; MSG SIZE  rcvd: 524

$ dig +dnssec DNSKEY .

; <<>> DiG 9.16.28-RH <<>> +dnssec DNSKEY .
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39067
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 65494
;; QUESTION SECTION:
;.				IN	DNSKEY

;; ANSWER SECTION:
.			1883	IN	DNSKEY	257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=
.			1883	IN	DNSKEY	256 3 8 AwEAAak/ZU9wDNQD7XTAGTDkn32UR8I6auRDekbGky+yyWKdUHmwAJv9 0YHCUTib8aVBgNgbxkeeZGRx3W4+XhMZbfUr5fMwmD3u9P2yzJpbRtjG NM/XZvzGs9HHNymz3Bp851anHZfNy6pJud265/XMKzFlAY8sMJjum0hv x/DuCDELLyhsvdfOD9rHM93UXO0bcAjvI8tjZsGI+Pfp9KdxF9vS/sAz pFXKsldix+e6xv8rRS6WPg2LAooxF+eO5DgFSilYmnyCK4VPJ7ntjD/8 m0bs128ZT1eY3oXCbojDv59lLAgrdGSbcVxQF2KHoUHDmkOC5BzG/1xR tW4v/3y4/H8=
.			1883	IN	RRSIG	DNSKEY 8 0 172800 20220601000000 20220511000000 20326 . PkWuz6E+VDmH80HQbpO7cChnMFj9YYs8wS5FP/HOcNBodxhvzpR/9mC5 8GJIpX+w8gZ/O6GyzgeRFCXWm1+LSBOAmRih7B9xBLiyfieHnz3Knwe8 hMW8kDjnJmMjO7SV2rX4kus4dGqRFwkdUgjuraGeRIqhXLUpXb7AVaMO oM08XvykBcuyB7pTrVb9MeFVPLhXjYHghf1NKXaKcUzLkWG3LCA6crWi ePRVpPG4xbYAvjWEt6SV6PwpWWctYORuErx6R5IQ0XSNSP4jK2XmR0J9 mUYMCxa0YOa1Rk2oaFWsU0FQ7fHhdndW8y2+Ol+tF6xWAsgEGXCYWqjL sXAPIg==

;; Query time: 6 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Thu May 12 15:25:14 JST 2022
;; MSG SIZE  rcvd: 864
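As an added example (not part of this PR or of systemd's own code), the following Python script checks the invariant this PR establishes, and the one mrc0mmand's comparison above was missing, against the ANSWER SECTION of a dig or delv run: every RRSIG must appear after the RRset it covers (same owner, covered type), and in a +dnssec answer every other RRset should carry an RRSIG. The two inputs are constructed samples in the layout of the dig output quoted in this thread, with the base64 signature data shortened; the script assumes the full presentation format (owner, TTL, class, type, rdata), so `dig +short` output as in the earlier comment cannot be fed to it directly.

```python
"""Audit the ANSWER SECTION of a dig/delv run for RRSIG placement and coverage."""
from collections import namedtuple
from typing import List

RR = namedtuple("RR", "owner ttl rtype rdata")

# Constructed sample in the layout of the fixed dig output quoted above
# (signature data shortened): every RRSIG follows the RRset it covers.
SAMPLE_OK = """\
;; ANSWER SECTION:
apps.fedoraproject.org.\t34\tIN\tCNAME\twildcard.fedoraproject.org.
apps.fedoraproject.org.\t34\tIN\tRRSIG\tCNAME 14 3 300 20220609093624 20220510093624 60624 fedoraproject.org. e3MP...
wildcard.fedoraproject.org. 34\tIN\tA\t38.145.60.20
wildcard.fedoraproject.org. 34\tIN\tA\t209.132.190.2
wildcard.fedoraproject.org. 34\tIN\tRRSIG\tA 14 3 60 20220609093624 20220510093624 60624 fedoraproject.org. GcNA...
"""

# Constructed sample with two defects: the root DNSKEY RRSIG is emitted before
# the DNSKEY records it covers, and the signed.test. A RRset has no RRSIG at all.
SAMPLE_BAD = """\
.\t1883\tIN\tRRSIG\tDNSKEY 8 0 172800 20220601000000 20220511000000 20326 . PkWu...
.\t1883\tIN\tDNSKEY\t257 3 8 AwEAAaz...
.\t1883\tIN\tDNSKEY\t256 3 8 AwEAAak...
signed.test.\t86400\tIN\tA\t1.2.3.10
"""


def parse_answer(text: str) -> List[RR]:
    """Parse presentation-format RR lines (owner TTL class type rdata...).

    ';;' comment lines are skipped and a leading ';' as printed by
    'delv +mtrace' is stripped. For multi-line records only the first line
    is used; it carries the owner, type and (for RRSIG) the covered type,
    which is all the checks below need.
    """
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";;"):
            continue
        fields = line.lstrip(";").split()
        if len(fields) < 5 or fields[2] != "IN":
            continue  # header, question or continuation line, not an RR
        owner, ttl, _cls, rtype, *rdata = fields
        records.append(RR(owner, int(ttl), rtype, tuple(rdata)))
    return records


def check_rrsig_placement(records: List[RR]) -> List[str]:
    """Every RRSIG must come after all records of the RRset it covers."""
    issues = []
    for i, rr in enumerate(records):
        if rr.rtype != "RRSIG":
            continue
        covered = rr.rdata[0]  # first RRSIG rdata field is the covered type
        positions = [j for j, other in enumerate(records)
                     if other.owner == rr.owner and other.rtype == covered]
        if not positions:
            issues.append(f"RRSIG at #{i} covers {rr.owner}/{covered} "
                          "but no such record is present")
        elif max(positions) > i:
            issues.append(f"RRSIG at #{i} for {rr.owner}/{covered} precedes "
                          f"the covered record at #{max(positions)}")
    return issues


def check_signed(records: List[RR]) -> List[str]:
    """Every non-RRSIG RRset in a +dnssec answer should carry an RRSIG."""
    signed = {(rr.owner, rr.rdata[0]) for rr in records if rr.rtype == "RRSIG"}
    rrsets = {(rr.owner, rr.rtype) for rr in records if rr.rtype != "RRSIG"}
    return [f"{owner}/{rtype} has no RRSIG" for owner, rtype in sorted(rrsets - signed)]


def audit(text: str) -> List[str]:
    """Run both checks over one answer section; an empty list means clean."""
    records = parse_answer(text)
    return check_rrsig_placement(records) + check_signed(records)


if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, audit(sample) or "clean")
```

Running it against the output of `dig +dnssec <name>` sent to 127.0.0.53 is a quick regression check for this fix: the "bad" sample reproduces both the out-of-order RRSIG and the signed RRset returned without its signature, which are the two shapes a validating stub such as delv rejects with "broken trust chain".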

Member

@keszybz keszybz left a comment


LGTM.

Comment on lines +172 to +174
dns_resource_record_ref(rr);
dns_resource_record_unref(exist->rr);
exist->rr = dns_resource_record_ref(rr); /* lgtm [cpp/inconsistent-null-check] */
exist->rr = rr;
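Review bot: the ref-before-unref order here (`dns_resource_record_ref(rr);` ahead of `dns_resource_record_unref(exist->rr);`) is what prevents the use-after-free the commit message describes when `exist->rr` and `rr` are the same object, but nothing in the code says so; a one-line comment at the `ref` call would keep a later cleanup from collapsing it back into unref-then-assign.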
Member


This reminds me of the helper I added in json.c to ref-and-replace-and-unref. We should add a similar one here, but let's do that later.

Comment on lines +63 to +66
if (n > UINT16_MAX - m)
n = UINT16_MAX;
else
n += m;
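Review bot: the clamp `if (n > UINT16_MAX - m)` only works while `m` itself cannot exceed UINT16_MAX; the visible lines do not show the type of `m`, and if it is a wider unsigned value the subtraction wraps and the saturation is skipped. If the saturate_add helper suggested below is added later, giving it explicit uint16_t parameters (or asserting the bound on `m`) would make that precondition part of the interface.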
Member


We should add a helper for this, something like saturate_add, but this can be done later.

@keszybz keszybz merged commit cd0cade into systemd:main May 12, 2022
@Tachi107
Contributor

Thanks! Will this be part of v251?

@bluca
Member

bluca commented May 12, 2022

yes

@yuwata yuwata deleted the resolve-answer-add-rrsig branch May 12, 2022 16:01
@Tachi107
Contributor

Uhm, it seems that this hasn't fixed the issue after all... Or is it still broken just for me?

$ resolvectl --version                                
systemd 251 (251.2-5)
+PAM +AUDIT +SELINUX +APPARMOR +IMA +SMACK +SECCOMP +GCRYPT -GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY -P11KIT -QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -BPF_FRAMEWORK -XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified
$ resolvectl status                                   
Global
         Protocols: +LLMNR +mDNS +DNSOverTLS DNSSEC=yes/supported
  resolv.conf mode: stub
Current DNS Server: 9.9.9.9#dns.quad9.net
       DNS Servers: 9.9.9.9#dns.quad9.net

Link 2 (enp7s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: +DefaultRoute +LLMNR +mDNS +DNSOverTLS DNSSEC=yes/supported
Current DNS Server: 192.168.178.1
       DNS Servers: 192.168.178.1

Link 3 (virbr0)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=yes/supported
$ resolvectl flush-caches
$ delv +mtrace +vtrace apps.fedoraproject.org         
;; fetch: apps.fedoraproject.org/A
;; received packet from 127.0.0.53#53
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  36375
;; flags: qr rd ra ad; QUESTION: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 65494
;; QUESTION SECTION:
;apps.fedoraproject.org.		IN	A

;; ANSWER SECTION:
;apps.fedoraproject.org.	164	IN	CNAME	wildcard.fedoraproject.org.
;apps.fedoraproject.org.	164	IN	RRSIG	CNAME 14 3 300 (
;						20220714213743 20220614213743 60624 fedoraproject.org.
;						zNLhPUHc58db7IjP6Lg4gx5ZJqCV
;						5bb9hKrU1zYHlMScHOboEBDJhLkd
;						rndKelQMhGpyCepyy9ZeuQWCSdES
;						L5ZBjJ3QnDtOnleBHKhAML4yfAlm
;						PDSBHR8Rqhk2LIxC )
;wildcard.fedoraproject.org. 11	IN	A	18.159.254.57
;wildcard.fedoraproject.org. 11	IN	A	209.132.190.2
;wildcard.fedoraproject.org. 11	IN	A	152.19.134.142
;wildcard.fedoraproject.org. 11	IN	A	185.141.165.254
;wildcard.fedoraproject.org. 11	IN	A	38.145.60.20
;wildcard.fedoraproject.org. 11	IN	A	38.145.60.21
;wildcard.fedoraproject.org. 11	IN	A	152.19.134.198
;wildcard.fedoraproject.org. 11	IN	A	18.133.140.134
;wildcard.fedoraproject.org. 11	IN	A	85.236.55.6
;wildcard.fedoraproject.org. 11	IN	A	18.192.40.85
;wildcard.fedoraproject.org. 11	IN	RRSIG	A 14 3 60 (
;						20220714213743 20220614213743 60624 fedoraproject.org.
;						LCANAH3B8ivNHzTk5Na4tT0h7FLW
;						3ZBmJhUa2lARg68nRvo1qvCGq4iD
;						q2t37zwqQiQtjR4VZj26db96nLgR
;						rC17DwdABmuysRxgRlCRjZ79H2d0
;						mQc+B9OzvyWm2lb5 )


;; validating apps.fedoraproject.org/CNAME: starting
;; validating apps.fedoraproject.org/CNAME: attempting positive response validation
;; fetch: fedoraproject.org/DNSKEY
;; received packet from 127.0.0.53#53
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  42745
;; flags: qr rd ra ad; QUESTION: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 65494
;; QUESTION SECTION:
;fedoraproject.org.		IN	DNSKEY

;; ANSWER SECTION:
;fedoraproject.org.	34	IN	DNSKEY	257 3 14 (
;						7ttmhus8JD56ybsvMVZVsXa3U2R+
;						2+WmOPIP7BU6t2LicosMZ2Ju3pfv
;						ijsa5LvBvVCB4xVtLSqEdLSvW4vJ
;						PLSAB2uyJwHPJMezh0SzGmVCImLU
;						6qDxsxjHqtZ76/Sf
;						) ; KSK; alg = ECDSAP384SHA384 ; key id = 58125
;fedoraproject.org.	34	IN	DNSKEY	256 3 14 (
;						04ZsDOgyzs3kJsJ4jEY3MYufkCOW
;						m1OI8N4M+dlBOBmweln0TSaKfafH
;						zNCkaPiVG4bdgdnrzwxmjpK5GQgs
;						iB47np+I8850Ea3EJG5ORDl3f//l
;						rr92HiYh5DxCNhkG
;						) ; ZSK; alg = ECDSAP384SHA384 ; key id = 60624
;fedoraproject.org.	34	IN	RRSIG	DNSKEY 14 2 300 (
;						20220714213743 20220614213743 58125 fedoraproject.org.
;						cN04NlwlTztSaPJvTyg2uZ1f9tEw
;						Nuks+/ROevF/l7wW5x203yj03+ZC
;						TxHnMN38bZUUUvt9IiHr5+KBnBXf
;						sRs1GoKaiH5x4+UaqsFTjd+rVXVg
;						wvPMpNTuvbU9Nitz )


;; validating fedoraproject.org/DNSKEY: starting
;; validating fedoraproject.org/DNSKEY: attempting positive response validation
;; fetch: fedoraproject.org/DS
;; received packet from 127.0.0.53#53
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  26752
;; flags: qr rd ra ad; QUESTION: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 65494
;; QUESTION SECTION:
;fedoraproject.org.		IN	DS

;; ANSWER SECTION:
;fedoraproject.org.	2348	IN	DS	58125 14 2 (
;						FCC70DB7608C9837F060D6D92DF9
;						E53A22D1F830752B9E7038FC48EA
;						411DFF46 )
;fedoraproject.org.	2348	IN	RRSIG	DS 8 2 3600 (
;						20220630152826 20220609142826 41346 org.
;						LFIfRfTwS7eDBUw9CCIQoj1ObMz2
;						oOKT4Zc9NQqNZowzHhbyYPU0Ez1k
;						7q2S7kvdkHfXhPN4xM0rOF+9geXH
;						/tT7PsVHU9oVba73ay4BlykCOMSe
;						BScmvXRUbUsj5Y/htJNZ47QKpJ4i
;						DhcJZpydkiHQSnqhaWg9mkse1DUo
;						tnY= )


;; validating fedoraproject.org/DS: starting
;; validating fedoraproject.org/DS: attempting positive response validation
;; fetch: org/DNSKEY
;; received packet from 127.0.0.53#53
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id:  34962
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;org.				IN	DNSKEY


;; validating fedoraproject.org/DS: in fetch_callback_dnskey
;; validating fedoraproject.org/DS: fetch_callback_dnskey: got SERVFAIL
;; broken trust chain resolving 'fedoraproject.org/DS/IN': 127.0.0.53#53
;; validating fedoraproject.org/DNSKEY: in fetch_callback_ds
;; validating fedoraproject.org/DNSKEY: fetch_callback_ds: got broken trust chain
;; broken trust chain resolving 'fedoraproject.org/DNSKEY/IN': 127.0.0.53#53
;; validating apps.fedoraproject.org/CNAME: in fetch_callback_dnskey
;; validating apps.fedoraproject.org/CNAME: fetch_callback_dnskey: got broken trust chain
;; broken trust chain resolving 'apps.fedoraproject.org/A/IN': 127.0.0.53#53
;; resolution failed: broken trust chain
$ resolvectl flush-caches                    
$ delv @9.9.9.9 apps.fedoraproject.org        
; fully validated
apps.fedoraproject.org.	300	IN	CNAME	wildcard.fedoraproject.org.
apps.fedoraproject.org.	300	IN	RRSIG	CNAME 14 3 300 20220714213743 20220614213743 60624 fedoraproject.org. zNLhPUHc58db7IjP6Lg4gx5ZJqCV5bb9hKrU1zYHlMScHOboEBDJhLkd rndKelQMhGpyCepyy9ZeuQWCSdESL5ZBjJ3QnDtOnleBHKhAML4yfAlm PDSBHR8Rqhk2LIxC
wildcard.fedoraproject.org. 60	IN	A	18.133.140.134
wildcard.fedoraproject.org. 60	IN	A	18.159.254.57
wildcard.fedoraproject.org. 60	IN	A	18.192.40.85
wildcard.fedoraproject.org. 60	IN	A	38.145.60.20
wildcard.fedoraproject.org. 60	IN	A	38.145.60.21
wildcard.fedoraproject.org. 60	IN	A	85.236.55.6
wildcard.fedoraproject.org. 60	IN	A	152.19.134.142
wildcard.fedoraproject.org. 60	IN	A	152.19.134.198
wildcard.fedoraproject.org. 60	IN	A	185.141.165.254
wildcard.fedoraproject.org. 60	IN	A	209.132.190.2
wildcard.fedoraproject.org. 60	IN	RRSIG	A 14 3 60 20220714213743 20220614213743 60624 fedoraproject.org. LCANAH3B8ivNHzTk5Na4tT0h7FLW3ZBmJhUa2lARg68nRvo1qvCGq4iD q2t37zwqQiQtjR4VZj26db96nLgRrC17DwdABmuysRxgRlCRjZ79H2d0 mQc+B9OzvyWm2lb5

Successfully merging this pull request may close these issues.

resolved: DNSSEC stub validation broken (again)

6 participants