DNSCrypt / dnscrypt-proxy

dnscrypt-proxy 2 - A flexible DNS proxy, with support for encrypted DNS protocols.
https://dnscrypt.info
ISC License

DNSSEC Issues #167

Closed nin9s closed 6 years ago

nin9s commented 6 years ago

Hi there,

is there any known bug concerning dnscrypt-proxy 2.0.2 in combination with Pi-hole and DNSSEC? In 90% of the requests going out there is a valid response, but sometimes I'm getting "SERVFAIL" or "BADCONFIG". In that case I have to refresh/resend the query and it will successfully resolve eventually.

Why is it failing for a domain and not failing if I retry to resolve the domain?

Thanks for pointing me in the right direction.

jedisct1 commented 6 years ago

Make sure that you chose servers that do support DNSSEC :)

There is also a require_dnssec filter to enforce this.

nin9s commented 6 years ago

thanks @jedisct1, I had already forced DNSSEC servers. If I check it here: https://dnssec.vs.uni-due.de/ it seems to work properly. Anyway, there are domains from time to time which are not resolvable the first time, so the clients initially get a timeout ...

jedisct1 commented 6 years ago

The proxy itself never synthesizes SERVFAIL responses. It returns whatever it got from upstream resolvers. So if you get a response, even with a SERVFAIL code, it means that the proxy worked :)

Try to identify what resolvers are unreliable, maybe we can tell whoever operates them about this.

nin9s commented 6 years ago

one example where I had problems is d0wn-fr-ns1 with dnssec enabled. Do you use dnssec in general? Is there a known working server which I can try?

To be absolutely sure: Am I correct that I don't have to enable DNSSEC on the Pi-hole (dnsmasq) itself?!

jedisct1 commented 6 years ago

Yes, just noticed that quite a few d0wn servers seem to exhibit this behavior. They have been temporarily removed from my lists.

dnscrypt-proxy itself has no problems with DNSSEC.

I don't use Pi-hole, but I remember messages about its dnsmasq version being too old to work properly with dnssec.

Anyway, try any other servers, not the d0wn ones :)

jedisct1 commented 6 years ago

To prevent this from happening again, this change https://github.com/jedisct1/dnscrypt-proxy/commit/4ec5461b2f78c35dbe4fa339000be3794ee6e3ac will also stop sending queries to servers that respond quickly, but respond with SERVFAIL.

nin9s commented 6 years ago

> I don't use Pi-hole, but I remember messages about its dnsmasq version being too old to work properly with dnssec.

My question was more in the context of the actual logic. As far as I understand we don't need DNSSEC-validated responses from dnscrypt-proxy (127.0.0.2) to Pi-hole's dnsmasq (127.0.0.1) - is that correct?

Thanks for reacting so quickly @jedisct1

jedisct1 commented 6 years ago

If you are running your own resolver, it would be useless. If you are using public resolvers, having dnsmasq validate DNSSEC signatures locally is not necessary, but wouldn't be a bad thing.

nin9s commented 6 years ago

dnsmasq and dnscrypt-proxy in my case are both only forwarders. They forward everything except the internal zone to public resolvers. So my assumption was that the DNSSEC validation only needs to be present between dnscrypt-proxy and the actual public resolver, but not between the local dnsmasq and the local dnscrypt-proxy.

jedisct1 commented 6 years ago

dnscrypt-proxy doesn't validate dnssec signatures yet :)

nin9s commented 6 years ago

It doesn't? So how is it working then? https://dnssec.vs.uni-due.de/ tells me "Yes, your DNS resolver validates DNSSEC signatures." even if I don't enable DNSSEC on Pi-hole/dnsmasq. If dnscrypt isn't verifying the sigs, who is?

jedisct1 commented 6 years ago

The server you are connected to.
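The two points the maintainer makes above (the proxy hands upstream SERVFAILs through unchanged, and the "validates DNSSEC" result the test site reports comes from the upstream resolver, not from dnscrypt-proxy) can both be observed in the DNS header. The following Python is an added example, not code from dnscrypt-proxy or from anyone in this thread: it builds a query with the EDNS0 DO bit set, parses a response header to tell a validated answer (AD bit set by the upstream) from an unvalidated one and from an upstream SERVFAIL, and applies the same idea as the commit referenced earlier in the thread by scoring upstreams on how often they answer SERVFAIL. The responses and the server names are constructed, and the 20% threshold and the function names are my assumptions, not dnscrypt-proxy's.

```python
import struct

# Header bits from RFC 1035, the AD/CD bits from RFC 4035, the DO bit from RFC 6891.
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020   # Authenticated Data: the responder validated the answer itself
FLAG_CD = 0x0010   # Checking Disabled: asks the responder not to validate
EDNS_DO = 0x8000   # DNSSEC OK, carried in the OPT RR flags, not in the header
RCODE_NOERROR = 0
RCODE_SERVFAIL = 2
TYPE_A = 1
TYPE_OPT = 41
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    name = name.rstrip(".")
    if not name:
        return b"\x00"
    labels = [bytes([len(l)]) + l.encode("ascii") for l in name.split(".")]
    return b"".join(labels) + b"\x00"


def build_query(txid: int, qname: str, qtype: int = TYPE_A, dnssec_ok: bool = True) -> bytes:
    """Recursive query; with dnssec_ok an OPT RR with the DO bit is appended (ARCOUNT=1)."""
    arcount = 1 if dnssec_ok else 0
    header = struct.pack(">HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack(">HH", qtype, CLASS_IN)
    opt = b""
    if dnssec_ok:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode|version|flags, RDLENGTH=0
        opt = b"\x00" + struct.pack(">HHBBHH", TYPE_OPT, 4096, 0, 0, EDNS_DO, 0)
    return header + question + opt


def build_response(txid: int, qname: str, rcode: int, ad: bool) -> bytes:
    """Constructed upstream reply with no answer records; only the header flags matter here."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | rcode | (FLAG_AD if ad else 0)
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack(">HH", TYPE_A, CLASS_IN)


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into its fields."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def classify(msg: bytes) -> str:
    """'validated' (NOERROR+AD), 'unvalidated' (NOERROR, no AD), 'servfail', 'error' or 'not-a-response'."""
    h = parse_header(msg)
    if not h["qr"]:
        return "not-a-response"
    if h["rcode"] == RCODE_SERVFAIL:
        return "servfail"
    if h["rcode"] != RCODE_NOERROR:
        return "error"
    return "validated" if h["ad"] else "unvalidated"


def unreliable_upstreams(observed: dict, max_servfail_ratio: float = 0.2) -> list:
    """Names of upstreams whose share of SERVFAIL replies exceeds the (assumed) threshold.

    observed maps an upstream name to the raw replies it returned. A server that answers
    fast but with SERVFAIL would otherwise look healthy to a latency-only selection."""
    bad = []
    for server, replies in observed.items():
        if not replies:
            continue
        servfails = sum(1 for r in replies if classify(r) == "servfail")
        if servfails / len(replies) > max_servfail_ratio:
            bad.append(server)
    return sorted(bad)


if __name__ == "__main__":
    # Constructed traffic: a query from the proxy and three possible upstream replies.
    q = build_query(0x1234, "example.com.")
    print("query ARCOUNT (1 = OPT present):", parse_header(q)["arcount"])
    for label, ad, rcode in (("validating upstream", True, RCODE_NOERROR),
                              ("non-validating upstream", False, RCODE_NOERROR),
                              ("failing upstream", False, RCODE_SERVFAIL)):
        print(label, "->", classify(build_response(0x1234, "example.com.", rcode, ad)))
```

Reading the AD bit only tells you that the resolver you are talking to claims to have validated; it is trustworthy exactly as far as the path to that resolver is, which is why the encrypted session matters. With trusted public resolvers a local validator such as dnsmasq in DNSSEC mode is optional; with resolvers you do not trust, it is the only validation you actually get. Note also that `require_dnssec = true` in dnscrypt-proxy.toml restricts server selection to resolvers that advertise DNSSEC support; it does not make the proxy validate signatures itself.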