search

PennockTech / smtpdane

SMTP DANE testing tool
MIT License
22 stars 1 forks source link

Fails with `not AD set for results from 141.14.16.1:53 for "mx3.molgen.mpg.de."/A query` #4

Closed paulmenzel closed 1 year ago

paulmenzel commented 1 year ago 
$ git log --oneline --no-decorate -1
1632cba CI: adjust for GHActions deprecations [tread-water]
$ go build
$ ./smtpdane mx3.molgen.mpg.de
error securely resolving "mx3.molgen.mpg.de"
    not AD set for results from 141.14.16.1:53 for "mx3.molgen.mpg.de."/AAAA query
    not AD set for results from 141.14.16.1:53 for "mx3.molgen.mpg.de."/A query
    no results found

./smtpdane: encountered 1 errors

$ more /etc/resolv.conf
search molgen.mpg.de
nameserver 127.0.0.1
nameserver 141.14.16.1
$ dig mx3.molgen.mpg.de

; <<>> DiG 9.9.6-P1 <<>> mx3.molgen.mpg.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47299
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;mx3.molgen.mpg.de.         IN      A

;; ANSWER SECTION:
mx3.molgen.mpg.de.  7129    IN      A       141.14.17.11

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jul 13 05:45:40 CEST 2023
;; MSG SIZE  rcvd: 62

$ unbound -V
Version 1.13.1

Configure line: --prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --libexecdir=/usr/libexec --sysconfdir=/etc --sharedstatedir=/var --localstatedir=/var --libdir=/usr/lib --includedir=/usr/include --datarootdir=/usr/share --datadir=/usr/share --infodir=/usr/share/info --localedir=/usr/share/locale --mandir=/usr/share/man --docdir=/usr/share/doc/unbound --exec-prefix=/usr --disable-static --enable-systemd --with-pidfile=/run/unbound.pid --with-rootkey-file=/var/lib/unbound/root.key
Linked libs: mini-event internal (it uses select), OpenSSL 1.1.1t  7 Feb 2023
Linked modules: dns64 respip validator iterator

BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues
philpennock commented 1 year ago

At the time that I checked, against an Unbound 1.15.0 resolver, it worked for me. See below. Your unbound check tells me that the localhost resolver is probably fine, but it's an error message about the second DNS resolver in your /etc/resolv.conf file.

If I use that IP, dig -t a @141.14.16.1 mx3.molgen.mpg.de tells me recursion not available (perhaps an ACL issue?), and also returns non-authoritative data (the AD bit is not set in the header). So, it looks as though smtpdane has done its job perfectly and complained about being unable to validate with DNSSEC; the reason it can't validate is because the configured local resolver isn't providing DNSSEC verifying service to you. There's an open todo item to implement a DNSSEC validator natively instead of relying upon system resolvers, but that would actually just mask a real problem here. SMTP DANE won't work for you in your setup while you're using a DNS resolver which breaks validation.

% smtpdane mx3.molgen.mpg.de
found 1 secure addresses for "mx3.molgen.mpg.de" at "mx3.molgen.mpg.de.": [141.14.17.11]
found 2 TLSA records for "_25._tcp.mx3.molgen.mpg.de."
  3 1 2 ...3c05180b94534145fecd30ac3a06166c6b9dac854e26bc8be37e83c0c3bbea4b8c2
  3 1 2 ...c2832ef72f5dc12b5fe3984bafe1b87406207edad34a4f3e11f49cd4a23db83374c
[mx3.molgen.mpg.de 141.14.17.11] issuing STARTTLS [port 25]
[mx3.molgen.mpg.de 141.14.17.11] TLSA DANE-EE(3) match: 3 1 2 ...e83c0c3bbea4b8c2
paulmenzel commented 1 year ago

Thank you for taking the time to look into it.

If I use that IP, dig -t a @141.14.16.1 mx3.molgen.mpg.de tells me recursion not available (perhaps an ACL issue?), and also returns non-authoritative data (the AD bit is not set in the header).

141.14.16.1 is not a public resolver. My colleague wrote:

141.14.16.1 doesn't do recursive resolution for external clients because DNS allows multiplication attacks. So you only get answers for local zones or cached names.

So, it looks as though smtpdane has done its job perfectly and complained about being unable to validate with DNSSEC; the reason it can't validate is because the configured local resolver isn't providing DNSSEC verifying service to you.

141.14.16.1 supports DNSSEC validation:

$ dig @141.14.16.1 dnssec-failed.org +short
$ dig @141.14.16.1 dnssec-failed.org +short +ad
$ dig @141.14.16.1 dnssec-failed.org +short +cd
96.99.227.255

Removing the second nameserver entry makes the error go away:

$ more /etc/resolv.conf
search molgen.mpg.de
nameserver 127.0.0.1
$ ./smtpdane mx3.molgen.mpg.de
found 1 secure addresses for "mx3.molgen.mpg.de" at "mx3.molgen.mpg.de.": [141.14.17.11]
found 2 TLSA records for "_25._tcp.mx3.molgen.mpg.de."
  3 1 2 ...c2832ef72f5dc12b5fe3984bafe1b87406207edad34a4f3e11f49cd4a23db83374c
  3 1 2 ...3c05180b94534145fecd30ac3a06166c6b9dac854e26bc8be37e83c0c3bbea4b8c2
[mx3.molgen.mpg.de 141.14.17.11] issuing STARTTLS [port 25]
[mx3.molgen.mpg.de 141.14.17.11] TLSA DANE-EE(3) match: 3 1 2 ...e83c0c3bbea4b8c2

The manual page resolv.conf(5) says for nameserver:

If there are multiple servers, the resolver library queries them in the order listed.

I am wondering, why the second nameserver entry is tried? Unbound is used as the system’s configured DNSSEC-validating recursive nameserver to perform all DNSSEC validation, and not 141.14.16.1.

philpennock commented 1 year ago

Because there's a different bug. :disappointed: Thank you. The report by smtpdane was indeed working-as-intended, but the fact that we queried that resolver at all was not. I have opened an issue #5 to track the loop bit and will get this fixed shortly.

Thank you!

paulmenzel commented 1 year ago

Thank you for being so responsive, and writing and maintaining smtpdane.

philpennock commented 1 year ago

You're welcome, and thanks for the kind words.

Running go install go.pennock.tech/smtpdane@latest should now install v0.4.4 which has the fix for the all-resolvers issue (#5). If it installs v0.4.3 then there's a stale module cache, and use @v0.4.4 to be explicit.

paulmenzel commented 1 year ago

Thank you for the quick fix. It works now:

$ git log --oneline --no-decorate -1
07643ae bump version back to -dev for next release
$ go build
$ $ ./smtpdane mx3.molgen.mpg.de
found 1 secure addresses for "mx3.molgen.mpg.de" at "mx3.molgen.mpg.de.": [141.14.17.11]
found 2 TLSA records for "_25._tcp.mx3.molgen.mpg.de."
  3 1 2 ...3c05180b94534145fecd30ac3a06166c6b9dac854e26bc8be37e83c0c3bbea4b8c2
  3 1 2 ...c2832ef72f5dc12b5fe3984bafe1b87406207edad34a4f3e11f49cd4a23db83374c
[mx3.molgen.mpg.de 141.14.17.11] issuing STARTTLS [port 25]
[mx3.molgen.mpg.de 141.14.17.11] TLSA DANE-EE(3) match: 3 1 2 ...e83c0c3bbea4b8c2