Quad9DNS / dnscrypt-settings

DNSCrypt Information for Quad9
Creative Commons Zero v1.0 Universal

dnscrypt-proxy Incompatible signature algorithm #8

Open AndLLA opened 3 months ago

AndLLA commented 3 months ago

Using dns-crypt-proxy with the new configuration results in an "Incompatible signature algorithm" error; maybe related to the new minisign key?

[2024-08-07 11:06:09] [NOTICE] dnscrypt-proxy 2.1.5
[2024-08-07 11:06:09] [NOTICE] Service is not usable yet
[2024-08-07 11:06:09] [NOTICE] Resolving server host [raw.githubusercontent.com] using bootstrap resolvers over udp
[2024-08-07 11:06:09] [NOTICE] Service is not usable yet
[2024-08-07 11:06:09] [NOTICE] Resolving server host [quad9.net] using bootstrap resolvers over udp
[2024-08-07 11:06:10] [CRITICAL] Unable to retrieve source [quad9-resolvers]: [Incompatible signature algorithm]
[2024-08-07 11:06:10] [FATAL] Incompatible signature algorithm

configuration:

[sources.quad9-resolvers]
  urls = ['https://quad9.net/dnscrypt/quad9-resolvers.md', 'https://raw.githubusercontent.com/Quad9DNS/dnscrypt-settings/main/dnscrypt/quad9-resolvers.md']
  minisign_key = 'RWTp2E4t64BrL651lEiDLNon+DqzPG4jhZ97pfdNkcq1VDdocLKvl5FW'
  cache_file = '/var/cache/dnscrypt-proxy/quad9-resolvers.md'
  refresh_delay = 72
  prefix = 'quad9-'

xbc5 commented 3 months ago

I can confirm this. Looks like this commit causes the issue. I am not sure what went wrong, perhaps a bad key; or older packages in Linux repos are not up to scratch.

I am using dnscrypt-proxy-2.1.5-1.fc39.x86_64 on Fedora, but the latest stable version reported on the homepage is 1.9.5.

Anyway, disabling the following source fixes the issue:

[sources.quad9-resolvers]
  urls = ['https://www.quad9.net/quad9-resolvers.md']
  minisign_key = 'RWTp2E4t64BrL651lEiDLNon+DqzPG4jhZ97pfdNkcq1VDdocLKvl5FW'
  cache_file = '/var/cache/dnscrypt-proxy/quad9-resolvers.md'
  prefix = 'quad9-'

The quad9 resolvers are available via the DNSCrypt public resolver list, which also have the quad9- prefix -- so if you have those public resolvers enabled, disabling this source will just use those, and everything should work.

farrokhi commented 3 months ago

Do you still have this problem after recent commits? 81de2fca0879ceced82f3c8829e47be9eaf6a99e and 5da49928f4a734e9d3a259b904e36b5260840c38

AndLLA commented 3 months ago

Hello, I just tried (after cleaning caches) and the problem is still there. The files received on my end contain the latest commits; for example, the minisig trusted comment:

trusted comment: timestamp:1723060100

Configuration:

[sources.quad9-resolvers]
  urls = ['https://quad9.net/dnscrypt/quad9-resolvers.md', 'https://raw.githubusercontent.com/Quad9DNS/dnscrypt-settings/main/dnscrypt/quad9-resolvers.md']
  minisign_key = 'RWTp2E4t64BrL651lEiDLNon+DqzPG4jhZ97pfdNkcq1VDdocLKvl5FW'
  cache_file = '/var/cache/dnscrypt-proxy/quad9-resolvers.md'
  refresh_delay = 72
  prefix = 'quad9-'

Log:

[2024-08-08 12:44:07] [NOTICE] dnscrypt-proxy 2.1.5
[2024-08-08 12:44:07] [NOTICE] Service is not usable yet
[2024-08-08 12:44:07] [NOTICE] Resolving server host [quad9.net] using bootstrap resolvers over udp
[2024-08-08 12:44:08] [NOTICE] Service is not usable yet
[2024-08-08 12:44:08] [NOTICE] Resolving server host [raw.githubusercontent.com] using bootstrap resolvers over udp
[2024-08-08 12:44:08] [CRITICAL] Unable to retrieve source [quad9-resolvers]: [Incompatible signature algorithm]
[2024-08-08 12:44:08] [FATAL] Incompatible signature algorithm

Thanks

farrokhi commented 3 months ago

Although you are using a recent version of dnscrypt-proxy, the reason seems to be that dnscrypt-proxy is not able to verify the minisign signature (see the code)

Apparently dnscrypt-proxy expects a signature in "Legacy" format, while according to this page it will be removed in future. I will sign everything using legacy format to address this issue.

farrokhi commented 3 months ago

/cc @jedisct1 Am I interpreting this correctly? Should I sign using the legacy (non-hashed) algo?

jedisct1 commented 3 months ago

The above error is likely to be unrelated, and due to a typo in minisign_key.

But yes, using the legacy format is still recommended to support older clients versions.
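As an added example (not code from dnscrypt-proxy, minisign or this thread), the Go program below decodes a minisign public key and the signature line of a .minisig file the way a client that only knows the legacy "Ed" tag would: a prehashed "ED" signature is refused with the error seen in the logs above before the key ID or signature bytes are even compared, while a legacy signature under a mismatched key ID or a modified file fails with a different message. The key pair, key ID and file contents are constructed for the demo; the BLAKE2b-512 prehash used by the newer format is not implemented here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// SignatureLine builds line 2 of a .minisig: 2-byte tag, 8-byte key ID, Ed25519 signature over the
// whole file (legacy). Passing tag "ED" only relabels it; a real prehashed signature covers BLAKE2b-512(file).
func SignatureLine(priv ed25519.PrivateKey, keyID [8]byte, tag [2]byte, file []byte) string {
	blob := append(append(tag[:], keyID[:]...), ed25519.Sign(priv, file)...)
	return base64.StdEncoding.EncodeToString(blob)
}

// VerifyLegacyClient mimics a dnscrypt-proxy build that understands only the legacy "Ed" tag. pubkeyB64 is
// the minisign_key value; sigLine is line 2 of the .minisig file (e.g. `sed -n 2p quad9-resolvers.md.minisig`).
func VerifyLegacyClient(pubkeyB64, sigLine string, file []byte) error {
	pk, err := base64.StdEncoding.DecodeString(pubkeyB64)
	if err != nil || len(pk) != 2+8+ed25519.PublicKeySize || string(pk[:2]) != "Ed" {
		return errors.New("malformed minisign_key")
	}
	blob, err := base64.StdEncoding.DecodeString(sigLine)
	if err != nil || len(blob) != 2+8+ed25519.SignatureSize {
		return errors.New("malformed signature block")
	}
	// "ED" (prehashed) is valid minisign, but a client without prehash support gives up here,
	// before the key ID or the signature bytes are ever examined.
	if blob[0] != 'E' || blob[1] != 'd' {
		return errors.New("Incompatible signature algorithm")
	}
	if string(blob[2:10]) != string(pk[2:10]) {
		return errors.New("signature key ID does not match minisign_key")
	}
	if !ed25519.Verify(ed25519.PublicKey(pk[10:]), file, blob[10:]) {
		return errors.New("signature verification failed")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed throwaway key pair, not Quad9's
	keyID, file := [8]byte{1, 2, 3, 4, 5, 6, 7, 8}, []byte("constructed resolver list\n")
	pubkeyB64 := base64.StdEncoding.EncodeToString(append(append([]byte("Ed"), keyID[:]...), pub...))
	for _, tag := range [][2]byte{{'E', 'd'}, {'E', 'D'}} {
		fmt.Printf("%s: %v\n", tag[:], VerifyLegacyClient(pubkeyB64, SignatureLine(priv, keyID, tag, file), file))
	}
}
```

Against a real source list, feed VerifyLegacyClient the minisign_key from the config, line 2 of the downloaded .minisig and the downloaded file; "Incompatible signature algorithm" then points at the signature format, and the key-ID message at a typo in minisign_key.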

farrokhi commented 3 months ago

@AndLLA I cannot reproduce this using the config snippet you provided. Have you inspected the content of /var/cache/dnscrypt-proxy/quad9-resolvers.md to ensure it is a fresh copy with new changes?

Following is the output from my local test:

$ dnscrypt-proxy  -config AndLLA-config.toml

[2024-08-08 15:46:14] [NOTICE] dnscrypt-proxy 2.1.5
[2024-08-08 15:46:14] [NOTICE] Network connectivity detected
[2024-08-08 15:46:14] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
[2024-08-08 15:46:14] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
[2024-08-08 15:46:14] [NOTICE] Service is not usable yet
[2024-08-08 15:46:14] [NOTICE] Resolving server host [www.quad9.net] using bootstrap resolvers over udp
[2024-08-08 15:46:16] [NOTICE] Source [quad9-resolvers] loaded
[2024-08-08 15:46:16] [NOTICE] Firefox workaround initialized
[2024-08-08 15:46:21] [NOTICE] [quad9-dnscrypt-ip4-nofilter-alt] OK (DNSCrypt) - rtt: 50ms
[2024-08-08 15:46:21] [NOTICE] [quad9-dnscrypt-ip4-nofilter-alt] OK (DNSCrypt) - rtt: 50ms - additional certificate
[2024-08-08 15:46:21] [NOTICE] [quad9-doh-ip4-port5053-nofilter-ecs-pri] OK (DoH) - rtt: 37ms
[2024-08-08 15:46:22] [NOTICE] [quad9-doh-ip4-port443-nofilter-pri] OK (DoH) - rtt: 40ms
[2024-08-08 15:46:22] [NOTICE] [quad9-doh-ip4-port5053-nofilter-alt] OK (DoH) - rtt: 42ms
[2024-08-08 15:46:22] [NOTICE] [quad9-doh-ip4-port5053-nofilter-ecs-alt] OK (DoH) - rtt: 43ms
[2024-08-08 15:46:22] [NOTICE] [quad9-doh-ip4-port443-nofilter-alt] OK (DoH) - rtt: 56ms
[2024-08-08 15:46:22] [NOTICE] [quad9-doh-ip4-port5053-nofilter-pri] OK (DoH) - rtt: 52ms
[2024-08-08 15:46:22] [NOTICE] [quad9-dnscrypt-ip4-nofilter-pri] OK (DNSCrypt) - rtt: 43ms
[2024-08-08 15:46:22] [NOTICE] [quad9-dnscrypt-ip4-nofilter-pri] OK (DNSCrypt) - rtt: 43ms - additional certificate
[2024-08-08 15:46:22] [NOTICE] [quad9-dnscrypt-ip4-nofilter-ecs-pri] OK (DNSCrypt) - rtt: 48ms
[2024-08-08 15:46:22] [NOTICE] [quad9-dnscrypt-ip4-nofilter-ecs-pri] OK (DNSCrypt) - rtt: 48ms - additional certificate
[2024-08-08 15:46:23] [NOTICE] [quad9-doh-ip4-port443-nofilter-ecs-alt] OK (DoH) - rtt: 137ms
[2024-08-08 15:46:23] [NOTICE] [quad9-doh-ip4-port443-nofilter-ecs-pri] OK (DoH) - rtt: 155ms
[2024-08-08 15:46:28] [NOTICE] [quad9-dnscrypt-ip4-nofilter-ecs-alt] OK (DNSCrypt) - rtt: 47ms
[2024-08-08 15:46:28] [NOTICE] [quad9-dnscrypt-ip4-nofilter-ecs-alt] OK (DNSCrypt) - rtt: 47ms - additional certificate
[2024-08-08 15:46:28] [NOTICE] Sorted latencies:
[2024-08-08 15:46:28] [NOTICE] -    37ms quad9-doh-ip4-port5053-nofilter-ecs-pri
[2024-08-08 15:46:28] [NOTICE] -    40ms quad9-doh-ip4-port443-nofilter-pri
[2024-08-08 15:46:28] [NOTICE] -    42ms quad9-doh-ip4-port5053-nofilter-alt
[2024-08-08 15:46:28] [NOTICE] -    43ms quad9-doh-ip4-port5053-nofilter-ecs-alt
[2024-08-08 15:46:28] [NOTICE] -    43ms quad9-dnscrypt-ip4-nofilter-pri
[2024-08-08 15:46:28] [NOTICE] -    47ms quad9-dnscrypt-ip4-nofilter-ecs-alt
[2024-08-08 15:46:28] [NOTICE] -    48ms quad9-dnscrypt-ip4-nofilter-ecs-pri
[2024-08-08 15:46:28] [NOTICE] -    50ms quad9-dnscrypt-ip4-nofilter-alt
[2024-08-08 15:46:28] [NOTICE] -    52ms quad9-doh-ip4-port5053-nofilter-pri
[2024-08-08 15:46:28] [NOTICE] -    56ms quad9-doh-ip4-port443-nofilter-alt
[2024-08-08 15:46:28] [NOTICE] -   137ms quad9-doh-ip4-port443-nofilter-ecs-alt
[2024-08-08 15:46:28] [NOTICE] -   155ms quad9-doh-ip4-port443-nofilter-ecs-pri
[2024-08-08 15:46:28] [NOTICE] Server with the lowest initial latency: quad9-doh-ip4-port5053-nofilter-ecs-pri (rtt: 37ms)
[2024-08-08 15:46:28] [NOTICE] dnscrypt-proxy is ready - live servers: 12
^C
[2024-08-08 15:46:30] [NOTICE] Stopped.

AndLLA commented 3 months ago

Hello, I just re-installed the rpm (I'm on fedora 40), re-checked the cache folder, cleaned it, but it still fails :( However, verifying the signature with minisign by hand works.

I'm running fedora 40 (dnf-updated), this is the dnf info of the package:

Installed Packages
Name         : dnscrypt-proxy
Version      : 2.1.5
Release      : 4.fc40
Architecture : x86_64
Size         : 11 M
Source       : dnscrypt-proxy-2.1.5-4.fc40.src.rpm
Repository   : @System
From repo    : fedora

I don't know if it can help; attached are the files I get on my end (they are the same as on GitHub):

github.quad9-resolvers.md.minisig.txt github.quad9-resolvers.md.txt quad9-resolvers.md.minisig.txt quad9-resolvers.md.txt

Thanks

AndLLA commented 3 months ago

Hello, update: everything seems to be working if:

However, the file provided with the rpm does not work: dnscrypt-proxy-2.1.5-4.fc40.aarch64.rpm

At this point I have no idea what fedora released: wow

xbc5 commented 3 months ago

Here's the build info (with build logs).

AndLLA commented 3 months ago

The version of Go on f40 I used to re-compile is 1.22.5, while the one in the build logs is 1.22.0. Is this a Go-related issue?

Maybe the maintainer knows ... @gotmax23

farrokhi commented 3 months ago

I reproduced this in Fedora 40. The fedora package version of dnscrypt-proxy 2.1.5 does not seem to like the new signing algorithm. Changing it to legacy signature format solved the problem. @AndLLA Before I merge the changes, would you please test by changing the urls in your dnscrypt-proxy from:

https://www.quad9.net/quad9-resolvers.md

to

https://raw.githubusercontent.com/Quad9DNS/dnscrypt-settings/legacy-sign/dnscrypt/quad9-resolvers.md

This is the same file, but the accompanying signature file is different (this commit)

jedisct1 commented 3 months ago

It's probably that Fedora packaged old versions of the dependencies.

AndLLA commented 3 months ago

Hello, I just tried the legacy-sign and it works with both the fedora packaged and the re-compiled dnscrypt-proxy.

Thanks !!!!

Config:

[sources.quad9-resolvers]
  urls = ['https://raw.githubusercontent.com/Quad9DNS/dnscrypt-settings/legacy-sign/dnscrypt/quad9-resolvers.md']
  minisign_key = 'RWTp2E4t64BrL651lEiDLNon+DqzPG4jhZ97pfdNkcq1VDdocLKvl5FW'
  cache_file = 'cache-quad9-resolvers-legacy.md'
  refresh_delay = 72
  prefix = 'quad9-'

Logs:

[2024-08-09 16:34:40] [NOTICE] dnscrypt-proxy 2.1.5
[2024-08-09 16:34:40] [NOTICE] Service is not usable yet
[2024-08-09 16:34:40] [NOTICE] Resolving server host [raw.githubusercontent.com] using bootstrap resolvers over udp
[2024-08-09 16:34:40] [NOTICE] Source [quad9-resolvers] loaded
[2024-08-09 16:34:40] [NOTICE] Loading the set of allowed names from [/etc/dnscrypt-proxy/allowed-names.txt]
[2024-08-09 16:34:40] [NOTICE] Firefox workaround initialized
[2024-08-09 16:34:40] [NOTICE] Loading the set of blocking rules from [/etc/dnscrypt-proxy/blocked-names.txt]
[2024-08-09 16:34:40] [NOTICE] Loading the set of IP blocking rules from [/etc/dnscrypt-proxy/blocked-ips.txt]
[2024-08-09 16:34:40] [NOTICE] Advertised cert: [CN=dns.quad9.net,O=Quad9,L=Zurich,ST=Zurich,C=CH] [e3e13daef1fd3012db80b3b002b5d2a7f24a7c8bb82b318694bdcaf061d1ba02]
[2024-08-09 16:34:40] [NOTICE] Advertised cert: [CN=DigiCert Global G3 TLS ECC SHA384 2020 CA1,O=DigiCert Inc,C=US] [b01920744bbb76c9ab053e01e07b7e050e473d20f79f7bea435fafe43c9d242f]
[2024-08-09 16:34:40] [NOTICE] [quad9-doh-ip4-port443-nofilter-alt] OK (DoH) - rtt: 25ms
[2024-08-09 16:34:40] [NOTICE] Advertised cert: [CN=dns.quad9.net,O=Quad9,L=Zurich,ST=Zurich,C=CH] [e3e13daef1fd3012db80b3b002b5d2a7f24a7c8bb82b318694bdcaf061d1ba02]
[2024-08-09 16:34:40] [NOTICE] Advertised cert: [CN=DigiCert Global G3 TLS ECC SHA384 2020 CA1,O=DigiCert Inc,C=US] [b01920744bbb76c9ab053e01e07b7e050e473d20f79f7bea435fafe43c9d242f]
[2024-08-09 16:34:40] [NOTICE] [quad9-doh-ip4-port443-nofilter-pri] OK (DoH) - rtt: 24ms
[2024-08-09 16:34:40] [NOTICE] Advertised cert: [CN=dns.quad9.net,O=Quad9,L=Zurich,ST=Zurich,C=CH] [e3e13daef1fd3012db80b3b002b5d2a7f24a7c8bb82b318694bdcaf061d1ba02]
[2024-08-09 16:34:40] [NOTICE] Advertised cert: [CN=DigiCert Global G3 TLS ECC SHA384 2020 CA1,O=DigiCert Inc,C=US] [b01920744bbb76c9ab053e01e07b7e050e473d20f79f7bea435fafe43c9d242f]
[2024-08-09 16:34:40] [NOTICE] [quad9-doh-ip4-port443-nofilter-ecs-alt] OK (DoH) - rtt: 24ms
[2024-08-09 16:34:41] [NOTICE] Advertised cert: [CN=dns.quad9.net,O=Quad9,L=Zurich,ST=Zurich,C=CH] [e3e13daef1fd3012db80b3b002b5d2a7f24a7c8bb82b318694bdcaf061d1ba02]
[2024-08-09 16:34:41] [NOTICE] Advertised cert: [CN=DigiCert Global G3 TLS ECC SHA384 2020 CA1,O=DigiCert Inc,C=US] [b01920744bbb76c9ab053e01e07b7e050e473d20f79f7bea435fafe43c9d242f]
[2024-08-09 16:34:41] [NOTICE] [quad9-doh-ip4-port5053-nofilter-ecs-alt] OK (DoH) - rtt: 28ms
[2024-08-09 16:34:41] [NOTICE] [quad9-dnscrypt-ip4-nofilter-alt] TIMEOUT
[2024-08-09 16:34:41] [NOTICE] Advertised cert: [CN=dns.quad9.net,O=Quad9,L=Zurich,ST=Zurich,C=CH] [e3e13daef1fd3012db80b3b002b5d2a7f24a7c8bb82b318694bdcaf061d1ba02]
[2024-08-09 16:34:41] [NOTICE] Advertised cert: [CN=DigiCert Global G3 TLS ECC SHA384 2020 CA1,O=DigiCert Inc,C=US] [b01920744bbb76c9ab053e01e07b7e050e473d20f79f7bea435fafe43c9d242f]
[2024-08-09 16:34:41] [NOTICE] [quad9-doh-ip4-port443-nofilter-ecs-pri] OK (DoH) - rtt: 24ms
[2024-08-09 16:34:42] [NOTICE] [quad9-dnscrypt-ip4-nofilter-ecs-alt] TIMEOUT
[2024-08-09 16:34:42] [NOTICE] Advertised cert: [CN=dns.quad9.net,O=Quad9,L=Zurich,ST=Zurich,C=CH] [e3e13daef1fd3012db80b3b002b5d2a7f24a7c8bb82b318694bdcaf061d1ba02]
[2024-08-09 16:34:42] [NOTICE] Advertised cert: [CN=DigiCert Global G3 TLS ECC SHA384 2020 CA1,O=DigiCert Inc,C=US] [b01920744bbb76c9ab053e01e07b7e050e473d20f79f7bea435fafe43c9d242f]
[2024-08-09 16:34:42] [NOTICE] [quad9-doh-ip4-port5053-nofilter-pri] OK (DoH) - rtt: 25ms
[2024-08-09 16:34:42] [NOTICE] Advertised cert: [CN=dns.quad9.net,O=Quad9,L=Zurich,ST=Zurich,C=CH] [e3e13daef1fd3012db80b3b002b5d2a7f24a7c8bb82b318694bdcaf061d1ba02]
[2024-08-09 16:34:42] [NOTICE] Advertised cert: [CN=DigiCert Global G3 TLS ECC SHA384 2020 CA1,O=DigiCert Inc,C=US] [b01920744bbb76c9ab053e01e07b7e050e473d20f79f7bea435fafe43c9d242f]
[2024-08-09 16:34:42] [NOTICE] [quad9-doh-ip4-port5053-nofilter-alt] OK (DoH) - rtt: 25ms
[2024-08-09 16:34:42] [NOTICE] Advertised cert: [CN=dns.quad9.net,O=Quad9,L=Zurich,ST=Zurich,C=CH] [e3e13daef1fd3012db80b3b002b5d2a7f24a7c8bb82b318694bdcaf061d1ba02]
[2024-08-09 16:34:42] [NOTICE] Advertised cert: [CN=DigiCert Global G3 TLS ECC SHA384 2020 CA1,O=DigiCert Inc,C=US] [b01920744bbb76c9ab053e01e07b7e050e473d20f79f7bea435fafe43c9d242f]
[2024-08-09 16:34:42] [NOTICE] [quad9-doh-ip4-port5053-nofilter-ecs-pri] OK (DoH) - rtt: 25ms
[2024-08-09 16:34:43] [NOTICE] [quad9-dnscrypt-ip4-nofilter-pri] TIMEOUT
[2024-08-09 16:34:43] [NOTICE] [quad9-dnscrypt-ip4-nofilter-ecs-pri] TIMEOUT
[2024-08-09 16:34:43] [NOTICE] Sorted latencies:
[2024-08-09 16:34:43] [NOTICE] -    24ms quad9-doh-ip4-port443-nofilter-pri
[2024-08-09 16:34:43] [NOTICE] -    24ms quad9-doh-ip4-port443-nofilter-ecs-alt
[2024-08-09 16:34:43] [NOTICE] -    24ms quad9-doh-ip4-port443-nofilter-ecs-pri
[2024-08-09 16:34:43] [NOTICE] -    25ms quad9-doh-ip4-port443-nofilter-alt
[2024-08-09 16:34:43] [NOTICE] -    25ms quad9-doh-ip4-port5053-nofilter-pri
[2024-08-09 16:34:43] [NOTICE] -    25ms quad9-doh-ip4-port5053-nofilter-alt
[2024-08-09 16:34:43] [NOTICE] -    25ms quad9-doh-ip4-port5053-nofilter-ecs-pri
[2024-08-09 16:34:43] [NOTICE] -    28ms quad9-doh-ip4-port5053-nofilter-ecs-alt
[2024-08-09 16:34:43] [NOTICE] Server with the lowest initial latency: quad9-doh-ip4-port443-nofilter-pri (rtt: 24ms)

minisign:

$ minisign -Vm cache-quad9-resolvers-legacy.md -P RWTp2E4t64BrL651lEiDLNon+DqzPG4jhZ97pfdNkcq1VDdocLKvl5FW
Signature and comment signature verified
Trusted comment: timestamp:1723206106 file:quad9-resolvers.md

farrokhi commented 3 months ago

Excellent. Thank you for your feedback. I merged the changes to the main branch and will update the files on the website. You can now revert your configuration.

xbc5 commented 3 months ago

Just a curiosity I have, is there any real advantage to using the quad9 source directly?

I'd imagine immediate response to changes, and additional security (i.e. original source)?

jedisct1 commented 3 months ago

@xbc5 Not really. The public-resolvers.md file is updated by a script that regularly pulls data from the upstream Quad9 lists.

AndLLA commented 3 months ago

Hello, @jedisct1: which upstream Quad9 lists should I use?

The main reason I began to use the quad9 source directly is that the one provided by DNSCrypt is not always reliable. For example, if you use public-resolvers.md you get (for quad9-filter):

[2024-08-10 16:37:10] [CRITICAL] [quad9-doh-ip4-port5053-filter-pri] Certificate hash [2a15f5d6acb6e7c0901ade4ebbc743b2ccd489032b46e1642f0693683001258a] not found

Thanks

xbc5 commented 3 months ago

@AndLLA You mean from here? You only really have one choice and that depends upon your needs: e.g. the DoH and DoT are for those specific compatibility modes.

I'd recommend: https://quad9.net/dnscrypt/quad9-resolvers-dnscrypt.md