MiniDNS / minidns

DNS library for Android and Java SE

Digest algorithm SHA-384 missing/invalid #139

Closed M66B closed 3 months ago

M66B commented 3 months ago

Verification fails here:

https://github.com/MiniDNS/minidns/blob/master/minidns-dnssec/src/main/java/org/minidns/dnssec/Verifier.java#L45

Where ds.digestType = SHA-384, which seems to be missing here:

https://github.com/MiniDNS/minidns/blob/master/minidns-dnssec/src/main/java/org/minidns/dnssec/algorithms/AlgorithmMap.java#L50

The DNS record specifies ECDSAP384SHA384, though, so perhaps the digest type was derived incorrectly?

karolyi commented 3 months ago

Can confirm (hey Marcel).

You can test the DS with my domain, ksol.io: https://dnsviz.net/d/mail.ksol.io/dnssec/

Flowdalic commented 3 months ago

Should be an easy fix. Does anyone want to prepare a PR? Otherwise, I'll give it a shot, although I can not tell when I'll find the spare time to do it.

M66B commented 3 months ago

@Flowdalic I can do a pull request, but to prevent us from working around another problem, can you confirm that this is correct:

ds.digestType = SHA-384

Delicates commented 3 months ago

The constant is defined here: https://github.com/MiniDNS/minidns/blob/master/minidns-core/src/main/java/org/minidns/constants/DnssecConstants.java#L80

Delicates commented 3 months ago

Also SHA-384 is Optional, not Mandatory: https://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml

So if not supported by the platform AlgorithmMap.java should log an error, not throw an exception.

Flowdalic commented 3 months ago

> @Flowdalic I can do a pull request, but to prevent we are going to work around another problem, can you confirm that this is correct:
>
> ds.digestType = SHA-384

I am not sure if I understand the question. In any case, I think it should be more like ds.digestType = DigestType.SHA384.

> So if not supported by the platform AlgorithmMap.java should log an error, not throw an exception.

That's almost right: It should log a message with a log level of FINE, not log an error. Since the digest algorithm is only optional, not mandatory, nothing should break and therefore there is no reason to alarm the user with an error message.
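An added example (not MiniDNS code) of the two points made above: a DS digest is the hash, of the type the DS record names (SHA-384 is IANA digest type 4, independent of the key's algorithm field), over the owner name plus the DNSKEY RDATA, and a digest type the platform lacks should only be dropped with a debug-level log line unless it is mandatory. It goes beyond the thread in also checking the key tag; the key material in the test is constructed, and the `__main__` block reuses the ksol.io DNSKEY and DS records from the REPL output posted further down.

```python
import base64
import hashlib
import logging

log = logging.getLogger("ds-check")

# IANA DS digest types: number -> (name, hashlib name, mandatory to implement)
DIGEST_TYPES = {
    1: ("SHA-1", "sha1", False),
    2: ("SHA-256", "sha256", True),
    4: ("SHA-384", "sha384", False),
}

def dns_name_wire(name):
    """Canonical wire form of an owner name: length-prefixed lowercase labels plus the root label."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 2-byte flags, protocol (always 3), algorithm number, public key bytes."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (algorithms other than 1): 16-bit word sum, carry folded in."""
    acc = sum(int.from_bytes(rdata[i:i + 2].ljust(2, b"\x00"), "big")
              for i in range(0, len(rdata), 2))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def available_digests(platform):
    """Usable digest types; a missing optional type is only logged, a missing mandatory one is an error."""
    usable = {}
    for dtype, (name, hash_name, mandatory) in DIGEST_TYPES.items():
        if hash_name in platform:
            usable[dtype] = hash_name
        elif mandatory:
            raise RuntimeError("mandatory DS digest type %s unavailable" % name)
        else:
            log.debug("Platform does not support optional DS digest type %s", name)
    return usable

def ds_digest(owner, rdata, dtype, usable):
    """RFC 4034 section 5.1.4: hash(owner name wire form || DNSKEY RDATA); None if type unsupported."""
    hash_name = usable.get(dtype)
    if hash_name is None:
        return None
    return hashlib.new(hash_name, dns_name_wire(owner) + rdata).digest()

def ds_matches(owner, rdata, ds_tag, ds_dtype, ds_hex, usable):
    """True only if the key tag matches and the recomputed digest equals the DS digest."""
    if key_tag(rdata) != ds_tag:
        return False
    d = ds_digest(owner, rdata, ds_dtype, usable)
    return d is not None and d == bytes.fromhex(ds_hex)

if __name__ == "__main__":
    # DNSKEY RRset and DS record of ksol.io as shown in the REPL output in this thread (algorithm 13 = ECDSAP256SHA256).
    keys = [(256, "eZoCtc6bZum/ClU+MIeiGsmtDIioOm+1DmS4F+O6Us9iTq3/SfSkZnmkqsi11hKF95ArSr4ohDdAZgZF8sdgaw=="),
            (257, "JtLNH7rFA7y/B8vNGUZNZfKl5SWnMPC/5Hk8G8ehYJvZTyq/L4eQ9fDRbdEtckiiPX5qlmXxgcoiPBrv5+qJYQ==")]
    ds_hex = "394D6477E6A8FDFC0BC318E8FB1209000D285739153EF0E1CC899BEE7E2F00AD74DC1BC228F646AD0B8B652A7656D3DD"
    usable = available_digests(set(hashlib.algorithms_available))
    for flags, b64 in keys:
        rdata = dnskey_rdata(flags, 3, 13, base64.b64decode(b64))
        print("flags", flags, "key tag", key_tag(rdata), "DS matches:",
              ds_matches("ksol.io.", rdata, 14365, 4, ds_hex, usable))
```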

M66B commented 3 months ago

@Flowdalic the question was more whether SHA-384 is correct or whether it must be ECDSAP384SHA384.

Flowdalic commented 3 months ago

> You can test the DS with my domain, ksol.io: https://dnsviz.net/d/mail.ksol.io/dnssec/

This works now, see the following output of a MiniDNS REPL session. But please note that you should set up DNSSEC on your domain so that it can also be resolved by resolvers that only support the mandatory algorithms.

$ run-with-java 11 ./repl
Set Java to openjdk-11
JAVA_HOME=/usr/lib/jvm/openjdk-11
PATH=/usr/lib/jvm/openjdk-11/bin:/usr/lib/pkgcore/shell/bin:/home/flo/.local/share/coursier/bin:/home/flo/go/bin:/home/flo/.local/bin:/home/flo/bin/:/usr/local/sbin:/usr/local/bin:/usr/bin:/opt/bin:/usr/lib/llvm/18/bin:/usr/lib/llvm/17/bin:/usr/lib/llvm/16/bin:/etc/eselect/wine/bin:/home/flo/.config/shell/bin/gentoo/:/home/flo/.config/shell/bin_deps/adb/:/home/flo/.config/shell/bin_deps/bitcoin-qt/:/home/flo/.config/shell/bin_deps/git/:/home/flo/.config/shell/bin_deps/gpg/
Executing ./repl
Compiling and computing classpath (May take a while)
Classpath computed, starting REPL
Loading...
MiniDNS REPL
Set value 'c' to DNSClient
Set value 'ic' to IterativeDnsClient
Set value 'dc' to DnssecClient
Set value 'r' to ResolverApi
Set value 'dr' to DnssecResolverApi
Enjoy MiniDNS. Go ahead and try a query. For example:
c query ("geekplace.eu", TYPE.A)
dr resolveDnssecReliable ("verteiltesysteme.net", classOf[A])
NOTE: You can enable debug log output by calling 'debugLog'
Welcome to the Ammonite Repl 1.1.2
(Scala 2.12.4 Java 11.0.23)
If you like Ammonite, please support our development at www.patreon.com/lihaoyi
@ debugLog 

@ dc queryDnssec ("ksol.io", TYPE.A) 
Jun 19, 2024 10:45:01 AM org.minidns.DnsClient findDNS
FINE: DnsServerLookupMechanism UnixUsingEtcResolvConf returned the following DNS servers: 127.0.0.53
Jun 19, 2024 10:45:01 AM org.minidns.AbstractDnsClient query
FINE: Asking /127.0.0.53 on 53 for ksol.io. IN  A with:
DnsMessage(1579 QUERY NO_ERROR query[qr=0] rd cd)
[Q: ksol.io.    IN  A]
[X: EDNS: version: 0, flags: do; udp: 1024]
Jun 19, 2024 10:45:02 AM org.minidns.AbstractDnsClient query
FINE: Response from /127.0.0.53 on 53 for ksol.io.  IN  A:
DnsMessage(1579 QUERY NO_ERROR resp[qr=1] rd ra ad cd)
[Q: ksol.io.    IN  A]
[A: ksol.io.    3599    IN  A   116.202.208.157]
[A: ksol.io.    3599    IN  RRSIG   A ECDSAP256SHA256 2 3600 20240628064105 20240614061034 29316 ksol.io. J6r55XWAt7D37zriDNAoC61Txlbr4uWN1yz7KaEbt0hzzOJ7z9VXu4rf2ddIpzNCl8rBvMdnAqa+P34phrsxEg==]
[X: EDNS: version: 0, flags: do; udp: 65494]
Jun 19, 2024 10:45:02 AM org.minidns.DnsClient findDNS
FINE: DnsServerLookupMechanism UnixUsingEtcResolvConf returned the following DNS servers: 127.0.0.53
Jun 19, 2024 10:45:02 AM org.minidns.AbstractDnsClient query
FINE: Asking /127.0.0.53 on 53 for ksol.io. IN  DNSKEY with:
DnsMessage(45472 QUERY NO_ERROR query[qr=0] rd cd)
[Q: ksol.io.    IN  DNSKEY]
[X: EDNS: version: 0, flags: do; udp: 1024]
Jun 19, 2024 10:45:02 AM org.minidns.AbstractDnsClient query
FINE: Response from /127.0.0.53 on 53 for ksol.io.  IN  DNSKEY:
DnsMessage(45472 QUERY NO_ERROR resp[qr=1] rd ra cd)
[Q: ksol.io.    IN  DNSKEY]
[A: ksol.io.    3599    IN  DNSKEY  256 3 ECDSAP256SHA256 eZoCtc6bZum/ClU+MIeiGsmtDIioOm+1DmS4F+O6Us9iTq3/SfSkZnmkqsi11hKF95ArSr4ohDdAZgZF8sdgaw==]
[A: ksol.io.    3599    IN  DNSKEY  257 3 ECDSAP256SHA256 JtLNH7rFA7y/B8vNGUZNZfKl5SWnMPC/5Hk8G8ehYJvZTyq/L4eQ9fDRbdEtckiiPX5qlmXxgcoiPBrv5+qJYQ==]
[A: ksol.io.    3599    IN  RRSIG   DNSKEY ECDSAP256SHA256 2 3600 20240701171204 20240617170611 14365 ksol.io. 5SiXpe9JmL5cRDxYf0k1q3HIeLKjlAaG+9KDdBD69iZo+efCiYo4BGjbDNMBtdVV1x7t8PyvDMF61haVNGlyiA==]
[X: EDNS: version: 0, flags: do; udp: 65494]
Jun 19, 2024 10:45:02 AM org.minidns.dnssec.algorithms.AlgorithmMap <init>
FINE: Platform does not support GOST R 34.10-2001
java.security.NoSuchAlgorithmException: ECGOST3410 KeyFactory not available
    at java.base/java.security.KeyFactory.<init>(KeyFactory.java:138)
    at java.base/java.security.KeyFactory.getInstance(KeyFactory.java:183)
    at org.minidns.dnssec.algorithms.JavaSecSignatureVerifier.<init>(JavaSecSignatureVerifier.java:32)
    at org.minidns.dnssec.algorithms.EcgostSignatureVerifier.<init>(EcgostSignatureVerifier.java:44)
    at org.minidns.dnssec.algorithms.AlgorithmMap.<init>(AlgorithmMap.java:92)
    at org.minidns.dnssec.algorithms.AlgorithmMap.<clinit>(AlgorithmMap.java:29)
    at org.minidns.dnssec.Verifier.<clinit>(Verifier.java:39)
    at org.minidns.dnssec.DnssecClient.verifySignedRecords(DnssecClient.java:396)
    at org.minidns.dnssec.DnssecClient.verifySignatures(DnssecClient.java:321)
    at org.minidns.dnssec.DnssecClient.verifyAnswer(DnssecClient.java:159)
    at org.minidns.dnssec.DnssecClient.verify(DnssecClient.java:149)
    at org.minidns.dnssec.DnssecClient.performVerification(DnssecClient.java:115)
    at org.minidns.dnssec.DnssecClient.queryDnssec(DnssecClient.java:105)
    at org.minidns.dnssec.DnssecClient.queryDnssec(DnssecClient.java:100)
    at org.minidns.dnssec.DnssecClient.verifySignedRecords(DnssecClient.java:381)
    at org.minidns.dnssec.DnssecClient.verifySignatures(DnssecClient.java:321)
    at org.minidns.dnssec.DnssecClient.verifyAnswer(DnssecClient.java:159)
    at org.minidns.dnssec.DnssecClient.verify(DnssecClient.java:149)
    at org.minidns.dnssec.DnssecClient.performVerification(DnssecClient.java:115)
    at org.minidns.dnssec.DnssecClient.queryDnssec(DnssecClient.java:105)
    at org.minidns.dnssec.DnssecClient.queryDnssec(DnssecClient.java:100)
    at ammonite.$sess.cmd1$.<init>(cmd1.sc:1)
    at ammonite.$sess.cmd1$.<clinit>(cmd1.sc)
    at ammonite.$sess.cmd1.$main(cmd1.sc)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at ammonite.runtime.Evaluator$$anon$1.$anonfun$evalMain$1(Evaluator.scala:113)
    at ammonite.util.Util$.withContextClassloader(Util.scala:16)
    at ammonite.runtime.Evaluator$$anon$1.evalMain(Evaluator.scala:95)
    at ammonite.runtime.Evaluator$$anon$1.$anonfun$processLine$2(Evaluator.scala:132)
    at ammonite.util.Catching.map(Res.scala:116)
    at ammonite.runtime.Evaluator$$anon$1.$anonfun$processLine$1(Evaluator.scala:126)
    at ammonite.util.Res$Success.flatMap(Res.scala:61)
    at ammonite.runtime.Evaluator$$anon$1.processLine(Evaluator.scala:125)
    at ammonite.interp.Interpreter.$anonfun$evaluateLine$3(Interpreter.scala:275)
    at ammonite.util.Res$Success.flatMap(Res.scala:61)
    at ammonite.interp.Interpreter.$anonfun$evaluateLine$1(Interpreter.scala:261)
    at ammonite.util.Catching.flatMap(Res.scala:114)
    at ammonite.interp.Interpreter.evaluateLine(Interpreter.scala:260)
    at ammonite.interp.Interpreter.$anonfun$processLine$5(Interpreter.scala:247)
    at ammonite.util.Res$Success.flatMap(Res.scala:61)
    at ammonite.interp.Interpreter.$anonfun$processLine$3(Interpreter.scala:231)
    at ammonite.util.Res$Success.flatMap(Res.scala:61)
    at ammonite.interp.Interpreter.$anonfun$processLine$1(Interpreter.scala:224)
    at ammonite.util.Catching.flatMap(Res.scala:114)
    at ammonite.interp.Interpreter.processLine(Interpreter.scala:223)
    at ammonite.repl.Repl.$anonfun$action$7(Repl.scala:175)
    at ammonite.repl.Scoped.$anonfun$flatMap$1(Signaller.scala:44)
    at ammonite.repl.Signaller.apply(Signaller.scala:28)
    at ammonite.repl.Scoped.flatMap(Signaller.scala:44)
    at ammonite.repl.Scoped.flatMap$(Signaller.scala:44)
    at ammonite.repl.Signaller.flatMap(Signaller.scala:16)
    at ammonite.repl.Repl.$anonfun$action$5(Repl.scala:167)
    at ammonite.util.Res$Success.flatMap(Res.scala:61)
    at ammonite.repl.Repl.$anonfun$action$1(Repl.scala:154)
    at ammonite.util.Catching.flatMap(Res.scala:114)
    at ammonite.repl.Repl.action(Repl.scala:146)
    at ammonite.repl.Repl.loop$1(Repl.scala:186)
    at ammonite.repl.Repl.run(Repl.scala:202)
    at ammonite.Main.$anonfun$run$2(Main.scala:201)
    at scala.Option.getOrElse(Option.scala:121)
    at ammonite.Main.run(Main.scala:188)
    at ammonite.MainRunner.$anonfun$runRepl$1(Main.scala:370)
    at ammonite.MainRunner.watchLoop(Main.scala:351)
    at ammonite.MainRunner.runRepl(Main.scala:370)
    at ammonite.Main$.main0(Main.scala:287)
    at ammonite.Main$.main(Main.scala:251)
    at ammonite.Main.main(Main.scala)

Jun 19, 2024 10:45:02 AM org.minidns.DnsClient findDNS
FINE: DnsServerLookupMechanism UnixUsingEtcResolvConf returned the following DNS servers: 127.0.0.53
Jun 19, 2024 10:45:02 AM org.minidns.AbstractDnsClient query
FINE: Asking /127.0.0.53 on 53 for ksol.io. IN  DS with:
DnsMessage(23103 QUERY NO_ERROR query[qr=0] rd cd)
[Q: ksol.io.    IN  DS]
[X: EDNS: version: 0, flags: do; udp: 1024]
Jun 19, 2024 10:45:02 AM org.minidns.AbstractDnsClient query
FINE: Response from /127.0.0.53 on 53 for ksol.io.  IN  DS:
DnsMessage(23103 QUERY NO_ERROR resp[qr=1] rd ra ad cd)
[Q: ksol.io.    IN  DS]
[A: ksol.io.    3599    IN  DS  14365 ECDSAP256SHA256 SHA384 394D6477E6A8FDFC0BC318E8FB1209000D285739153EF0E1CC899BEE7E2F00AD74DC1BC228F646AD0B8B652A7656D3DD]
[A: ksol.io.    3599    IN  RRSIG   DS RSASHA256 2 3600 20240708155515 20240617145515 12723 io. OnbnhN3CCyx9F9LC4XXPiLBrcyiJxgTJ35HkRN4lwBxATIjwP6JEZC+yFZ/A3k9x26q3dF/2Oz24vZM9oXPyZW7XwPhGh6Zsj+EyG9Z5UnF04CP+KAI94RkDKFOEnI9AyKwOAHTOQ9yzKD0BfY+o0WTsM5khReEx9aCp0A1REwY=]
[X: EDNS: version: 0, flags: do; udp: 65494]
Jun 19, 2024 10:45:02 AM org.minidns.DnsClient findDNS
FINE: DnsServerLookupMechanism UnixUsingEtcResolvConf returned the following DNS servers: 127.0.0.53
Jun 19, 2024 10:45:02 AM org.minidns.AbstractDnsClient query
FINE: Asking /127.0.0.53 on 53 for io.  IN  DNSKEY with:
DnsMessage(50745 QUERY NO_ERROR query[qr=0] rd cd)
[Q: io. IN  DNSKEY]
[X: EDNS: version: 0, flags: do; udp: 1024]
Jun 19, 2024 10:45:02 AM org.minidns.AbstractDnsClient query
FINE: Response from /127.0.0.53 on 53 for io.   IN  DNSKEY:
DnsMessage(50745 QUERY REFUSED resp[qr=1] aa rd ra cd)
[Q: io. IN  DNSKEY]
[X: EDNS: version: 0, flags: do; udp: 65494]
Jun 19, 2024 10:45:02 AM org.minidns.DnsClient query
WARNING: Response from /127.0.0.53 asked for io.    IN  DNSKEY with error code: REFUSED.
Jun 19, 2024 10:45:02 AM org.minidns.DnsClient query
WARNING: Response from /127.0.0.53 asked for io.    IN  DNSKEY with error code: REFUSED.
Jun 19, 2024 10:45:02 AM org.minidns.AbstractDnsClient query
FINE: Asking /8.8.8.8 on 53 for io. IN  DNSKEY with:
DnsMessage(50745 QUERY NO_ERROR query[qr=0] rd cd)
[Q: io. IN  DNSKEY]
[X: EDNS: version: 0, flags: do; udp: 1024]
Jun 19, 2024 10:45:02 AM org.minidns.AbstractDnsClient query
FINE: Response from /8.8.8.8 on 53 for io.  IN  DNSKEY:
DnsMessage(50745 QUERY NO_ERROR resp[qr=1] rd ra ad cd)
[Q: io. IN  DNSKEY]
[A: io. 3252    IN  DNSKEY  257 3 RSASHA256 AwEAAdgV7ipvizPjJNDZ1O5Ea7hmp+qelixmzCqWbwPH00VOKvlEcWfM/PKGLt+Phj9jVJqDytWIm7Ff7+fUaRMPzMuUW2Z7ViLitxH4iNtKtwU+DMzdGpzRMXFAF1WdbxCF5lWoK0MHsIR5oD9VkwopkttyGnKjYhTDNObYHg8Mi5E9j0FjU4OEpKw6NbZduVKp2pRBBejm/8WKq0O1PukchMa6TQIJlYNsJZNzD1QLcKZWEup+fTvqzAWiK2Su6rlDC7rgwe6OjhrT2ejqlORp3h5S4WJGi3haUczvA/O5GYjhGmXxp5CJ01RJSYG0BsbY1tpEX+9Y4+GhS/nf8Qo0iDc=]
[A: io. 3252    IN  DNSKEY  256 3 RSASHA256 AwEAAZSk5aaoE7PtV0kTMmsgFvGthxpoOeGyZw0YIq1W3InR6mBuJBOaYNOILyWsTBU6BO+q7oDqzVdHk5hcETn1h2hq7RP/770KPt0t/0sniDd/Yavvs6zHKQofpRV3YcIUOngWpvZ2Z55xIbzU8H8FdW+igCMwQgiSRfbc8aWnmEDv]
[A: io. 3252    IN  DNSKEY  256 3 RSASHA256 AwEAAaLASRPiGmFtDEPgozcCgfQBXnMY76WdF3wSKZztCUNjTuTWT6GgK9DrSOfBr6MvemMczIhwoH1v4gv4sPpzeDCzOilZHGB+PP8Z/z2POL3iXi0OXfxBdxOsceZuIvKK1TsZxvQsjtZ0h4wjY/A1zlz7KOw+Q5nANbKR7XV7oBWd]
[A: io. 3252    IN  RRSIG   DNSKEY RSASHA256 1 3600 20240708155515 20240617145515 57355 io. OXkPP5+STqcOMESrQUZ6GpKzlURXJddP7Qxoy+5jFqWaDoyFYHOI7gIoA7XR/hgGomcPAG19Hz07alvj4jEza3zigS1LBVfJ1E9NT1XR3V7M7GccnFgz46lNHYmvBIMi4JDgEB9gJcKn+efTnKVTn32k7rB7R4adJ1Mg7ip9vAJP6osnU2RIZCVozwHhBMTfIizUZVjlMWyJ+/hDhtWsv1ijlQf6LHfXQj12owYl0cVzGMVNWBhxnV5F89ZVGBbcNWqcHHcgqNVA85Dn3ykb9+AelAC+cUC4NMhwPp86l8i7LEOfGfFQwh09f/nurn+kb0cUQ7QPEE91kmZOIpC0Dw==]
[X: EDNS: version: 0, flags: do; udp: 512]
Jun 19, 2024 10:45:02 AM org.minidns.DnsClient findDNS
FINE: DnsServerLookupMechanism UnixUsingEtcResolvConf returned the following DNS servers: 127.0.0.53
Jun 19, 2024 10:45:02 AM org.minidns.AbstractDnsClient query
FINE: Asking /127.0.0.53 on 53 for io.  IN  DS with:
DnsMessage(4990 QUERY NO_ERROR query[qr=0] rd cd)
[Q: io. IN  DS]
[X: EDNS: version: 0, flags: do; udp: 1024]
Jun 19, 2024 10:45:02 AM org.minidns.AbstractDnsClient query
FINE: Response from /127.0.0.53 on 53 for io.   IN  DS:
DnsMessage(4990 QUERY REFUSED resp[qr=1] aa rd ra cd)
[Q: io. IN  DS]
[X: EDNS: version: 0, flags: do; udp: 65494]
Jun 19, 2024 10:45:02 AM org.minidns.DnsClient query
WARNING: Response from /127.0.0.53 asked for io.    IN  DS with error code: REFUSED.
Jun 19, 2024 10:45:02 AM org.minidns.DnsClient query
WARNING: Response from /127.0.0.53 asked for io.    IN  DS with error code: REFUSED.
Jun 19, 2024 10:45:02 AM org.minidns.AbstractDnsClient query
FINE: Asking /8.8.8.8 on 53 for io. IN  DS with:
DnsMessage(4990 QUERY NO_ERROR query[qr=0] rd cd)
[Q: io. IN  DS]
[X: EDNS: version: 0, flags: do; udp: 1024]
Jun 19, 2024 10:45:02 AM org.minidns.AbstractDnsClient query
FINE: Response from /8.8.8.8 on 53 for io.  IN  DS:
DnsMessage(4990 QUERY NO_ERROR resp[qr=1] rd ra ad cd)
[Q: io. IN  DS]
[A: io. 59874   IN  DS  57355 RSASHA256 SHA256 95A57C3BAB7849DBCDDF7C72ADA71A88146B141110318CA5BE672057E865C3E2]
[A: io. 59874   IN  RRSIG   DS RSASHA256 1 86400 20240701170000 20240618160000 5613 .. Au5FBw/Nd3nEjRl2fAoyGHOTnEzBB+Z+HWXa0+JYsEEMxrdiUGfx9ogZVStR+TCnCd27XVDRYoU7O2znFU0bTXxIBqlFUboDxL9lQSeBCxE9AnCO7ymCYIz5F+Lks/geuvR6EpUVp89a6BchowJwQSQOhzZM4TuOrV3QhyjKK9WJMgltDKfeZZ1gSZj4cVB93qP8L9mpdx1WQWF2TtuaF5Hyzdeqjfk/oWw4cZTCS3d15VWt2Wu9YPmU0QLK2wI4BsRhR5M0Fqdz108i7ThocdM85nV2n9//uv2OiUb6WpwyKswd7SBlB8EBtL0SwGvmi5nszp4vvMSyjVzeHQAfUw==]
[X: EDNS: version: 0, flags: do; udp: 512]
Jun 19, 2024 10:45:02 AM org.minidns.DnsClient findDNS
FINE: DnsServerLookupMechanism UnixUsingEtcResolvConf returned the following DNS servers: 127.0.0.53
Jun 19, 2024 10:45:02 AM org.minidns.AbstractDnsClient query
FINE: Asking /127.0.0.53 on 53 for ..   IN  DNSKEY with:
DnsMessage(12124 QUERY NO_ERROR query[qr=0] rd cd)
[Q: ..  IN  DNSKEY]
[X: EDNS: version: 0, flags: do; udp: 1024]
Jun 19, 2024 10:45:02 AM org.minidns.AbstractDnsClient query
FINE: Response from /127.0.0.53 on 53 for ..    IN  DNSKEY:
DnsMessage(12124 QUERY NO_ERROR resp[qr=1] rd ra ad cd)
[Q: ..  IN  DNSKEY]
[A: ..  47671   IN  DNSKEY  256 3 RSASHA256 AwEAAZBALoOFImwcJJg9Iu7Vy7ZyLjhtXfvO1c9k4vHjOpf9i7U1kKtrBvhnwsOni1sb50gkUayRtMDTUQqvljMMf4bpkyEtcE5evCzhHbFLq1coL5QOix3mfJm++FvIMaAt52nOvAdqR/luuI11bA1AmSCIJKAUx147DcfOHYKg3as+dznn3Iah4cWBMVzDe7PPsFS1AO6gU8EpmiRJ9VMNA09fOyDuq9+d6sw8UUnJRMAFAuPLhUFjUAOuWOw74BC9lOtMQpbLMz8pX0CDKdOXDHjyj61nxSSWxPdUjeoxI17lQTpSPRtqRHFn5Fgj2e+9BVwhhWGDQN8kUVSJHZtQiI0=]
[A: ..  47671   IN  DNSKEY  257 3 RSASHA256 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=]
[A: ..  47671   IN  RRSIG   DNSKEY RSASHA256 0 172800 20240701000000 20240610000000 20326 .. eMFu/6uu1WUYhDgMumLBzvIVpCIlm7RgN4bOWtddDAg001OtUzn89m12ox2FKAleQcPe1dhUAatL26w0qUeBB4ucXu8IB+azRu/EOwGZroZAubzp+vKAuUV48KqKdncw618tRJKtH+BDTHQQxdztd7GG8dtXnqE2V7NruCjf68dwOLiZTrPG3GVjyxiU0tb4JGyX6SXIViRSyGjH5OGMfx9wicHwLnBy29E7B4QwJ8PAhxe8TCMu+/2c5YzDV1k3XABj71L2Kh+zvukQ/lxB0eJHt0nc4rxcV8nyr7TOOIzpLyNlUhSDckK1XweyTIKzJrg8pI2gQXYiOnH0T3I8Cg==]
[X: EDNS: version: 0, flags: do; udp: 65494]
Jun 19, 2024 10:45:02 AM org.minidns.dnssec.DnssecClient verifySecureEntryPoint
FINE: There is no DS record for 'io', server gives empty result
Jun 19, 2024 10:45:02 AM org.minidns.dnssec.DnssecClient verifySecureEntryPoint
FINE: There is no DS record for 'io', server gives empty result
Jun 19, 2024 10:45:02 AM org.minidns.dnssec.DnssecClient verifySecureEntryPoint
FINE: There is no DS record for 'ksol.io', server gives empty result
Jun 19, 2024 10:45:02 AM org.minidns.dnssec.DnssecClient verifySecureEntryPoint
FINE: There is no DS record for 'io', server gives empty result
Jun 19, 2024 10:45:02 AM org.minidns.dnssec.DnssecClient verifySecureEntryPoint
FINE: There is no DS record for 'io', server gives empty result
res1: dnssec.DnssecQueryResult = org.minidns.dnssec.DnssecQueryResult@1fedf0a4

@ res1.is 
isAuthenticData
@ res1.isA 
isAuthenticData
@ res1.isAuthenticData 
res2: Boolean = true

@ res1.getU 
getUnverifiedReasons
@ res1.getUnverifiedReasons 
res3: java.util.Set[dnssec.DnssecUnverifiedReason] = []

M66B commented 3 months ago

@Flowdalic can we get a snapshot build on maven with this?

Flowdalic commented 3 months ago

> @Flowdalic can we get a snapshot build on maven with this?

published

M66B commented 3 months ago

@Flowdalic which maven repo was used for this? I don't see an artefact here:

https://mvnrepository.com/artifact/org.minidns/minidns-hla

Or in other words, what are the maven coordinates?

Flowdalic commented 3 months ago

> @Flowdalic which maven repo was used for this?

Maven Central's snapshot repository: https://oss.sonatype.org/content/repositories/snapshots/org/minidns/

M66B commented 3 months ago

@karolyi you can download a preview/snapshot version of FairEmail via this link:

https://bitbucket.org/M66B/fairemail-test/downloads/

I'm not sure how stable/finished the MiniDNS alpha version is, so I'm not sure if this will be included in regular builds of the app. Perhaps @Flowdalic can comment on this.

In any case, there are more than a few changes since 1.0.5: https://github.com/MiniDNS/minidns/compare/1.0.5...master

karolyi commented 3 months ago

@M66B it's kinda off-topic here, but I can confirm that the alpha works, and I can also turn on the "Enforce DNSSEC" checkbox.

Maybe it would be beneficial to test what happens upon a bad TLSA signature to test a negative, but I'm happy with the result as is.

karolyi commented 3 months ago

Also, I'm wondering why a better (more secure) hashing algorithm is optional, and a less secure one mandatory.

It only creates the possibility of exploiting security holes in lacking implementations, which simply ignore checking the SHA384 hashes and assume the domain's DS record is valid when a 'mandatory' record, such as the SHA256, is missing.

I've set up my domain with the intention of using the better hashing algo, just to realize it's optional.