Closed M66B closed 3 months ago
Can confirm (hey Marcel).
You can test the DS with my domain, ksol.io: https://dnsviz.net/d/mail.ksol.io/dnssec/
Should be an easy fix. Does anyone want to prepare a PR? Otherwise, I'll give it a shot, although I can not tell when I'll find the spare time to do it.
@Flowdalic I can do a pull request, but to prevent us from working around another problem, can you confirm that this is correct:
ds.digestType = SHA-384
The constant is defined here: https://github.com/MiniDNS/minidns/blob/master/minidns-core/src/main/java/org/minidns/constants/DnssecConstants.java#L80
Also SHA-384 is Optional, not Mandatory: https://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml
So if not supported by the platform AlgorithmMap.java should log an error, not throw an exception.
@Flowdalic I can do a pull request, but to prevent us from working around another problem, can you confirm that this is correct:
ds.digestType = SHA-384
I am not sure if I understand the question. In any case, I think it should be more like ds.digestType = DigestType.SHA384.
So if not supported by the platform AlgorithmMap.java should log an error, not throw an exception.
That's almost right: It should log a message with a log level of FINE, not log an error. Since the digest algorithm is only optional, not mandatory, nothing should break and therefore there is no reason to alarm the user with an error message.
@Flowdalic the question was more whether SHA-384 is correct or whether it must be ECDSAP384SHA384.
You can test the DS with my domain, ksol.io: https://dnsviz.net/d/mail.ksol.io/dnssec/
This works now, see the following output of a MiniDNS REPL session. But please note that you should set up DNSSEC on your domain so that it can also be resolved when only the mandatory algorithms are supported.
$ run-with-java 11 ./repl
Set Java to openjdk-11
JAVA_HOME=/usr/lib/jvm/openjdk-11
PATH=/usr/lib/jvm/openjdk-11/bin:/usr/lib/pkgcore/shell/bin:/home/flo/.local/share/coursier/bin:/home/flo/go/bin:/home/flo/.local/bin:/home/flo/bin/:/usr/local/sbin:/usr/local/bin:/usr/bin:/opt/bin:/usr/lib/llvm/18/bin:/usr/lib/llvm/17/bin:/usr/lib/llvm/16/bin:/etc/eselect/wine/bin:/home/flo/.config/shell/bin/gentoo/:/home/flo/.config/shell/bin_deps/adb/:/home/flo/.config/shell/bin_deps/bitcoin-qt/:/home/flo/.config/shell/bin_deps/git/:/home/flo/.config/shell/bin_deps/gpg/
Executing ./repl
Compiling and computing classpath (May take a while)
Classpath computed, starting REPL
Loading...
MiniDNS REPL
Set value 'c' to DNSClient
Set value 'ic' to IterativeDnsClient
Set value 'dc' to DnssecClient
Set value 'r' to ResolverApi
Set value 'dr' to DnssecResolverApi
Enjoy MiniDNS. Go ahead and try a query. For example:
c query ("geekplace.eu", TYPE.A)
dr resolveDnssecReliable ("verteiltesysteme.net", classOf[A])
NOTE: You can enable debug log output by calling 'debugLog'
Welcome to the Ammonite Repl 1.1.2
(Scala 2.12.4 Java 11.0.23)
If you like Ammonite, please support our development at www.patreon.com/lihaoyi
@ debugLog
@ dc queryDnssec ("ksol.io", TYPE.A)
Jun 19, 2024 10:45:01 AM org.minidns.DnsClient findDNS
FINE: DnsServerLookupMechanism UnixUsingEtcResolvConf returned the following DNS servers: 127.0.0.53
Jun 19, 2024 10:45:01 AM org.minidns.AbstractDnsClient query
FINE: Asking /127.0.0.53 on 53 for ksol.io. IN A with:
DnsMessage(1579 QUERY NO_ERROR query[qr=0] rd cd)
[Q: ksol.io. IN A]
[X: EDNS: version: 0, flags: do; udp: 1024]
Jun 19, 2024 10:45:02 AM org.minidns.AbstractDnsClient query
FINE: Response from /127.0.0.53 on 53 for ksol.io. IN A:
DnsMessage(1579 QUERY NO_ERROR resp[qr=1] rd ra ad cd)
[Q: ksol.io. IN A]
[A: ksol.io. 3599 IN A 116.202.208.157]
[A: ksol.io. 3599 IN RRSIG A ECDSAP256SHA256 2 3600 20240628064105 20240614061034 29316 ksol.io. J6r55XWAt7D37zriDNAoC61Txlbr4uWN1yz7KaEbt0hzzOJ7z9VXu4rf2ddIpzNCl8rBvMdnAqa+P34phrsxEg==]
[X: EDNS: version: 0, flags: do; udp: 65494]
Jun 19, 2024 10:45:02 AM org.minidns.DnsClient findDNS
FINE: DnsServerLookupMechanism UnixUsingEtcResolvConf returned the following DNS servers: 127.0.0.53
Jun 19, 2024 10:45:02 AM org.minidns.AbstractDnsClient query
FINE: Asking /127.0.0.53 on 53 for ksol.io. IN DNSKEY with:
DnsMessage(45472 QUERY NO_ERROR query[qr=0] rd cd)
[Q: ksol.io. IN DNSKEY]
[X: EDNS: version: 0, flags: do; udp: 1024]
Jun 19, 2024 10:45:02 AM org.minidns.AbstractDnsClient query
FINE: Response from /127.0.0.53 on 53 for ksol.io. IN DNSKEY:
DnsMessage(45472 QUERY NO_ERROR resp[qr=1] rd ra cd)
[Q: ksol.io. IN DNSKEY]
[A: ksol.io. 3599 IN DNSKEY 256 3 ECDSAP256SHA256 eZoCtc6bZum/ClU+MIeiGsmtDIioOm+1DmS4F+O6Us9iTq3/SfSkZnmkqsi11hKF95ArSr4ohDdAZgZF8sdgaw==]
[A: ksol.io. 3599 IN DNSKEY 257 3 ECDSAP256SHA256 JtLNH7rFA7y/B8vNGUZNZfKl5SWnMPC/5Hk8G8ehYJvZTyq/L4eQ9fDRbdEtckiiPX5qlmXxgcoiPBrv5+qJYQ==]
[A: ksol.io. 3599 IN RRSIG DNSKEY ECDSAP256SHA256 2 3600 20240701171204 20240617170611 14365 ksol.io. 5SiXpe9JmL5cRDxYf0k1q3HIeLKjlAaG+9KDdBD69iZo+efCiYo4BGjbDNMBtdVV1x7t8PyvDMF61haVNGlyiA==]
[X: EDNS: version: 0, flags: do; udp: 65494]
Jun 19, 2024 10:45:02 AM org.minidns.dnssec.algorithms.AlgorithmMap <init>
FINE: Platform does not support GOST R 34.10-2001
java.security.NoSuchAlgorithmException: ECGOST3410 KeyFactory not available
at java.base/java.security.KeyFactory.<init>(KeyFactory.java:138)
at java.base/java.security.KeyFactory.getInstance(KeyFactory.java:183)
at org.minidns.dnssec.algorithms.JavaSecSignatureVerifier.<init>(JavaSecSignatureVerifier.java:32)
at org.minidns.dnssec.algorithms.EcgostSignatureVerifier.<init>(EcgostSignatureVerifier.java:44)
at org.minidns.dnssec.algorithms.AlgorithmMap.<init>(AlgorithmMap.java:92)
at org.minidns.dnssec.algorithms.AlgorithmMap.<clinit>(AlgorithmMap.java:29)
at org.minidns.dnssec.Verifier.<clinit>(Verifier.java:39)
at org.minidns.dnssec.DnssecClient.verifySignedRecords(DnssecClient.java:396)
at org.minidns.dnssec.DnssecClient.verifySignatures(DnssecClient.java:321)
at org.minidns.dnssec.DnssecClient.verifyAnswer(DnssecClient.java:159)
at org.minidns.dnssec.DnssecClient.verify(DnssecClient.java:149)
at org.minidns.dnssec.DnssecClient.performVerification(DnssecClient.java:115)
at org.minidns.dnssec.DnssecClient.queryDnssec(DnssecClient.java:105)
at org.minidns.dnssec.DnssecClient.queryDnssec(DnssecClient.java:100)
at org.minidns.dnssec.DnssecClient.verifySignedRecords(DnssecClient.java:381)
at org.minidns.dnssec.DnssecClient.verifySignatures(DnssecClient.java:321)
at org.minidns.dnssec.DnssecClient.verifyAnswer(DnssecClient.java:159)
at org.minidns.dnssec.DnssecClient.verify(DnssecClient.java:149)
at org.minidns.dnssec.DnssecClient.performVerification(DnssecClient.java:115)
at org.minidns.dnssec.DnssecClient.queryDnssec(DnssecClient.java:105)
at org.minidns.dnssec.DnssecClient.queryDnssec(DnssecClient.java:100)
at ammonite.$sess.cmd1$.<init>(cmd1.sc:1)
at ammonite.$sess.cmd1$.<clinit>(cmd1.sc)
at ammonite.$sess.cmd1.$main(cmd1.sc)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at ammonite.runtime.Evaluator$$anon$1.$anonfun$evalMain$1(Evaluator.scala:113)
at ammonite.util.Util$.withContextClassloader(Util.scala:16)
at ammonite.runtime.Evaluator$$anon$1.evalMain(Evaluator.scala:95)
at ammonite.runtime.Evaluator$$anon$1.$anonfun$processLine$2(Evaluator.scala:132)
at ammonite.util.Catching.map(Res.scala:116)
at ammonite.runtime.Evaluator$$anon$1.$anonfun$processLine$1(Evaluator.scala:126)
at ammonite.util.Res$Success.flatMap(Res.scala:61)
at ammonite.runtime.Evaluator$$anon$1.processLine(Evaluator.scala:125)
at ammonite.interp.Interpreter.$anonfun$evaluateLine$3(Interpreter.scala:275)
at ammonite.util.Res$Success.flatMap(Res.scala:61)
at ammonite.interp.Interpreter.$anonfun$evaluateLine$1(Interpreter.scala:261)
at ammonite.util.Catching.flatMap(Res.scala:114)
at ammonite.interp.Interpreter.evaluateLine(Interpreter.scala:260)
at ammonite.interp.Interpreter.$anonfun$processLine$5(Interpreter.scala:247)
at ammonite.util.Res$Success.flatMap(Res.scala:61)
at ammonite.interp.Interpreter.$anonfun$processLine$3(Interpreter.scala:231)
at ammonite.util.Res$Success.flatMap(Res.scala:61)
at ammonite.interp.Interpreter.$anonfun$processLine$1(Interpreter.scala:224)
at ammonite.util.Catching.flatMap(Res.scala:114)
at ammonite.interp.Interpreter.processLine(Interpreter.scala:223)
at ammonite.repl.Repl.$anonfun$action$7(Repl.scala:175)
at ammonite.repl.Scoped.$anonfun$flatMap$1(Signaller.scala:44)
at ammonite.repl.Signaller.apply(Signaller.scala:28)
at ammonite.repl.Scoped.flatMap(Signaller.scala:44)
at ammonite.repl.Scoped.flatMap$(Signaller.scala:44)
at ammonite.repl.Signaller.flatMap(Signaller.scala:16)
at ammonite.repl.Repl.$anonfun$action$5(Repl.scala:167)
at ammonite.util.Res$Success.flatMap(Res.scala:61)
at ammonite.repl.Repl.$anonfun$action$1(Repl.scala:154)
at ammonite.util.Catching.flatMap(Res.scala:114)
at ammonite.repl.Repl.action(Repl.scala:146)
at ammonite.repl.Repl.loop$1(Repl.scala:186)
at ammonite.repl.Repl.run(Repl.scala:202)
at ammonite.Main.$anonfun$run$2(Main.scala:201)
at scala.Option.getOrElse(Option.scala:121)
at ammonite.Main.run(Main.scala:188)
at ammonite.MainRunner.$anonfun$runRepl$1(Main.scala:370)
at ammonite.MainRunner.watchLoop(Main.scala:351)
at ammonite.MainRunner.runRepl(Main.scala:370)
at ammonite.Main$.main0(Main.scala:287)
at ammonite.Main$.main(Main.scala:251)
at ammonite.Main.main(Main.scala)
Jun 19, 2024 10:45:02 AM org.minidns.DnsClient findDNS
FINE: DnsServerLookupMechanism UnixUsingEtcResolvConf returned the following DNS servers: 127.0.0.53
Jun 19, 2024 10:45:02 AM org.minidns.AbstractDnsClient query
FINE: Asking /127.0.0.53 on 53 for ksol.io. IN DS with:
DnsMessage(23103 QUERY NO_ERROR query[qr=0] rd cd)
[Q: ksol.io. IN DS]
[X: EDNS: version: 0, flags: do; udp: 1024]
Jun 19, 2024 10:45:02 AM org.minidns.AbstractDnsClient query
FINE: Response from /127.0.0.53 on 53 for ksol.io. IN DS:
DnsMessage(23103 QUERY NO_ERROR resp[qr=1] rd ra ad cd)
[Q: ksol.io. IN DS]
[A: ksol.io. 3599 IN DS 14365 ECDSAP256SHA256 SHA384 394D6477E6A8FDFC0BC318E8FB1209000D285739153EF0E1CC899BEE7E2F00AD74DC1BC228F646AD0B8B652A7656D3DD]
[A: ksol.io. 3599 IN RRSIG DS RSASHA256 2 3600 20240708155515 20240617145515 12723 io. OnbnhN3CCyx9F9LC4XXPiLBrcyiJxgTJ35HkRN4lwBxATIjwP6JEZC+yFZ/A3k9x26q3dF/2Oz24vZM9oXPyZW7XwPhGh6Zsj+EyG9Z5UnF04CP+KAI94RkDKFOEnI9AyKwOAHTOQ9yzKD0BfY+o0WTsM5khReEx9aCp0A1REwY=]
[X: EDNS: version: 0, flags: do; udp: 65494]
Jun 19, 2024 10:45:02 AM org.minidns.DnsClient findDNS
FINE: DnsServerLookupMechanism UnixUsingEtcResolvConf returned the following DNS servers: 127.0.0.53
Jun 19, 2024 10:45:02 AM org.minidns.AbstractDnsClient query
FINE: Asking /127.0.0.53 on 53 for io. IN DNSKEY with:
DnsMessage(50745 QUERY NO_ERROR query[qr=0] rd cd)
[Q: io. IN DNSKEY]
[X: EDNS: version: 0, flags: do; udp: 1024]
Jun 19, 2024 10:45:02 AM org.minidns.AbstractDnsClient query
FINE: Response from /127.0.0.53 on 53 for io. IN DNSKEY:
DnsMessage(50745 QUERY REFUSED resp[qr=1] aa rd ra cd)
[Q: io. IN DNSKEY]
[X: EDNS: version: 0, flags: do; udp: 65494]
Jun 19, 2024 10:45:02 AM org.minidns.DnsClient query
WARNING: Response from /127.0.0.53 asked for io. IN DNSKEY with error code: REFUSED.
Jun 19, 2024 10:45:02 AM org.minidns.DnsClient query
WARNING: Response from /127.0.0.53 asked for io. IN DNSKEY with error code: REFUSED.
Jun 19, 2024 10:45:02 AM org.minidns.AbstractDnsClient query
FINE: Asking /8.8.8.8 on 53 for io. IN DNSKEY with:
DnsMessage(50745 QUERY NO_ERROR query[qr=0] rd cd)
[Q: io. IN DNSKEY]
[X: EDNS: version: 0, flags: do; udp: 1024]
Jun 19, 2024 10:45:02 AM org.minidns.AbstractDnsClient query
FINE: Response from /8.8.8.8 on 53 for io. IN DNSKEY:
DnsMessage(50745 QUERY NO_ERROR resp[qr=1] rd ra ad cd)
[Q: io. IN DNSKEY]
[A: io. 3252 IN DNSKEY 257 3 RSASHA256 AwEAAdgV7ipvizPjJNDZ1O5Ea7hmp+qelixmzCqWbwPH00VOKvlEcWfM/PKGLt+Phj9jVJqDytWIm7Ff7+fUaRMPzMuUW2Z7ViLitxH4iNtKtwU+DMzdGpzRMXFAF1WdbxCF5lWoK0MHsIR5oD9VkwopkttyGnKjYhTDNObYHg8Mi5E9j0FjU4OEpKw6NbZduVKp2pRBBejm/8WKq0O1PukchMa6TQIJlYNsJZNzD1QLcKZWEup+fTvqzAWiK2Su6rlDC7rgwe6OjhrT2ejqlORp3h5S4WJGi3haUczvA/O5GYjhGmXxp5CJ01RJSYG0BsbY1tpEX+9Y4+GhS/nf8Qo0iDc=]
[A: io. 3252 IN DNSKEY 256 3 RSASHA256 AwEAAZSk5aaoE7PtV0kTMmsgFvGthxpoOeGyZw0YIq1W3InR6mBuJBOaYNOILyWsTBU6BO+q7oDqzVdHk5hcETn1h2hq7RP/770KPt0t/0sniDd/Yavvs6zHKQofpRV3YcIUOngWpvZ2Z55xIbzU8H8FdW+igCMwQgiSRfbc8aWnmEDv]
[A: io. 3252 IN DNSKEY 256 3 RSASHA256 AwEAAaLASRPiGmFtDEPgozcCgfQBXnMY76WdF3wSKZztCUNjTuTWT6GgK9DrSOfBr6MvemMczIhwoH1v4gv4sPpzeDCzOilZHGB+PP8Z/z2POL3iXi0OXfxBdxOsceZuIvKK1TsZxvQsjtZ0h4wjY/A1zlz7KOw+Q5nANbKR7XV7oBWd]
[A: io. 3252 IN RRSIG DNSKEY RSASHA256 1 3600 20240708155515 20240617145515 57355 io. OXkPP5+STqcOMESrQUZ6GpKzlURXJddP7Qxoy+5jFqWaDoyFYHOI7gIoA7XR/hgGomcPAG19Hz07alvj4jEza3zigS1LBVfJ1E9NT1XR3V7M7GccnFgz46lNHYmvBIMi4JDgEB9gJcKn+efTnKVTn32k7rB7R4adJ1Mg7ip9vAJP6osnU2RIZCVozwHhBMTfIizUZVjlMWyJ+/hDhtWsv1ijlQf6LHfXQj12owYl0cVzGMVNWBhxnV5F89ZVGBbcNWqcHHcgqNVA85Dn3ykb9+AelAC+cUC4NMhwPp86l8i7LEOfGfFQwh09f/nurn+kb0cUQ7QPEE91kmZOIpC0Dw==]
[X: EDNS: version: 0, flags: do; udp: 512]
Jun 19, 2024 10:45:02 AM org.minidns.DnsClient findDNS
FINE: DnsServerLookupMechanism UnixUsingEtcResolvConf returned the following DNS servers: 127.0.0.53
Jun 19, 2024 10:45:02 AM org.minidns.AbstractDnsClient query
FINE: Asking /127.0.0.53 on 53 for io. IN DS with:
DnsMessage(4990 QUERY NO_ERROR query[qr=0] rd cd)
[Q: io. IN DS]
[X: EDNS: version: 0, flags: do; udp: 1024]
Jun 19, 2024 10:45:02 AM org.minidns.AbstractDnsClient query
FINE: Response from /127.0.0.53 on 53 for io. IN DS:
DnsMessage(4990 QUERY REFUSED resp[qr=1] aa rd ra cd)
[Q: io. IN DS]
[X: EDNS: version: 0, flags: do; udp: 65494]
Jun 19, 2024 10:45:02 AM org.minidns.DnsClient query
WARNING: Response from /127.0.0.53 asked for io. IN DS with error code: REFUSED.
Jun 19, 2024 10:45:02 AM org.minidns.DnsClient query
WARNING: Response from /127.0.0.53 asked for io. IN DS with error code: REFUSED.
Jun 19, 2024 10:45:02 AM org.minidns.AbstractDnsClient query
FINE: Asking /8.8.8.8 on 53 for io. IN DS with:
DnsMessage(4990 QUERY NO_ERROR query[qr=0] rd cd)
[Q: io. IN DS]
[X: EDNS: version: 0, flags: do; udp: 1024]
Jun 19, 2024 10:45:02 AM org.minidns.AbstractDnsClient query
FINE: Response from /8.8.8.8 on 53 for io. IN DS:
DnsMessage(4990 QUERY NO_ERROR resp[qr=1] rd ra ad cd)
[Q: io. IN DS]
[A: io. 59874 IN DS 57355 RSASHA256 SHA256 95A57C3BAB7849DBCDDF7C72ADA71A88146B141110318CA5BE672057E865C3E2]
[A: io. 59874 IN RRSIG DS RSASHA256 1 86400 20240701170000 20240618160000 5613 .. Au5FBw/Nd3nEjRl2fAoyGHOTnEzBB+Z+HWXa0+JYsEEMxrdiUGfx9ogZVStR+TCnCd27XVDRYoU7O2znFU0bTXxIBqlFUboDxL9lQSeBCxE9AnCO7ymCYIz5F+Lks/geuvR6EpUVp89a6BchowJwQSQOhzZM4TuOrV3QhyjKK9WJMgltDKfeZZ1gSZj4cVB93qP8L9mpdx1WQWF2TtuaF5Hyzdeqjfk/oWw4cZTCS3d15VWt2Wu9YPmU0QLK2wI4BsRhR5M0Fqdz108i7ThocdM85nV2n9//uv2OiUb6WpwyKswd7SBlB8EBtL0SwGvmi5nszp4vvMSyjVzeHQAfUw==]
[X: EDNS: version: 0, flags: do; udp: 512]
Jun 19, 2024 10:45:02 AM org.minidns.DnsClient findDNS
FINE: DnsServerLookupMechanism UnixUsingEtcResolvConf returned the following DNS servers: 127.0.0.53
Jun 19, 2024 10:45:02 AM org.minidns.AbstractDnsClient query
FINE: Asking /127.0.0.53 on 53 for .. IN DNSKEY with:
DnsMessage(12124 QUERY NO_ERROR query[qr=0] rd cd)
[Q: .. IN DNSKEY]
[X: EDNS: version: 0, flags: do; udp: 1024]
Jun 19, 2024 10:45:02 AM org.minidns.AbstractDnsClient query
FINE: Response from /127.0.0.53 on 53 for .. IN DNSKEY:
DnsMessage(12124 QUERY NO_ERROR resp[qr=1] rd ra ad cd)
[Q: .. IN DNSKEY]
[A: .. 47671 IN DNSKEY 256 3 RSASHA256 AwEAAZBALoOFImwcJJg9Iu7Vy7ZyLjhtXfvO1c9k4vHjOpf9i7U1kKtrBvhnwsOni1sb50gkUayRtMDTUQqvljMMf4bpkyEtcE5evCzhHbFLq1coL5QOix3mfJm++FvIMaAt52nOvAdqR/luuI11bA1AmSCIJKAUx147DcfOHYKg3as+dznn3Iah4cWBMVzDe7PPsFS1AO6gU8EpmiRJ9VMNA09fOyDuq9+d6sw8UUnJRMAFAuPLhUFjUAOuWOw74BC9lOtMQpbLMz8pX0CDKdOXDHjyj61nxSSWxPdUjeoxI17lQTpSPRtqRHFn5Fgj2e+9BVwhhWGDQN8kUVSJHZtQiI0=]
[A: .. 47671 IN DNSKEY 257 3 RSASHA256 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=]
[A: .. 47671 IN RRSIG DNSKEY RSASHA256 0 172800 20240701000000 20240610000000 20326 .. eMFu/6uu1WUYhDgMumLBzvIVpCIlm7RgN4bOWtddDAg001OtUzn89m12ox2FKAleQcPe1dhUAatL26w0qUeBB4ucXu8IB+azRu/EOwGZroZAubzp+vKAuUV48KqKdncw618tRJKtH+BDTHQQxdztd7GG8dtXnqE2V7NruCjf68dwOLiZTrPG3GVjyxiU0tb4JGyX6SXIViRSyGjH5OGMfx9wicHwLnBy29E7B4QwJ8PAhxe8TCMu+/2c5YzDV1k3XABj71L2Kh+zvukQ/lxB0eJHt0nc4rxcV8nyr7TOOIzpLyNlUhSDckK1XweyTIKzJrg8pI2gQXYiOnH0T3I8Cg==]
[X: EDNS: version: 0, flags: do; udp: 65494]
Jun 19, 2024 10:45:02 AM org.minidns.dnssec.DnssecClient verifySecureEntryPoint
FINE: There is no DS record for 'io', server gives empty result
Jun 19, 2024 10:45:02 AM org.minidns.dnssec.DnssecClient verifySecureEntryPoint
FINE: There is no DS record for 'io', server gives empty result
Jun 19, 2024 10:45:02 AM org.minidns.dnssec.DnssecClient verifySecureEntryPoint
FINE: There is no DS record for 'ksol.io', server gives empty result
Jun 19, 2024 10:45:02 AM org.minidns.dnssec.DnssecClient verifySecureEntryPoint
FINE: There is no DS record for 'io', server gives empty result
Jun 19, 2024 10:45:02 AM org.minidns.dnssec.DnssecClient verifySecureEntryPoint
FINE: There is no DS record for 'io', server gives empty result
res1: dnssec.DnssecQueryResult = org.minidns.dnssec.DnssecQueryResult@1fedf0a4
@ res1.is
isAuthenticData
@ res1.isA
isAuthenticData
@ res1.isAuthenticData
res2: Boolean = true
@ res1.getU
getUnverifiedReasons
@ res1.getUnverifiedReasons
res3: java.util.Set[dnssec.DnssecUnverifiedReason] = []
@Flowdalic can we get a snapshot build on maven with this?
@Flowdalic can we get a snapshot build on maven with this?
published
@Flowdalic which maven repo was used for this? I don't see an artefact here:
https://mvnrepository.com/artifact/org.minidns/minidns-hla
Or in other words, what are the maven coordinates?
@Flowdalic which maven repo was used for this?
Maven Central's snapshot repository: https://oss.sonatype.org/content/repositories/snapshots/org/minidns/
@karolyi you can download a preview/snapshot version of FairEmail via this link:
https://bitbucket.org/M66B/fairemail-test/downloads/
I'm not sure how stable/finished the MiniDNS alpha version is, so I'm not sure if this will be included in regular builds of the app. Perhaps @Flowdalic can comment on this.
In any case, there are more than a few changes since 1.0.5: https://github.com/MiniDNS/minidns/compare/1.0.5...master
@M66B it's kinda off-topic here, but I can confirm that the alpha works, and I can also turn on the "Enforce DNSSEC" checkbox.
Maybe it would be beneficial to test what happens upon a bad TLSA signature to test a negative, but I'm happy with the result as is.
Also, I'm wondering why a better (more secure) hashing algorithm is optional, and a less secure one mandatory.
It only creates the possibility of exploiting security holes in lacking implementations, where they simply ignore checking the SHA384 hashes and assume the domain's DS record is valid when a 'mandatory' record, such as the SHA256 one, is missing.
I've set up my domain with the intention of using the better hashing algo, just to realize it's optional.
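The DS check discussed in this thread (Flowdalic's point that an optional digest type should only be logged at FINE and must not break anything, and the worry above about implementations that skip unsupported digests), written out as an added example; this is not MiniDNS's own code. It recomputes the DS digest of a DNSKEY as RFC 4034 section 5.1.4 specifies (digest over the canonical owner name followed by the DNSKEY RDATA) and, when no DS in the set has a digest type the platform can compute, returns INSECURE as RFC 4035 section 5.2 requires, never SECURE: "cannot check" is treated like "no DS exists", not like "valid". The KSK and the SHA-384 DS are copied from the REPL session above; the GOST DS, the class name, the Result enum and the helper names are constructed for this example.

```java
import java.io.ByteArrayOutputStream;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import java.util.Locale;
import java.util.logging.Level;
import java.util.logging.Logger;

// Added example (not MiniDNS code): verify a DS RRset against a DNSKEY and
// handle digest types the platform lacks by skipping them, not by failing.
public class DsDigestCheck {
    private static final Logger LOGGER = Logger.getLogger(DsDigestCheck.class.getName());

    enum Result { SECURE, BOGUS, INSECURE }

    // A parsed DS record; digest holds the raw bytes of the hex field.
    static final class Ds {
        final int keyTag, algorithm, digestType; final byte[] digest;
        Ds(int keyTag, int algorithm, int digestType, byte[] digest) {
            this.keyTag = keyTag; this.algorithm = algorithm;
            this.digestType = digestType; this.digest = digest;
        }
    }

    // IANA DS digest types -> JCA MessageDigest names. Type 3 (GOST R 34.11-94)
    // is optional and not in the stock JDK, so it deliberately has no mapping.
    static String jcaNameFor(int digestType) {
        switch (digestType) {
            case 1: return "SHA-1";
            case 2: return "SHA-256";
            case 4: return "SHA-384";
            default: return null;
        }
    }

    // Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase labels, root terminator.
    static byte[] wireName(String name) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (String label : name.split("\\.")) {
            if (label.isEmpty()) continue;
            byte[] l = label.toLowerCase(Locale.ROOT).getBytes(StandardCharsets.US_ASCII);
            out.write(l.length);
            out.write(l, 0, l.length);
        }
        out.write(0);
        return out.toByteArray();
    }

    // DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key.
    static byte[] dnskeyRdata(int flags, int protocol, int algorithm, byte[] publicKey) {
        ByteBuffer buf = ByteBuffer.allocate(4 + publicKey.length);
        buf.putShort((short) flags).put((byte) protocol).put((byte) algorithm).put(publicKey);
        return buf.array();
    }

    // Key tag per RFC 4034 Appendix B (for all algorithms except RSA/MD5).
    static int keyTag(byte[] rdata) {
        int ac = 0;
        for (int i = 0; i < rdata.length; i++)
            ac += (i & 1) == 0 ? (rdata[i] & 0xFF) << 8 : (rdata[i] & 0xFF);
        ac += (ac >> 16) & 0xFFFF;
        return ac & 0xFFFF;
    }

    static byte[] hex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++)
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        return out;
    }

    // SECURE if some supported DS matches; BOGUS if supported DS exist but none matches;
    // INSECURE if no DS for this key has a digest type we can compute (RFC 4035 section 5.2).
    static Result verify(String owner, byte[] dnskeyRdata, List<Ds> dsSet) {
        byte[] ownerWire = wireName(owner);
        int tag = keyTag(dnskeyRdata);
        int alg = dnskeyRdata[3] & 0xFF;
        boolean anySupported = false;
        for (Ds ds : dsSet) {
            if (ds.keyTag != tag || ds.algorithm != alg) continue;   // DS points at another key
            String jca = jcaNameFor(ds.digestType);
            MessageDigest md;
            try {
                md = jca == null ? null : MessageDigest.getInstance(jca);
            } catch (NoSuchAlgorithmException e) {
                md = null;
            }
            if (md == null) {   // optional digest type: log at FINE and move on, do not throw
                LOGGER.log(Level.FINE, "Platform does not support DS digest type " + ds.digestType);
                continue;
            }
            anySupported = true;
            md.update(ownerWire);
            md.update(dnskeyRdata);
            if (MessageDigest.isEqual(md.digest(), ds.digest)) return Result.SECURE;
        }
        return anySupported ? Result.BOGUS : Result.INSECURE;
    }

    public static void main(String[] args) {
        // KSK (257 3 ECDSAP256SHA256) and the SHA-384 DS of ksol.io as printed in the session above.
        byte[] ksk = dnskeyRdata(257, 3, 13, Base64.getDecoder().decode(
            "JtLNH7rFA7y/B8vNGUZNZfKl5SWnMPC/5Hk8G8ehYJvZTyq/L4eQ9fDRbdEtckiiPX5qlmXxgcoiPBrv5+qJYQ=="));
        Ds sha384 = new Ds(14365, 13, 4, hex(
            "394D6477E6A8FDFC0BC318E8FB1209000D285739153EF0E1CC899BEE7E2F00AD74DC1BC228F646AD0B8B652A7656D3DD"));
        // Constructed DS with digest type 3 (GOST), which the stock JDK cannot compute.
        Ds gost = new Ds(14365, 13, 3, new byte[32]);

        System.out.println("key tag of KSK:    " + keyTag(ksk));
        System.out.println("SHA-384 DS only:   " + verify("ksol.io.", ksk, Arrays.asList(sha384)));
        System.out.println("GOST + SHA-384 DS: " + verify("ksol.io.", ksk, Arrays.asList(gost, sha384)));
        System.out.println("GOST DS only:      " + verify("ksol.io.", ksk, Arrays.asList(gost)));
    }
}
```

Since the session above ends with isAuthenticData = true and no unverified reasons, the SHA-384 case is expected to come back SECURE, the mixed set likewise (the GOST entry is skipped, not fatal), and the GOST-only set INSECURE. With the default java.util.logging configuration the FINE message is not shown at all, which is the behaviour Flowdalic asks for: an optional algorithm the platform lacks is not an error the user needs to see.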
Verification fails here:
https://github.com/MiniDNS/minidns/blob/master/minidns-dnssec/src/main/java/org/minidns/dnssec/Verifier.java#L45
Where ds.digestType = SHA-384, which seems to be missing here:
https://github.com/MiniDNS/minidns/blob/master/minidns-dnssec/src/main/java/org/minidns/dnssec/algorithms/AlgorithmMap.java#L50
The DNS record specifies ECDSAP384SHA384, though, so perhaps the digest type was derived incorrectly?