Errors in log: DnsClientResponseDnssecValidationException

[mocollin]

Hello,

I'm running Dns Server 11.1.1 on Ubuntu Server 22.04.2 LTS in a VM on my Synology. Overall everything is working great and I really like the software.

I'm having an issue with the following errors coming up simi-regularly in my DNS logs. I'm using NextDNS as my forwared resolver. It seems related to DNSSEC not completing because a domain isn't resolved by NextDNS enforcing its own block lists. Which probably occurs regularly. But perhaps should be handled more gracefully in the logs?

Error 1:

[2023-05-21 13:26:10 Local] DNS Server failed to resolve the request 'share.tillys.com. HTTPS IN' using forwarders: https://dns.nextdns.io/xxxxxx/xxxxx (104.238.181.28).
TechnitiumLibrary.Net.Dns.DnsClientResponseDnssecValidationException: DNSSEC validation failed due to missing DS records for owner name: extole.io
   at TechnitiumLibrary.Net.Dns.DnsClient.GetDSForAsync(String ownerName, DnsClass class, IReadOnlyList`1 currentDnsKeyRecords, DnsClient dnsClient, IDnsCache cache, UInt16 udpPayloadSize, DnsDatagram originalResponse, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 3020
   at TechnitiumLibrary.Net.Dns.DnsClient.FindDnsKeyForAsync(String ownerName, DnsClass class, IReadOnlyList`1 currentDnsKeyRecords, DnsClient dnsClient, IDnsCache cache, UInt16 udpPayloadSize, DnsDatagram originalResponse, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 2839
   at TechnitiumLibrary.Net.Dns.DnsClient.DnssecValidateResponseAsync(DnsDatagram response, IReadOnlyList`1 lastDSRecords, DnsClient dnsClient, IDnsCache cache, UInt16 udpPayloadSize, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 2548
   at TechnitiumLibrary.Net.Dns.DnsClient.InternalDnssecResolveAsync(DnsQuestionRecord question, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4387
   at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass76_0.<<InternalCachedResolveQueryAsync>b__0>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4501
--- End of stack trace from previous location ---
   at TechnitiumLibrary.Net.Dns.DnsClient.ResolveQueryAsync(DnsQuestionRecord question, Func`2 resolveAsync) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 3915
   at TechnitiumLibrary.Net.Dns.DnsClient.InternalCachedResolveQueryAsync(DnsQuestionRecord question, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4502
   at DnsServerCore.Dns.DnsServer.RecursiveResolveAsync(DnsQuestionRecord question, NetworkAddress eDnsClientSubnet, Boolean conditionalForwardingClientSubnet, IReadOnlyList`1 conditionalForwarders, Boolean dnssecValidation, Boolean cachePrefetchOperation, Boolean cacheRefreshOperation, Boolean skipDnsAppAuthoritativeRequestHandlers, TaskCompletionSource`1 taskCompletionSource) in Z:\Technitium\Projects\DnsServer\DnsServerCore\Dns\DnsServer.cs:line 2915

And Error 2:

TechnitiumLibrary.Net.Dns.DnsClientResponseDnssecValidationException: Failed to resolve the request 'extole.io. DS IN'. Received a response with RCODE: ServerFailure
   at TechnitiumLibrary.Net.Dns.DnsClient.GetDSForAsync(String ownerName, DnsClass class, IReadOnlyList`1 currentDnsKeyRecords, DnsClient dnsClient, IDnsCache cache, UInt16 udpPayloadSize, DnsDatagram originalResponse, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 3020
   at TechnitiumLibrary.Net.Dns.DnsClient.FindDnsKeyForAsync(String ownerName, DnsClass class, IReadOnlyList`1 currentDnsKeyRecords, DnsClient dnsClient, IDnsCache cache, UInt16 udpPayloadSize, DnsDatagram originalResponse, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 2839
   at TechnitiumLibrary.Net.Dns.DnsClient.DnssecValidateResponseAsync(DnsDatagram response, IReadOnlyList`1 lastDSRecords, DnsClient dnsClient, IDnsCache cache, UInt16 udpPayloadSize, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 2548
   at TechnitiumLibrary.Net.Dns.DnsClient.InternalDnssecResolveAsync(DnsQuestionRecord question, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4387
   at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass76_0.<<InternalCachedResolveQueryAsync>b__0>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4501
--- End of stack trace from previous location ---
   at TechnitiumLibrary.Net.Dns.DnsClient.ResolveQueryAsync(DnsQuestionRecord question, Func`2 resolveAsync) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 3915
   at TechnitiumLibrary.Net.Dns.DnsClient.InternalCachedResolveQueryAsync(DnsQuestionRecord question, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4502
   at DnsServerCore.Dns.DnsServer.RecursiveResolveAsync(DnsQuestionRecord question, NetworkAddress eDnsClientSubnet, Boolean conditionalForwardingClientSubnet, IReadOnlyList`1 conditionalForwarders, Boolean dnssecValidation, Boolean cachePrefetchOperation, Boolean cacheRefreshOperation, Boolean skipDnsAppAuthoritativeRequestHandlers, TaskCompletionSource`1 taskCompletionSource) in Z:\Technitium\Projects\DnsServer\DnsServerCore\Dns\DnsServer.cs:line 2915

[ShreyasZare]

Thanks for the post. It seems to be an issue with NextDNS where its failing to return DS records. However, it works well for other signed domain names. It could be that they are blocking that specific domain name and thus blocking its DS record too thus causing the DNSSEC validation error being logged.

In this case, you can just ignore the error since the domain could be blocked anyways and thus fail to resolve. The other option that is not recommended is to disable DNSSEC validation and fully trust the upstream DNS provider which will stop these errors from being logged.