Open wildnothing opened 2 years ago
I think I need a domain where this can be reduced.
SRV: _bsvalias._tcp.relica.world (points to user.relica.world)
SRV: _bsvalias._tcp.dev.relica.world (points to user.dev.relica.world)
Both relica.world and dev.relica.world have DNSSEC switched on.
Works here
~/repos/minidns $ ./repl
Compiling and computing classpath (May take a while)
Classpath computed, starting REPL
Loading...
Compiling /home/flo/data/repos/minidns/minidns-repl/scala.repl
MiniDNS REPL
…
Set value 'dr' to DnssecResolverApi
flo-minidns@ dr.resolveSrv("_bsvalias._tcp.relica.world")
res0: hla.SrvResolverResult = org.minidns.hla.SrvResolverResult
Question: _bsvalias._tcp.relica.world. IN SRV
Response Code: NO_ERROR
Results verified via DNSSEC
[_bsvalias._tcp.relica.world. 3599 IN SRV 10 10 443 user.relica.world., _bsvalias._tcp.relica.world. 3599 IN RRSIG SRV ECDSAP256SHA256 4 3600 20220210154826 20220210124826 48205 relica.world. wve24Lj9zzAAZErf+WUVnYl6Es4MmHhyLKwAK8m4njAh8x9Uv3Y2XMaPMTUObYawEmgPkd7TzUD69SR/8ycwrw==]
If you need further support, then you may want to consider reaching out to me for professional support.
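Using the following Java code, result.isAuthenticData() is always false, though:
import org.minidns.dnsname.DnsName;
import org.minidns.hla.DnssecResolverApi;
import org.minidns.hla.SrvResolverResult;

SrvResolverResult result =
    DnssecResolverApi.INSTANCE.resolveSrv(DnsName.from(
        "_bsvalias._tcp.relica.world"
    ));
// always false
result.isAuthenticData();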
unverifiedReasons: No signatures were attached to answer on question for SRV at _bsvalias._tcp.relica.world
implementation 'org.minidns:minidns-hla:1.0.2'
Is there another way we should verify that DNSSEC is on programmatically?
We've enabled DNSSEC via Route 53 on two of our domains. One is the parent domain "parent.com", the other is a subdomain "child.parent.com".
isAuthenticData() fails for both of these domains because both SRV records point to "service.parent.com" and "service.child.parent.com" respectively.
Online DNSSEC tests validate both of the service domains, but minidns does not seem to.
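The field-level checks a validating resolver applies to an RRSIG before it can report an answer as authentic (RFC 4035 section 5.3.1), run over the RRSIG quoted in the REPL output above. This is an added example, not code from the thread or from MiniDNS; the function names are made up here. It inspects only the record's fields and does not verify the signature cryptographically or walk the DNSKEY chain.

```python
import base64
from datetime import datetime, timezone

# RRSIG copied from the REPL output quoted in this thread (RFC 4034 presentation format).
RRSIG_LINE = (
    "_bsvalias._tcp.relica.world. 3599 IN RRSIG SRV ECDSAP256SHA256 4 3600 "
    "20220210154826 20220210124826 48205 relica.world. "
    "wve24Lj9zzAAZErf+WUVnYl6Es4MmHhyLKwAK8m4njAh8x9Uv3Y2XMaPMTUObYawEmgPkd7TzUD69SR/8ycwrw=="
)

def ts(value):
    """Parse an RRSIG YYYYMMDDHHmmSS timestamp (always UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line):
    """Split one RRSIG presentation-format line into named fields (hypothetical helper)."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record in presentation format")
    return {
        "owner": f[0].lower(), "type_covered": f[4], "algorithm": f[5],
        "labels": int(f[6]), "original_ttl": int(f[7]),
        "expiration": ts(f[8]), "inception": ts(f[9]),  # expiration is listed first
        "key_tag": int(f[10]), "signer": f[11].lower(),
        "signature": base64.b64decode("".join(f[12:])),
    }

def check_rrsig(sig, qname, qtype, now):
    """Return the reasons this RRSIG cannot cover (qname, qtype) at time `now`."""
    owner = qname.lower().rstrip(".") + "."
    problems = []
    if sig["owner"] != owner:
        problems.append("owner name mismatch")
    if sig["type_covered"] != qtype:
        problems.append("signature covers %s, not %s" % (sig["type_covered"], qtype))
    if not sig["inception"] <= now <= sig["expiration"]:
        problems.append("outside validity window")
    if owner != sig["signer"] and not owner.endswith("." + sig["signer"]):
        problems.append("signer is not the owner's zone or an ancestor")
    if sig["labels"] > len(owner.rstrip(".").split(".")):
        problems.append("labels field exceeds owner name")
    if sig["algorithm"] == "ECDSAP256SHA256" and len(sig["signature"]) != 64:
        problems.append("ECDSA P-256 signature must be 64 bytes")
    return problems

if __name__ == "__main__":
    sig = parse_rrsig(RRSIG_LINE)
    print("validity window:", sig["expiration"] - sig["inception"])
    print(check_rrsig(sig, "_bsvalias._tcp.relica.world", "SRV", ts("20220210130000")))
    print(check_rrsig(sig, "_bsvalias._tcp.relica.world", "SRV", ts("20220211130000")))
```

The quoted signature is valid for only three hours, so a check made with a skewed clock or against a stale cached answer lands outside the window even though the zone is signed correctly.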