TechnitiumSoftware / DnsServer

Technitium DNS Server
https://technitium.com/dns/
GNU General Public License v3.0
4.25k stars, 418 forks

Error "DNSSEC validation failed due to missing RRSIG for owner name" #1002

Closed AndrewPaglusch closed 1 month ago

AndrewPaglusch commented 1 month ago

I'm running into issues when trying to resolve certain FQDNs. The issue seems sporadic, since one lookup may fail, and subsequent lookups eventually succeed. This has been happening for multiple different domains over the past few days and seems to be related to DNSSEC validation failures.

I'm running Technitium DNS Server version 12.2.1 in Docker on my local network. The DNS server is configured as a forwarder to 4x DNS-over-TLS resolvers (two Cloudflare and two Quad9). Please let me know if I can provide any more information in this issue to aid in troubleshooting.

My first lookup fails (which results in the below error). Running the lookup again a minute later succeeds. If I can capture the output of a dig without the +short flag, I'll post that in place of the below output. It's sometimes difficult for me to reproduce this issue, so it may be a while before I can update this with the full dig output.

$ dig +short dnssec-analyzer.verisignlabs.com
$ dig +short dnssec-analyzer.verisignlabs.com
dnssec-analyzer-verisignlabs.gslb.verisign.com.
209.131.161.48

Error logged:

[2024-08-15 15:50:53 UTC] DNS Server failed to resolve the request 'dnssec-analyzer.verisignlabs.com. A IN' using forwarders: cloudflare-dns.com:853 (1.1.1.1), dns.quad9.net:853 (9.9.9.9), cloudflare-dns.com:853 (1.0.0.1), dns.quad9.net:853 (149.112.112.112).
TechnitiumLibrary.Net.Dns.DnsClientResponseDnssecValidationException: DNSSEC validation failed due to missing RRSIG for owner name: dnssec-analyzer.verisignlabs.com/CNAME
   at TechnitiumLibrary.Net.Dns.DnsClient.DnssecValidateSignatureAsync(DnsDatagram response, IReadOnlyList`1 records, IReadOnlyList`1 dnsKeyRecords, IReadOnlyList`1 unsignedZones, DnssecValidateSignatureParameters parameters, Boolean isAuthoritySection, Boolean isAdditionalSection) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 3002
   at TechnitiumLibrary.Net.Dns.DnsClient.DnssecValidateSignatureAsync(DnsDatagram response, IReadOnlyList`1 dnsKeyRecords, IReadOnlyList`1 unsignedZones) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 2773
   at TechnitiumLibrary.Net.Dns.DnsClient.DnssecValidateResponseAsync(DnsDatagram response, IReadOnlyList`1 lastDSRecords, DnsClient dnsClient, IDnsCache cache, UInt16 udpPayloadSize, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 2609
   at TechnitiumLibrary.Net.Dns.DnsClient.InternalDnssecResolveAsync(DnsQuestionRecord question, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4754
   at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass91_0.<<InternalCachedResolveQueryAsync>b__0>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4840
--- End of stack trace from previous location ---
   at TechnitiumLibrary.Net.Dns.DnsClient.ResolveQueryAsync(DnsQuestionRecord question, Func`2 resolveAsync) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4159
   at TechnitiumLibrary.Net.Dns.DnsClient.InternalCachedResolveQueryAsync(DnsQuestionRecord question, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4822
   at DnsServerCore.Dns.DnsServer.RecursiveResolveAsync(DnsQuestionRecord question, NetworkAddress eDnsClientSubnet, Boolean advancedForwardingClientSubnet, IReadOnlyList`1 conditionalForwarders, Boolean dnssecValidation, Boolean cachePrefetchOperation, Boolean cacheRefreshOperation, Boolean skipDnsAppAuthoritativeRequestHandlers, TaskCompletionSource`1 taskCompletionSource) in Z:\Technitium\Projects\DnsServer\DnsServerCore\Dns\DnsServer.cs:line 3198

Here's the cached entry for this host:

[
  {
    "name": "dnssec-analyzer.verisignlabs.com",
    "type": "A",
    "ttl": "0 (0 sec)",
    "rData": {
      "dataType": "DnsSpecialCacheRecordData",
      "data": "BadCache: NoError; RRSIGsMissing: dnssec-analyzer.verisignlabs.com/CNAME"
    },
    "dnssecStatus": "Unknown",
    "responseMetadata": {
      "nameServer": "dns.quad9.net:853 (9.9.9.9)",
      "protocol": "Tls",
      "datagramSize": "615 bytes",
      "roundTripTime": "15.76 ms"
    },
    "lastUsedOn": "2024-08-15T15:50:53.9287361Z"
  },
  {
    "name": "dnssec-analyzer.verisignlabs.com",
    "type": "CNAME",
    "ttl": "3524 (58 mins 44 sec)",
    "rData": {
      "cname": "dnssec-analyzer-verisignlabs.gslb.verisign.com"
    },
    "dnssecStatus": "Secure",
    "dnssecRecords": [
      "dnssec-analyzer.verisignlabs.com.  3600      IN  RRSIG         5 8 3 3600 1726269605 1723677605 48906 verisignlabs.com. Sxiw1I1NnWaYYC/fcDaOUpS7clGMqMbY1HUOuq+qpY7gPhMrVbqt4PyCDmYGoOQ8UzYKjOPpp2FOt019V1EaFdIGoF9wmHjR2b5oYzwW3RImzTVQXli/xpDIayry+iMWEhaq0nH7pKvupAHCcNHtj0Gf0xZ1r5q2KoPvYa7JWtk="
    ],
    "responseMetadata": {
      "nameServer": "cloudflare-dns.com:853 (1.1.1.1)",
      "protocol": "Tls",
      "datagramSize": "936 bytes",
      "roundTripTime": "75.08 ms"
    },
    "lastUsedOn": "2024-08-15T15:51:50.7096545Z"
  }
]
ShreyasZare commented 1 month ago

Thanks for the post. This issue is related to issue #890. From tests and feedback, it's observed that Cloudflare and Quad9 in rare instances return a response with missing RRSIG records, which causes the DNSSEC validation to fail. These get cached as a failure response and then affect the resolution of the domain names that have a CNAME record. This is another issue with the cache, which picks the failure cache entry instead of the CNAME cache entry, that is being fixed in the upcoming update.
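To make the two mechanisms in the explanation above concrete, here is an added illustration in Python. It is not Technitium's code: it models the coverage check a validator performs (every RRset in a signed zone must have an RRSIG covering it, which is what the "missing RRSIG for owner name ... /CNAME" error reports) and a cache lookup that shows how a cached failure entry for the A query shadows a Secure CNAME entry for the same name. The record data, the `CacheEntry` layout and the "follow the Secure CNAME first" lookup order are constructed assumptions for the example; signature bytes are placeholders, and only the names and the address come from the issue.

```python
"""Constructed example: RRSIG coverage check and cache shadowing (not Technitium code)."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class RR:
    owner: str
    rtype: str
    rdata: str

@dataclass(frozen=True)
class RRSIG:
    owner: str
    type_covered: str
    signer: str          # zone whose DNSKEY signed the RRset

@dataclass(frozen=True)
class CacheEntry:
    rtype: str
    rdata: Optional[str]            # None marks a failure ("BadCache") entry
    dnssec_status: str              # "Secure" or "Unknown", as in the issue's dump
    failure_reason: Optional[str] = None

def _under(owner: str, zone: str) -> bool:
    owner, zone = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return owner == zone or owner.endswith("." + zone)

def missing_rrsigs(answer, rrsigs, unsigned_zones=()):
    """Return (owner, type) pairs in the answer that no RRSIG covers.

    RRsets under a zone already proven insecure are exempt; everything else
    in a response from a signed zone must carry a covering signature.
    """
    covered = {(s.owner.lower().rstrip("."), s.type_covered) for s in rrsigs}
    missing = []
    for rr in answer:
        key = (rr.owner.lower().rstrip("."), rr.rtype)
        if key in missing or any(_under(rr.owner, z) for z in unsigned_zones):
            continue
        if key not in covered:
            missing.append(key)
    return missing

def validation_error(answer, rrsigs):
    """Reproduce the wording of the error in the issue log, or None if clean."""
    missing = missing_rrsigs(answer, rrsigs)
    if not missing:
        return None
    owner, rtype = missing[0]
    return f"DNSSEC validation failed due to missing RRSIG for owner name: {owner}/{rtype}"

NAME = "dnssec-analyzer.verisignlabs.com"
TARGET = "dnssec-analyzer-verisignlabs.gslb.verisign.com"

# Constructed answer section for "NAME A": the CNAME plus the target's A record.
ANSWER = [RR(NAME, "CNAME", TARGET), RR(TARGET, "A", "209.131.161.48")]
# Constructed "bad" response: the upstream forgot the RRSIG over the CNAME.
BAD_RRSIGS = [RRSIG(TARGET, "A", "gslb.verisign.com")]
# Constructed "good" response: both RRsets signed.
GOOD_RRSIGS = BAD_RRSIGS + [RRSIG(NAME, "CNAME", "verisignlabs.com")]

def build_cache():
    """Cache state mirroring the dump in the issue: a failure entry for NAME/A
    and a Secure CNAME entry for NAME, plus a (constructed) A for the target."""
    return {
        NAME.lower(): [
            CacheEntry("A", None, "Unknown",
                       f"BadCache: NoError; RRSIGsMissing: {NAME}/CNAME"),
            CacheEntry("CNAME", TARGET, "Secure"),
        ],
        TARGET.lower(): [CacheEntry("A", "209.131.161.48", "Secure")],
    }

def lookup(cache, name, qtype, follow_cname_first):
    """Answer name/qtype from cache only.

    Returns ("ok", rdata, chain), ("fail", reason, chain) or ("miss", name, chain).
    follow_cname_first=False picks the exact (name, qtype) entry even when it is
    a failure; True follows a Secure CNAME entry before consulting it (assumed
    behaviour for illustration, not a description of the project's fix).
    """
    chain = []
    for _ in range(8):                       # CNAME-loop guard
        entries = cache.get(name.lower(), [])
        exact = [e for e in entries if e.rtype == qtype]
        cname = [e for e in entries if e.rtype == "CNAME" and e.dnssec_status == "Secure"]
        if qtype != "CNAME" and cname and (follow_cname_first or not exact):
            name = cname[0].rdata
            chain.append(name)
            continue
        if exact:
            e = exact[0]
            return ("fail", e.failure_reason, chain) if e.rdata is None else ("ok", e.rdata, chain)
        return ("miss", name, chain)
    return ("fail", "CNAME chain too long", chain)

if __name__ == "__main__":
    print(validation_error(ANSWER, BAD_RRSIGS))
    print(validation_error(ANSWER, GOOD_RRSIGS))
    print(lookup(build_cache(), NAME, "A", follow_cname_first=False))
    print(lookup(build_cache(), NAME, "A", follow_cname_first=True))
```

Run as a script, the first lookup returns the cached failure even though a Secure CNAME for the same name is sitting beside it, which is the symptom in the issue; the second follows the CNAME and answers from the target's cached A record. Note that a failure entry with TTL 0, as in the dump, would be re-fetched on the next query, which is why the reporter's second `dig` succeeded once a correctly signed response arrived.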

AndrewPaglusch commented 1 month ago

Thanks for the explanation @ShreyasZare. I searched for this issue before posting, but apparently not hard enough. Sorry for the duplicate. I'll keep an eye on that other issue from here on.