MiniDNS / minidns

DNS library for Android and Java SE

DNSSEC is enabled on our domains but result.isAuthenticData() always returns false #126

Open wildnothing opened 2 years ago

wildnothing commented 2 years ago

We've enabled DNSSEC via Route 53 on two of our domains. One is the parent domain "parent.com", the other is a subdomain "child.parent.com".

isAuthenticData() fails for both of these domains because both SRV records point to "service.parent.com" and "service.child.parent.com" respectively.

Online DNSSEC tests validate both of the service domains but minidns does not seem to.

Flowdalic commented 2 years ago

I think I need a domain where this can be reduced.

wildnothing commented 2 years ago

> I think I need a domain where this can be reduced.

SRV: _bsvalias._tcp.relica.world (points to user.relica.world)
SRV: _bsvalias._tcp.dev.relica.world (points to user.dev.relica.world)

Both relica.world and dev.relica.world have DNSSEC switched on.

Flowdalic commented 2 years ago

Works here

```
~/repos/minidns $ ./repl
Compiling and computing classpath (May take a while)
Classpath computed, starting REPL
Loading...
Compiling /home/flo/data/repos/minidns/minidns-repl/scala.repl
MiniDNS REPL
…
Set value 'dr' to DnssecResolverApi
flo-minidns@ dr.resolveSrv("_bsvalias._tcp.relica.world")
res0: hla.SrvResolverResult = org.minidns.hla.SrvResolverResult
Question: _bsvalias._tcp.relica.world.  IN  SRV
Response Code: NO_ERROR
Results verified via DNSSEC
[_bsvalias._tcp.relica.world.   3599    IN  SRV 10 10 443 user.relica.world., _bsvalias._tcp.relica.world.  3599    IN  RRSIG   SRV ECDSAP256SHA256 4 3600 20220210154826 20220210124826 48205 relica.world. wve24Lj9zzAAZErf+WUVnYl6Es4MmHhyLKwAK8m4njAh8x9Uv3Y2XMaPMTUObYawEmgPkd7TzUD69SR/8ycwrw==]
```

If you need further support, then you may want to consider reaching out to me for professional support.

wildnothing commented 2 years ago

> Works here
>
> ```
> ~/repos/minidns $ ./repl
> Compiling and computing classpath (May take a while)
> Classpath computed, starting REPL
> Loading...
> Compiling /home/flo/data/repos/minidns/minidns-repl/scala.repl
> MiniDNS REPL
> …
> Set value 'dr' to DnssecResolverApi
> flo-minidns@ dr.resolveSrv("_bsvalias._tcp.relica.world")
> res0: hla.SrvResolverResult = org.minidns.hla.SrvResolverResult
> Question: _bsvalias._tcp.relica.world.    IN  SRV
> Response Code: NO_ERROR
> Results verified via DNSSEC
> [_bsvalias._tcp.relica.world. 3599    IN  SRV 10 10 443 user.relica.world., _bsvalias._tcp.relica.world.  3599    IN  RRSIG   SRV ECDSAP256SHA256 4 3600 20220210154826 20220210124826 48205 relica.world. wve24Lj9zzAAZErf+WUVnYl6Es4MmHhyLKwAK8m4njAh8x9Uv3Y2XMaPMTUObYawEmgPkd7TzUD69SR/8ycwrw==]
> ```
>
> If you need further support, then you may want to consider reaching out to me for professional support.

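Using the following Java code, result.isAuthenticData() is always false though:

```java
import org.minidns.dnsname.DnsName;
import org.minidns.hla.DnssecResolverApi;
import org.minidns.hla.SrvResolverResult;

SrvResolverResult result =
        DnssecResolverApi.INSTANCE.resolveSrv(DnsName.from(
                "_bsvalias._tcp.relica.world"
        ));

// always false
boolean authentic = result.isAuthenticData();
```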

unverifiedReasons: No signatures were attached to answer on question for SRV at _bsvalias._tcp.relica.world

implementation 'org.minidns:minidns-hla:1.0.2'

Is there another way we should verify that DNSSEC is on programmatically?
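One way to fail closed on an unauthenticated SRV answer and surface the `unverifiedReasons` quoted above, as an added example that is not part of the issue thread or the MiniDNS project's own code. It assumes the `minidns-hla` 1.0.x API and a reachable resolver; the class name `SrvDnssecCheck` and the method `resolveAuthenticated` are hypothetical.

```java
import java.io.IOException;
import java.util.Set;

import org.minidns.dnsname.DnsName;
import org.minidns.dnssec.DnssecUnverifiedReason;
import org.minidns.hla.DnssecResolverApi;
import org.minidns.hla.SrvResolverResult;
import org.minidns.record.SRV;

// Hypothetical helper class, not part of MiniDNS.
public class SrvDnssecCheck {

    /** Returns the SRV records only if the answer validated via DNSSEC; throws otherwise. */
    static Set<SRV> resolveAuthenticated(String srvName) throws IOException {
        SrvResolverResult result =
                DnssecResolverApi.INSTANCE.resolveSrv(DnsName.from(srvName));

        // Check the response code first, so that a failed lookup is reported
        // as a lookup failure rather than as a DNSSEC failure.
        if (!result.wasSuccessful()) {
            throw new IOException("Lookup failed: " + result.getResponseCode());
        }

        // Fail closed: never hand unauthenticated SRV targets to the caller.
        if (!result.isAuthenticData()) {
            StringBuilder why = new StringBuilder();
            for (DnssecUnverifiedReason reason : result.getUnverifiedReasons()) {
                why.append("\n  - ").append(reason.getReasonString());
            }
            throw new IOException("DNSSEC validation failed for " + srvName + why);
        }
        return result.getAnswers();
    }

    public static void main(String[] args) throws IOException {
        // Name taken from the issue thread.
        for (SRV srv : resolveAuthenticated("_bsvalias._tcp.relica.world")) {
            System.out.println(srv.target + ":" + srv.port + " (priority " + srv.priority + ")");
        }
    }
}
```

Logging every entry of `getUnverifiedReasons()` alongside the queried name shows whether a failure is specific to one record or affects every lookup made from that environment.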