TechnitiumSoftware / DnsServer

Technitium DNS Server
https://technitium.com/dns/
GNU General Public License v3.0

Weird RRSIGs Missing error #737

Closed fmiqbal closed 9 months ago

fmiqbal commented 9 months ago

Out of the blue I can't resolve the docker.io domain.

This is the log:

[2023-09-18 02:32:17 UTC] DNS Server failed to resolve the request 'registry-1.docker.io. A IN' using forwarders: 192.168.54.14.
TechnitiumLibrary.Net.Dns.DnsClientResponseDnssecValidationException: Failed to resolve the request 'io. DS IN'. Received a response with RCODE: ServerFailure
   at TechnitiumLibrary.Net.Dns.DnsClient.GetDSForAsync(String ownerName, DnsClass class, IReadOnlyList`1 currentDnsKeyRecords, DnsClient dnsClient, IDnsCache cache, UInt16 udpPayloadSize, DnsDatagram originalResponse, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 3062
   at TechnitiumLibrary.Net.Dns.DnsClient.FindDnsKeyForAsync(String ownerName, DnsClass class, IReadOnlyList`1 currentDnsKeyRecords, DnsClient dnsClient, IDnsCache cache, UInt16 udpPayloadSize, DnsDatagram originalResponse, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 2881
   at TechnitiumLibrary.Net.Dns.DnsClient.DnssecValidateResponseAsync(DnsDatagram response, IReadOnlyList`1 lastDSRecords, DnsClient dnsClient, IDnsCache cache, UInt16 udpPayloadSize, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 2587
   at TechnitiumLibrary.Net.Dns.DnsClient.InternalDnssecResolveAsync(DnsQuestionRecord question, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4438
   at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass76_0.<<InternalCachedResolveQueryAsync>b__0>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4588
--- End of stack trace from previous location ---
   at TechnitiumLibrary.Net.Dns.DnsClient.ResolveQueryAsync(DnsQuestionRecord question, Func`2 resolveAsync) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 3960
   at TechnitiumLibrary.Net.Dns.DnsClient.InternalCachedResolveQueryAsync(DnsQuestionRecord question, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4589
   at DnsServerCore.Dns.DnsServer.RecursiveResolveAsync(DnsQuestionRecord question, NetworkAddress eDnsClientSubnet, Boolean conditionalForwardingClientSubnet, IReadOnlyList`1 conditionalForwarders, Boolean dnssecValidation, Boolean cachePrefetchOperation, Boolean cacheRefreshOperation, Boolean skipDnsAppAuthoritativeRequestHandlers, TaskCompletionSource`1 taskCompletionSource) in Z:\Technitium\Projects\DnsServer\DnsServerCore\Dns\DnsServer.cs:line 2965

This is the resolve result:

{
  "Metadata": {
    "NameServer": "dns-server (127.0.0.1)",
    "Protocol": "Udp",
    "DatagramSize": "55 bytes",
    "RoundTripTime": "21.3 ms"
  },
  "EDNS": {
    "UdpPayloadSize": 1232,
    "ExtendedRCODE": "ServerFailure",
    "Version": 0,
    "Flags": "None",
    "Options": [
      {
        "Code": "EXTENDED_DNS_ERROR",
        "Length": "7 bytes",
        "Data": {
          "InfoCode": "RRSIGsMissing",
          "ExtraText": "io/DS"
        }
      },
      {
        "Code": "EXTENDED_DNS_ERROR",
        "Length": "2 bytes",
        "Data": {
          "InfoCode": "CachedError",
          "ExtraText": null
        }
      }
    ]
  },
  "DnsClientExtendedErrors": [
    {
      "InfoCode": "NetworkError",
      "ExtraText": "dns-server (127.0.0.1) returned RCODE=ServerFailure for docker.io. A IN"
    }
  ],
  "Identifier": 236,
  "IsResponse": true,
  "OPCODE": "StandardQuery",
  "AuthoritativeAnswer": false,
  "Truncation": false,
  "RecursionDesired": true,
  "RecursionAvailable": true,
  "Z": 0,
  "AuthenticData": false,
  "CheckingDisabled": true,
  "RCODE": "ServerFailure",
  "QDCOUNT": 1,
  "ANCOUNT": 0,
  "NSCOUNT": 0,
  "ARCOUNT": 1,
  "Question": [
    {
      "Name": "docker.io",
      "Type": "A",
      "Class": "IN"
    }
  ],
  "Answer": [],
  "Authority": [],
  "Additional": [
    {
      "Name": "",
      "Type": "OPT",
      "Class": "1232",
      "TTL": "0 (0 sec)",
      "RDLENGTH": "17 bytes",
      "RDATA": {
        "Options": [
          {
            "Code": "EXTENDED_DNS_ERROR",
            "Length": "7 bytes",
            "Data": {
              "InfoCode": "RRSIGsMissing",
              "ExtraText": "io/DS"
            }
          },
          {
            "Code": "EXTENDED_DNS_ERROR",
            "Length": "2 bytes",
            "Data": {
              "InfoCode": "CachedError",
              "ExtraText": null
            }
          }
        ]
      },
      "DnssecStatus": "Disabled"
    }
  ]
}

I didn't quite understand this part of DNS knowledge, but after a little bit of digging I think the issue is with the .io domain?

I basically run Technitium DNS Server inside a Docker container and have a default forwarder to 192.168.54.14 (our network-wide DNS server). All other domains are good (I think), except everything under the .io domain, so here is the result of resolving the .io domain with my server:

{
  "Metadata": {
    "NameServer": "dns-server (127.0.0.1)",
    "Protocol": "Udp",
    "DatagramSize": "48 bytes",
    "RoundTripTime": "0.58 ms"
  },
  "EDNS": {
    "UdpPayloadSize": 1232,
    "ExtendedRCODE": "ServerFailure",
    "Version": 0,
    "Flags": "None",
    "Options": [
      {
        "Code": "EXTENDED_DNS_ERROR",
        "Length": "7 bytes",
        "Data": {
          "InfoCode": "RRSIGsMissing",
          "ExtraText": "io/DS"
        }
      },
      {
        "Code": "EXTENDED_DNS_ERROR",
        "Length": "2 bytes",
        "Data": {
          "InfoCode": "CachedError",
          "ExtraText": null
        }
      }
    ]
  },
  "DnsClientExtendedErrors": [
    {
      "InfoCode": "NetworkError",
      "ExtraText": "dns-server (127.0.0.1) returned RCODE=ServerFailure for io. A IN"
    }
  ],
  "Identifier": 54925,
  "IsResponse": true,
  "OPCODE": "StandardQuery",
  "AuthoritativeAnswer": false,
  "Truncation": false,
  "RecursionDesired": true,
  "RecursionAvailable": true,
  "Z": 0,
  "AuthenticData": false,
  "CheckingDisabled": false,
  "RCODE": "ServerFailure",
  "QDCOUNT": 1,
  "ANCOUNT": 0,
  "NSCOUNT": 0,
  "ARCOUNT": 1,
  "Question": [
    {
      "Name": "io",
      "Type": "A",
      "Class": "IN"
    }
  ],
  "Answer": [],
  "Authority": [],
  "Additional": [
    {
      "Name": "",
      "Type": "OPT",
      "Class": "1232",
      "TTL": "0 (0 sec)",
      "RDLENGTH": "17 bytes",
      "RDATA": {
        "Options": [
          {
            "Code": "EXTENDED_DNS_ERROR",
            "Length": "7 bytes",
            "Data": {
              "InfoCode": "RRSIGsMissing",
              "ExtraText": "io/DS"
            }
          },
          {
            "Code": "EXTENDED_DNS_ERROR",
            "Length": "2 bytes",
            "Data": {
              "InfoCode": "CachedError",
              "ExtraText": null
            }
          }
        ]
      },
      "DnssecStatus": "Disabled"
    }
  ]
}

Even though, if I resolve using the forwarder (192.168.54.14), it's good:

{
  "Metadata": {
    "NameServer": "a2.nic.io (65.22.163.17)",
    "Protocol": "Udp",
    "DatagramSize": "97 bytes",
    "RoundTripTime": "82.84 ms"
  },
  "EDNS": {
    "UdpPayloadSize": 1232,
    "ExtendedRCODE": "NoError",
    "Version": 0,
    "Flags": "None",
    "Options": []
  },
  "Identifier": 0,
  "IsResponse": true,
  "OPCODE": "StandardQuery",
  "AuthoritativeAnswer": true,
  "Truncation": false,
  "RecursionDesired": false,
  "RecursionAvailable": false,
  "Z": 0,
  "AuthenticData": false,
  "CheckingDisabled": false,
  "RCODE": "NoError",
  "QDCOUNT": 1,
  "ANCOUNT": 0,
  "NSCOUNT": 1,
  "ARCOUNT": 1,
  "Question": [
    {
      "Name": "io",
      "Type": "A",
      "Class": "IN"
    }
  ],
  "Answer": [],
  "Authority": [
    {
      "Name": "io",
      "Type": "SOA",
      "Class": "IN",
      "TTL": "3600 (1 hour)",
      "RDLENGTH": "54 bytes",
      "RDATA": {
        "PrimaryNameServer": "a0.nic.io",
        "ResponsiblePerson": "hostmaster@donuts.email",
        "Serial": 1695003876,
        "Refresh": 7200,
        "Retry": 900,
        "Expire": 1209600,
        "Minimum": 3600
      },
      "DnssecStatus": "Disabled"
    }
  ],
  "Additional": [
    {
      "Name": "",
      "Type": "OPT",
      "Class": "1232",
      "TTL": "0 (0 sec)",
      "RDLENGTH": "0 bytes",
      "RDATA": {
        "Options": []
      },
      "DnssecStatus": "Disabled"
    }
  ]
}

For now I use a conditionally forwarded zone to set up all .io domains to forward to the resolver.


ShreyasZare commented 9 months ago

Thanks for the post. The issue is due to the DNS server failing to validate DNSSEC, since the upstream DNS server (192.168.54.14, your network-wide DNS server) is not returning RRSIG records. You need to check with the upstream DNS server as to why it's blocking DNSSEC-related records.

It worked when you used the DNS Client directly with the upstream DNS server since you did not enable the DNSSEC Validation checkbox while testing. Try again with DNSSEC validation and you should see the same error.

The conditional forwarder zone you have with DNSSEC validation disabled will make it work, but it's just disabling security. That is, the DNS server is correctly detecting that your upstream is tampering with the DNSSEC response, and in return you disabled DNSSEC.
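
The two EDE options shown in the JSON above travel inside the OPT record's RDATA: the 17-byte RDLENGTH is 4 + 7 for "RRSIGs Missing" with EXTRA-TEXT "io/DS" and 4 + 2 for "Cached Error" with no text. The following is an added example, not code from the DnsServer project or from either commenter. It builds a constructed SERVFAIL message with the same ID, question, flags and options as the first resolve result in the report, decodes the OPT record and its Extended DNS Error options (RFC 8914), and maps the codes to the reading given in the reply: the validator asked for the signed DS for `io.` and got no RRSIGs back from the forwarder, so the fix belongs at the upstream, not in disabling validation. Wire layout follows RFC 1035, RFC 6891 and RFC 8914; the `diagnose` wording and all field names in the returned dict are this example's own.

```python
# Added example (stdlib only), not DnsServer project code: build a constructed SERVFAIL and decode its OPT/EDE.
import struct

EDE_OPTION_CODE = 15                        # EDNS option code for Extended DNS Error (RFC 8914)
EDE_INFO_CODES = {                          # IANA Extended DNS Error Codes registry
    0: "Other", 1: "Unsupported DNSKEY Algorithm", 2: "Unsupported DS Digest Type",
    3: "Stale Answer", 4: "Forged Answer", 5: "DNSSEC Indeterminate", 6: "DNSSEC Bogus",
    7: "Signature Expired", 8: "Signature Not Yet Valid", 9: "DNSKEY Missing", 10: "RRSIGs Missing",
    11: "No Zone Key Bit Set", 12: "NSEC Missing", 13: "Cached Error", 14: "Not Ready", 15: "Blocked",
    16: "Censored", 17: "Filtered", 18: "Prohibited", 19: "Stale NXDOMAIN Answer", 20: "Not Authoritative",
    21: "Not Supported", 22: "No Reachable Authority", 23: "Network Error", 24: "Invalid Data",
}
RCODES = {0: "NoError", 1: "FormatError", 2: "ServerFailure", 3: "NxDomain", 5: "Refused"}
TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD, FLAG_CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010

def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels plus the root label."""
    labels = [lbl for lbl in name.strip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"

def read_name(msg, off):
    """Read a (possibly compressed) name; return (name, offset just past it in the message)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                            # compression pointer (RFC 1035 4.1.4)
            end = off + 2 if end is None else end            # caller resumes after the first pointer
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)

def ede_option(info_code, extra_text=""):
    """One EDE option: OPTION-CODE 15, OPTION-LENGTH, INFO-CODE, optional UTF-8 EXTRA-TEXT."""
    data = struct.pack("!H", info_code) + extra_text.encode("utf-8")
    return struct.pack("!HH", EDE_OPTION_CODE, len(data)) + data

def build_servfail(ident, qname, qtype, options, udp_payload=1232, cd=True):
    """Constructed SERVFAIL response: one question, no answers, one OPT RR carrying the options."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_CD if cd else 0) | 2    # low 4 bits: RCODE 2
    header = struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)         # QCLASS IN
    rdata = b"".join(options)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, 0, len(rdata)) + rdata
    return header + question + opt

def parse_ede_options(rdata):
    """Walk OPT RDATA option by option; decode the EDE ones into (info name, extra text)."""
    out, off = [], 0
    while off + 4 <= len(rdata):
        code, length = struct.unpack_from("!HH", rdata, off)
        data, off = rdata[off + 4:off + 4 + length], off + 4 + length
        if code == EDE_OPTION_CODE and length >= 2:
            info = struct.unpack_from("!H", data, 0)[0]
            out.append((EDE_INFO_CODES.get(info, f"Unassigned({info})"),
                        data[2:].decode("utf-8", "replace") or None))
    return out

def parse_response(msg):
    """Parse header, question and RR sections; the OPT RR contributes payload size, RCODE bits, EDE."""
    ident, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off, questions, rr_types, ede, udp_payload, rcode = 12, [], [], [], None, flags & 0xF
    for _ in range(qd):
        name, off = read_name(msg, off)
        questions.append((name, struct.unpack_from("!H", msg, off)[0]))  # (QNAME, QTYPE)
        off += 4                                                           # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        _name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == TYPE_OPT:
            udp_payload = rclass                     # OPT CLASS = requestor's UDP payload size
            rcode |= (ttl >> 24) << 4                # OPT TTL high byte = upper bits of extended RCODE
            ede.extend(parse_ede_options(rdata))
        else:
            rr_types.append(rtype)
    return {"id": ident, "rcode": RCODES.get(rcode, str(rcode)), "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "question": questions, "signed": TYPE_RRSIG in rr_types,
            "udp_payload_size": udp_payload, "ede": ede}

def diagnose(parsed):
    """Turn the EDE codes into what the validating resolver is telling its operator."""
    codes = dict(parsed["ede"])
    stripped = "RRSIGs Missing" in codes
    if stripped:
        msg = (f"validator needed signed {codes['RRSIGs Missing']} but got no RRSIGs from upstream: "
               "fix or replace the forwarder rather than disabling validation")
    elif parsed["rcode"] == "ServerFailure":
        msg = "SERVFAIL without a DNSSEC-specific EDE: check upstream reachability"
    else:
        msg = "no validation problem reported"
    return {"dnssec_stripped": stripped, "cached": "Cached Error" in codes, "message": msg}

# Constructed to match the first resolve result above: ID 236, 'docker.io. A IN', CD set,
# EDE "RRSIGs Missing" with EXTRA-TEXT "io/DS" (7 bytes) and "Cached Error" (2 bytes).
SAMPLE = build_servfail(236, "docker.io", TYPE_A, [ede_option(10, "io/DS"), ede_option(13)])

if __name__ == "__main__":
    parsed = parse_response(SAMPLE)
    print(len(SAMPLE), "bytes;", parsed["rcode"], parsed["ede"], diagnose(parsed)["message"])
```

Run against the constructed message it reproduces the 55-byte datagram size from the report's Metadata and yields the same two EDE entries; pointing `parse_response` at a captured response (for example the raw bytes of a DS query sent to the forwarder with the DO bit set) shows whether RRSIGs come back at all, which is the check to run on 192.168.54.14 before deciding to turn validation off.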

fmiqbal commented 9 months ago

Ok, thank you. Indeed the upstream DNS server doesn't have DNSSEC, and I think the settings page on Technitium has DNSSEC enabled. Weirdly, I think I never changed the settings, and it worked before (but I don't exactly know if the upstream DNS disabled DNSSEC just yesterday, or if it has always been disabled).

But for now, I've disabled the DNSSEC setting in Technitium.

Thanks for your assistance.