NLnetLabs / unbound

Unbound is a validating, recursive, and caching DNS resolver.
https://nlnetlabs.nl/unbound
BSD 3-Clause "New" or "Revised" License

ede: yes has no effect #1179

Open minfrin opened 1 week ago

minfrin commented 1 week ago

Describe the bug

When EDE is enabled, EDE responses are not sent for DNSSEC failures.

To reproduce

Steps to reproduce the behavior:

  1. Enable ede by adding "ede: yes".
  2. dig @::1 dnssec-failed.org +dnssec
  3. No EDE errors.

Expected behavior

EDE error as follows:

EDE: 9 (DNSKEY Missing): (no SEP matching the DS found for dnssec-failed.org.)

System:

[root@seawitch unbound]# unbound -V
Version 1.16.2

Configure line: --build=x86_64-redhat-linux-gnu --host=x86_64-redhat-linux-gnu --program-prefix= --disable-dependency-tracking --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/share/man --infodir=/usr/share/info --with-pythonmodule --with-pyunbound PYTHON=/usr/bin/python3 --enable-dnstap --with-libnghttp2 --with-libevent --with-pthreads --with-ssl --disable-rpath --disable-static --enable-relro-now --enable-pie --enable-subnet --enable-ipsecmod --with-conf-file=/etc/unbound/unbound.conf --with-pidfile=/run/unbound/unbound.pid --enable-sha2 --disable-gost --enable-ecdsa --with-rootkey-file=/var/lib/unbound/root.key --enable-linux-ip-local-port-range --disable-sha1
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 3.0.7 1 Nov 2022
Linked modules: dns64 python ipsecmod subnetcache respip validator iterator

BSD licensed, see LICENSE in source package for details. Report bugs to unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues

Additional information

Example of EDE working correctly against 1.1.1.1:

[root@seawitch unbound]# dig @2606:4700:4700::1111 dnssec-failed.org +dnssec

; <<>> DiG 9.16.23-RH <<>> @2606:4700:4700::1111 dnssec-failed.org +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51077
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; EDE: 9 (DNSKEY Missing): (no SEP matching the DS found for dnssec-failed.org.)
;; QUESTION SECTION:
;dnssec-failed.org.        IN  A

;; Query time: 676 msec
;; SERVER: 2606:4700:4700::1111#53(2606:4700:4700::1111)
;; WHEN: Fri Nov 08 16:53:30 SAST 2024
;; MSG SIZE  rcvd: 103

EDE not working in the same query, this time with unbound on localhost:

[root@seawitch unbound]# dig @::1 dnssec-failed.org +dnssec

; <<>> DiG 9.16.23-RH <<>> @::1 dnssec-failed.org +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15576
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;dnssec-failed.org.        IN  A

;; ANSWER SECTION:
dnssec-failed.org. 30  IN  A   96.99.227.255
dnssec-failed.org. 30  IN  RRSIG   A 5 2 300 20241121145122 20241104144622 44973 dnssec-failed.org. xdYo1mIsVxkRpE0A/HQY5Q6zFcfTUBlQlPVp+9ykPgMXvyei2SozOt9t qMw0cO6asCA2i8OBTVepXJP0KAECfaLG7aFMEVxXci5MaZgv1RZ51QZs xIbYfolLLgOnHbb//n/RoTHy8OSe8/GNHHnrfrUGB3Ho6dk2OLzU9TRi GUo=

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Fri Nov 08 17:03:01 SAST 2024
;; MSG SIZE  rcvd: 239
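The two dig runs above differ in more than the missing EDE line: the 1.1.1.1 answer is a SERVFAIL carrying an EDNS option, while the local Unbound answer is a NOERROR whose flags lack `ad`, so the resolver never validated the zone at all. The following is an added example, not code from the issue or from the Unbound project, that parses a wire-format DNS response, pulls out the EDE options (option code 15, RFC 8914) from the OPT record, and classifies the answer the way a monitoring check would. The two sample messages are constructed to mirror the report's output (same transaction ids and EDE text); the classification labels are this example's own naming.

```python
import struct

OPT_TYPE = 41            # EDNS(0) OPT pseudo-RR
EDE_OPTION_CODE = 15     # Extended DNS Error, RFC 8914
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}
# Subset of RFC 8914 info-codes; 6, 7 and 9 are the ones seen in this issue.
EDE_NAMES = {1: "Unsupported DNSKEY Algorithm", 2: "Unsupported DS Digest Type",
             6: "DNSSEC Bogus", 7: "Signature Expired", 9: "DNSKEY Missing"}
QNAME = "dnssec-failed.org"


def encode_name(name):
    """Uncompressed wire encoding of a domain name."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(txid, rcode, ad, answer_rdatas, edes):
    """Construct a response for QNAME/A with optional A answers and EDE options (constructed test data)."""
    flags = 0x8180 | (0x0020 if ad else 0) | (rcode & 0xF)   # QR, RD, RA, optional AD
    hdr = struct.pack("!HHHHHH", txid, flags, 1, len(answer_rdatas), 0, 1)
    msg = hdr + encode_name(QNAME) + struct.pack("!HH", 1, 1)   # question: A IN
    for rdata in answer_rdatas:
        msg += encode_name(QNAME) + struct.pack("!HHIH", 1, 1, 30, len(rdata)) + rdata
    opts = b""
    for info_code, text in edes:
        payload = struct.pack("!H", info_code) + text.encode("utf-8")
        opts += struct.pack("!HH", EDE_OPTION_CODE, len(payload)) + payload
    # OPT RR: root name, type 41, class = UDP size 1232, TTL field = DO bit set
    msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, 0x00008000, len(opts)) + opts
    return msg


def skip_name(msg, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Extract rcode, AD/DO flags, answer count and EDE options from a wire-format response."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    result = {"rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
              "ad": bool(flags & 0x0020), "do": False, "answers": an, "ede": []}
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype != OPT_TYPE:
            continue
        result["do"] = bool(ttl & 0x8000)     # DO bit lives in the OPT TTL field
        o = 0
        while o + 4 <= len(rdata):             # walk the EDNS option list
            code, olen = struct.unpack("!HH", rdata[o:o + 4])
            body = rdata[o + 4:o + 4 + olen]
            o += 4 + olen
            if code == EDE_OPTION_CODE and len(body) >= 2:
                info_code = struct.unpack("!H", body[:2])[0]
                result["ede"].append((info_code, body[2:].decode("utf-8", "replace")))
    return result


def classify(result):
    """What the response tells a client about validation (labels are this example's own)."""
    if result["rcode"] == "SERVFAIL":
        return "bogus-with-ede" if result["ede"] else "servfail-no-ede"
    if result["rcode"] == "NOERROR" and not result["ad"]:
        return "answered-insecure"   # resolver did not validate, so no EDE is expected
    return "answered-secure"


# Constructed samples modelled on the two dig runs in the report.
CLOUDFLARE_LIKE = build_response(51077, 2, False, [],
                                 [(9, "no SEP matching the DS found for dnssec-failed.org.")])
LOCAL_UNBOUND_LIKE = build_response(15576, 0, False, [bytes([96, 99, 227, 255])], [])

if __name__ == "__main__":
    for label, sample in (("1.1.1.1", CLOUDFLARE_LIKE), ("::1", LOCAL_UNBOUND_LIKE)):
        r = parse_response(sample)
        print(label, r["rcode"], "AD" if r["ad"] else "no-AD", classify(r),
              [(c, EDE_NAMES.get(c, "?"), t) for c, t in r["ede"]])
```

Run against a real resolver, `answered-insecure` for a name that is known to be bogus is the signal to check the validator configuration or build, since EDE only accompanies a validation failure; a resolver that never validated has nothing to report.
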

mtheofy commented 1 week ago

Did you enable DNSSEC correctly in your unbound setup? You get a NOERROR while you should be getting a SERVFAIL. I get a SERVFAIL and EDE: 6 (DNSSEC Bogus) when I run the same test.

root@ns1:~# dig @::1 dnssec-failed.org +dnssec

; <<>> DiG 9.20.3-1+0~20241110.108+debian12~1.gbpa0a2ff-Debian <<>> @::1 dnssec-failed.org +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38645
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1432
; COOKIE: 32ff924B473a46310100000067312161d17372f7c0d36983 (good)
; EDE: 6 (DNSSEC Bogus)
;; QUESTION SECTION:
;dnssec-failed.org.             IN      A

;; Query time: 948 msec
;; SERVER: ::1#53(::1) (UDP)
;; WHEN: Sun Nov 10 23:10:58 EET 2024
;; MSG SIZE  rcvd: 80

gthess commented 1 week ago

The configure line above reveals the culprit: --disable-sha1. Unbound was compiled with no SHA1 support. It then treats that zone (signed with algorithm 5 - RSASHA1) as just insecure.
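A build-time check a resolver operator can run before relying on EDE output, added here as an example (not Unbound's own code): it reads the configure line from `unbound -V` output and predicts whether a child zone whose DS RRset lists only SHA-1 based algorithms will be treated as insecure rather than validated, which is the behaviour RFC 4035 section 5.2 prescribes when none of the DS algorithms is supported. The sample `unbound -V` text is a shortened, constructed version of the one in the report; the assumption that `--disable-sha1` removes support for RRSIG algorithms 5 (RSASHA1) and 7 (RSASHA1-NSEC3-SHA1) is taken from the diagnosis above, which mentions algorithm 5 only.

```python
import re

# RRSIG/DNSKEY algorithm numbers (IANA registry) that are built on SHA-1.
SHA1_ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1"}

# Constructed sample of `unbound -V` output, shortened from the issue; only the configure line matters here.
SAMPLE_UNBOUND_V = """Version 1.16.2

Configure line: --prefix=/usr --with-ssl --enable-sha2 --disable-gost --enable-ecdsa --disable-sha1
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 3.0.7 1 Nov 2022
Linked modules: dns64 python ipsecmod subnetcache respip validator iterator
"""


def configure_flags(version_output):
    """Return the set of --flags found on the 'Configure line:' of `unbound -V` output."""
    for line in version_output.splitlines():
        if line.startswith("Configure line:"):
            return set(re.findall(r"--[\w-]+", line))
    return set()


def unsupported_algorithms(version_output):
    """Algorithm numbers this build cannot verify.
    Assumption (from the diagnosis in the issue): --disable-sha1 drops the SHA-1 based RRSIG algorithms."""
    if "--disable-sha1" in configure_flags(version_output):
        return set(SHA1_ALGORITHMS)
    return set()


def predicted_outcome(ds_algorithms, version_output):
    """Predict the validator's treatment of a child zone from the algorithm numbers in its DS RRset.
    RFC 4035 section 5.2: with no supported algorithm in the DS RRset the zone is treated as unsigned,
    so the client sees NOERROR without AD and no EDE instead of SERVFAIL plus EDE."""
    usable = set(ds_algorithms) - unsupported_algorithms(version_output)
    return "validation-performed" if usable else "insecure"


if __name__ == "__main__":
    # dnssec-failed.org's RRSIG in the report uses algorithm 5
    print("DS algorithms [5] on this build:", predicted_outcome([5], SAMPLE_UNBOUND_V))
    print("DS algorithms [5, 13] on this build:", predicted_outcome([5, 13], SAMPLE_UNBOUND_V))
```

The useful property is the second case: a zone that publishes both an RSASHA1 and an ECDSAP256SHA256 (13) DS still gets validated on such a build, so the "insecure" downgrade only bites zones signed exclusively with SHA-1 algorithms.
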

mtheofy commented 1 week ago

Good catch.

Testing another site operated by CZ.NIC gives me EDE 7.

root@ns1:~# dig +dnssec rhybar.cz a @::1

; <<>> DiG 9.20.3-1+0~20241110.108+debian12~1.gbpa0a2ff-Debian <<>> +dnssec rhybar.cz a @::1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51190
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
; EDE: 7 (Signature Expired)
;; QUESTION SECTION:
;rhybar.cz.                     IN      A

;; Query time: 468 msec
;; SERVER: ::1#53(::1) (UDP)
;; WHEN: Mon Nov 11 16:13:35 EET 2024
;; MSG SIZE  rcvd: 44