Closed 9bingyin closed 3 months ago
Thanks for the post. The domain name is resolving well with DNSSEC validation when using a recursive resolver. You can test it here and see that it works. It does not seem to be an issue with the implementation.
It seems that your requests are being hijacked by your ISP, which is causing DNSSEC validation to fail. You can see in your own output that bbs.naixi.net points to cname.betamc.net. Whereas in the failing output, it's pointing to cloudflare-cdn.naixi.net. This can be confirmed with DNSViz too.
I just changed my post, and the inconsistent results seem to be due to the geographic resolution policy of this domain name.
I'm using 8.8.4.4, which is resolving the same (since Google DNS supports ECS).
root@localhost:~# dig @8.8.4.4 +dnssec bbs.naixi.net
; <<>> DiG 9.18.24-1-Debian <<>> @8.8.4.4 +dnssec bbs.naixi.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22041
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;bbs.naixi.net. IN A
;; ANSWER SECTION:
bbs.naixi.net. 600 IN CNAME cloudflare-cdn.naixi.net.
bbs.naixi.net. 600 IN RRSIG CNAME 13 3 600 20240728193915 20240714193915 11814 naixi.net. edsuzoxAgTeBSWSPvqSZVJJtobyJOGw711wRrwat+XwYodh2YezAg2ue hE7DS24ewfd01UiqN5CfTMMLAgdObw==
cloudflare-cdn.naixi.net. 600 IN CNAME cname.betamc.net.cdn.cloudflare.net.
cloudflare-cdn.naixi.net. 600 IN RRSIG CNAME 13 3 600 20240724135650 20240710135650 11814 naixi.net. 8GkqAoOuBrmxT7GRYIADG1LmvSA5YjXHe6t9RBCB9jHgmKB9NIFoyl0C LcAK0s2UsWImKIo6v46sBlsMEAH70A==
cname.betamc.net.cdn.cloudflare.net. 300 IN A 172.67.73.88
cname.betamc.net.cdn.cloudflare.net. 300 IN A 104.26.9.227
cname.betamc.net.cdn.cloudflare.net. 300 IN A 104.26.8.227
cname.betamc.net.cdn.cloudflare.net. 300 IN RRSIG A 13 6 300 20240722124842 20240720104842 34505 cloudflare.net. 2v9svM9HCkV5Uvx3/ZJF0VKIS+CH3r2ZLcQ6BgtLR89QklM1IFqeE1iW 1wqxBLvp1L8PyFCapNTEXF9Y8owoKQ==
;; Query time: 316 msec
;; SERVER: 8.8.4.4#53(8.8.4.4) (UDP)
;; WHEN: Sun Jul 21 19:48:42 CST 2024
;; MSG SIZE rcvd: 485
OK, that's something different, but it should not cause DNSSEC validation failure. When you are running a recursive resolver, for some reason the response is getting altered, causing the validation to fail.
You can test this again with the DNS Client that is available on the admin panel by selecting "Recursive Query" as the server. You can also test using 8.8.4.4 and see if that works.
{
"Metadata": {
"NameServer": "localhost:5053 (127.0.0.1)",
"Protocol": "Udp",
"DatagramSize": "42 bytes",
"RoundTripTime": "228.03 ms"
},
"EDNS": {
"UdpPayloadSize": 1232,
"ExtendedRCODE": "ServerFailure",
"Version": 0,
"Flags": "DNSSEC_OK",
"Options": []
},
"DnsClientExtendedErrors": [
{
"InfoCode": "NetworkError",
"ExtraText": "localhost:5053 (127.0.0.1) returned RCODE=ServerFailure for bbs.naixi.net. A IN"
}
],
"Identifier": 34153,
"IsResponse": true,
"OPCODE": "StandardQuery",
"AuthoritativeAnswer": false,
"Truncation": false,
"RecursionDesired": true,
"RecursionAvailable": true,
"Z": 0,
"AuthenticData": false,
"CheckingDisabled": true,
"RCODE": "ServerFailure",
"QDCOUNT": 1,
"ANCOUNT": 0,
"NSCOUNT": 0,
"ARCOUNT": 1,
"Question": [
{
"Name": "bbs.naixi.net",
"Type": "A",
"Class": "IN"
}
],
"Answer": [],
"Authority": [],
"Additional": [
{
"Name": "",
"Type": "OPT",
"Class": "1232",
"TTL": "32768 (9 hours 6 mins 8 sec)",
"RDLENGTH": "0 bytes",
"RDATA": {
"Options": []
},
"DnssecStatus": "Indeterminate"
}
]
}
{
"Metadata": {
"NameServer": "dns.google (8.8.4.4)",
"Protocol": "Udp",
"DatagramSize": "485 bytes",
"RoundTripTime": "161.57 ms"
},
"EDNS": {
"UdpPayloadSize": 512,
"ExtendedRCODE": "NoError",
"Version": 0,
"Flags": "DNSSEC_OK",
"Options": []
},
"Identifier": 0,
"IsResponse": true,
"OPCODE": "StandardQuery",
"AuthoritativeAnswer": false,
"Truncation": false,
"RecursionDesired": true,
"RecursionAvailable": true,
"Z": 0,
"AuthenticData": false,
"CheckingDisabled": true,
"RCODE": "NoError",
"QDCOUNT": 1,
"ANCOUNT": 8,
"NSCOUNT": 0,
"ARCOUNT": 1,
"Question": [
{
"Name": "bbs.naixi.net",
"Type": "A",
"Class": "IN"
}
],
"Answer": [
{
"Name": "bbs.naixi.net",
"Type": "CNAME",
"Class": "IN",
"TTL": "513 (8 mins 33 sec)",
"RDLENGTH": "17 bytes",
"RDATA": {
"Domain": "cloudflare-cdn.naixi.net"
},
"DnssecStatus": "Secure"
},
{
"Name": "bbs.naixi.net",
"Type": "RRSIG",
"Class": "IN",
"TTL": "513 (8 mins 33 sec)",
"RDLENGTH": "93 bytes",
"RDATA": {
"TypeCovered": "CNAME",
"Algorithm": "ECDSAP256SHA256",
"Labels": 3,
"OriginalTtl": 600,
"SignatureExpiration": "2024-07-28T19:38:41Z",
"SignatureInception": "2024-07-14T19:38:41Z",
"KeyTag": 11814,
"SignersName": "naixi.net",
"Signature": "avtvhd/tOcUjygdDtEJP5JMGhRQXMvMTDOjkIZF093B6G9IxQ92D2eMcI2rqynswfKdwEUmo+TeZ4TWcxrpacQ=="
},
"DnssecStatus": "Secure"
},
{
"Name": "cloudflare-cdn.naixi.net",
"Type": "CNAME",
"Class": "IN",
"TTL": "513 (8 mins 33 sec)",
"RDLENGTH": "34 bytes",
"RDATA": {
"Domain": "cname.betamc.net.cdn.cloudflare.net"
},
"DnssecStatus": "Secure"
},
{
"Name": "cloudflare-cdn.naixi.net",
"Type": "RRSIG",
"Class": "IN",
"TTL": "513 (8 mins 33 sec)",
"RDLENGTH": "93 bytes",
"RDATA": {
"TypeCovered": "CNAME",
"Algorithm": "ECDSAP256SHA256",
"Labels": 3,
"OriginalTtl": 600,
"SignatureExpiration": "2024-07-24T05:58:52Z",
"SignatureInception": "2024-07-10T05:58:52Z",
"KeyTag": 11814,
"SignersName": "naixi.net",
"Signature": "0U4EuJw1geIARrF9AIgOjHPALVXKqLZMdnmAqTtol0BgWPy7Lj+owfiRIWFpLOlQ4M2h9yLfo1uA2Bdy04E96Q=="
},
"DnssecStatus": "Secure"
},
{
"Name": "cname.betamc.net.cdn.cloudflare.net",
"Type": "A",
"Class": "IN",
"TTL": "213 (3 mins 33 sec)",
"RDLENGTH": "4 bytes",
"RDATA": {
"IPAddress": "172.67.73.88"
},
"DnssecStatus": "Secure"
},
{
"Name": "cname.betamc.net.cdn.cloudflare.net",
"Type": "A",
"Class": "IN",
"TTL": "213 (3 mins 33 sec)",
"RDLENGTH": "4 bytes",
"RDATA": {
"IPAddress": "104.26.9.227"
},
"DnssecStatus": "Secure"
},
{
"Name": "cname.betamc.net.cdn.cloudflare.net",
"Type": "A",
"Class": "IN",
"TTL": "213 (3 mins 33 sec)",
"RDLENGTH": "4 bytes",
"RDATA": {
"IPAddress": "104.26.8.227"
},
"DnssecStatus": "Secure"
},
{
"Name": "cname.betamc.net.cdn.cloudflare.net",
"Type": "RRSIG",
"Class": "IN",
"TTL": "213 (3 mins 33 sec)",
"RDLENGTH": "98 bytes",
"RDATA": {
"TypeCovered": "A",
"Algorithm": "ECDSAP256SHA256",
"Labels": 6,
"OriginalTtl": 300,
"SignatureExpiration": "2024-07-22T12:57:38Z",
"SignatureInception": "2024-07-20T10:57:38Z",
"KeyTag": 34505,
"SignersName": "cloudflare.net",
"Signature": "P1nivdGvxfKVv1T+TixsVWTczFdBFmp5ApNi610QIf2CgFgboWGl6zvHmKFzC/PEUHKfU4VkrGa0UXxqKfUEvA=="
},
"DnssecStatus": "Secure"
}
],
"Authority": [],
"Additional": [
{
"Name": "",
"Type": "OPT",
"Class": "512",
"TTL": "32768 (9 hours 6 mins 8 sec)",
"RDLENGTH": "0 bytes",
"RDATA": {
"Options": []
},
"DnssecStatus": "Indeterminate"
}
]
}
These tests show that the validation is working well but, due to some network-level interference, recursive resolution is failing. There is not much that can be done about it. This is really how DNSSEC is supposed to protect from tampered responses.
I would recommend that you configure your local DNS server to use an encrypted DNS forwarder and not rely upon recursive resolution on your network due to possible hijacks.
{
"EDNS": {
"UdpPayloadSize": 1232,
"ExtendedRCODE": "ServerFailure",
"Version": 0,
"Flags": "None",
"Options": [
{
"Code": "EXTENDED_DNS_ERROR",
"Length": "0 bytes",
"Data": {
"InfoCode": "DNSKEYMissing",
"ExtraText": "No SEP matching the DS found for naixi.net"
}
}
]
},
"Identifier": 0,
"IsResponse": true,
"OPCODE": "StandardQuery",
"AuthoritativeAnswer": false,
"Truncation": false,
"RecursionDesired": true,
"RecursionAvailable": true,
"Z": 0,
"AuthenticData": false,
"CheckingDisabled": false,
"RCODE": "ServerFailure",
"QDCOUNT": 1,
"ANCOUNT": 0,
"NSCOUNT": 0,
"ARCOUNT": 1,
"Question": [
{
"Name": "naixi.net",
"Type": "DNSKEY",
"Class": "IN"
}
],
"Answer": [],
"Authority": [],
"Additional": [
{
"Name": "",
"Type": "OPT",
"Class": "1232",
"TTL": "0 (0 sec)",
"RDLENGTH": "0 bytes",
"RDATA": {
"Options": [
{
"Code": "EXTENDED_DNS_ERROR",
"Length": "0 bytes",
"Data": {
"InfoCode": "DNSKEYMissing",
"ExtraText": "No SEP matching the DS found for naixi.net"
}
}
]
},
"DnssecStatus": "Unknown"
}
]
}
It seems like DNSKEY responses are being modified in the network, causing this failure.
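The "No SEP matching the DS found for naixi.net" error in the output above is the validator reporting that none of the DNSKEY records it received hashes to the DS record the parent zone publishes, so the chain of trust cannot be built. The following Python is an added example, not Technitium's code and not naixi.net's real records: the public key bytes and the DS digest are constructed. It implements the RFC 4034 DS-to-DNSKEY check (key tag, algorithm, and digest over the canonical owner name plus DNSKEY RDATA) and shows why a DNSKEY RRset altered in transit fails it, including a forgery that preserves the key tag and is only caught by the digest.

```python
"""Check whether any DNSKEY in a zone's apex key set matches the DS record
published by the parent zone (RFC 4034 sections 5.1.4 and Appendix B).

All key material below is constructed illustration data, not naixi.net's real
DNSKEY or DS records.
"""
import hashlib
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    owner: str
    flags: int        # 256 = ZSK, 257 = KSK (SEP bit set)
    protocol: int     # always 3 for DNSSEC
    algorithm: int    # 13 = ECDSAP256SHA256, the algorithm seen in the thread's RRSIGs
    public_key: bytes

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    @property
    def is_sep(self) -> bool:
        return bool(self.flags & 0x0001)


@dataclass(frozen=True)
class DS:
    owner: str
    key_tag: int
    algorithm: int
    digest_type: int  # 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
    digest: bytes


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root terminator."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: a 16-bit checksum over the DNSKEY RDATA (not a security property)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def ds_digest(key: DNSKEY, digest_type: int) -> bytes:
    """DS digest = H(canonical owner name | DNSKEY RDATA)."""
    return _DIGESTS[digest_type](owner_wire(key.owner) + key.rdata()).digest()


def make_ds(key: DNSKEY, digest_type: int = 2) -> DS:
    """Build the DS record the parent zone would publish for this key."""
    return DS(key.owner, key_tag(key.rdata()), key.algorithm, digest_type, ds_digest(key, digest_type))


def find_matching_key(ds: DS, keys):
    """Return the DNSKEY the DS authenticates, or None (the 'no key matching the DS' case).
    Key tag and algorithm are cheap pre-filters; only the digest comparison binds the key."""
    for key in keys:
        if key.owner.lower().rstrip(".") != ds.owner.lower().rstrip("."):
            continue
        if key.algorithm != ds.algorithm or key_tag(key.rdata()) != ds.key_tag:
            continue
        if ds_digest(key, ds.digest_type) == ds.digest:
            return key
    return None


# Constructed zone keys (a 64-byte value standing in for a P-256 public point).
GENUINE_KSK = DNSKEY("naixi.net", 257, 3, 13, bytes(range(64)))
GENUINE_ZSK = DNSKEY("naixi.net", 256, 3, 13, bytes(range(64, 128)))
PARENT_DS = make_ds(GENUINE_KSK)  # what the parent (.net) zone would serve for this KSK

# A DNSKEY answer rewritten in transit: the key bytes no longer match the DS.
TAMPERED_KSK = DNSKEY("naixi.net", 257, 3, 13, bytes(64))

# A forgery that keeps the key tag: swapping two bytes at even offsets leaves the
# checksum unchanged, so only the digest comparison rejects it.
_pk = bytearray(range(64))
_pk[0], _pk[2] = _pk[2], _pk[0]
SAME_TAG_FORGERY = DNSKEY("naixi.net", 257, 3, 13, bytes(_pk))


def validate_zone_keys(keys, ds: DS = PARENT_DS) -> str:
    """Report the outcome of the DS match the way a validator's extended error would."""
    key = find_matching_key(ds, keys)
    if key is None:
        return "DNSKEYMissing: no DNSKEY matching the DS found for " + ds.owner
    return f"secure: DS key tag {ds.key_tag} matches the zone's {'KSK' if key.is_sep else 'ZSK'}"


if __name__ == "__main__":
    print(validate_zone_keys([GENUINE_KSK, GENUINE_ZSK]))
    print(validate_zone_keys([TAMPERED_KSK, GENUINE_ZSK]))
    print(validate_zone_keys([SAME_TAG_FORGERY, GENUINE_ZSK]))
```

A real validator continues from the matched KSK to verify the RRSIG over the DNSKEY RRset and then the RRSIGs on the answer records; this example stops at the DS match because that is the step the error message above refers to. It also shows why the key tag alone is never enough: two keys can share a tag, and only the digest, which is fixed by the parent zone, actually binds the child's key.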
I opened a server in Google Cloud, installed Technitium DNS Server, and tested it with the same ECS, and found that Technitium DNS Server resolves fine. Thanks to your help, I can now determine that it's network hijacking.
The reason I'm using recursive resolution is that there are no reliable DNS services in my area that have DNSSEC turned on (maybe I've found out why they don't turn on DNSSEC).
Anyway, thanks for the help!
You're welcome!
Just a suggestion: if you are running your own VPS, then you can configure a DoH server there and use the DoH endpoint on your local DNS server as a forwarder. This way you will get a reliable and secure DNS service of your own.
With 1.1.1.1 as the resolver, bbs.naixi.net can be resolved normally and DNSSEC validation can be done successfully, but when I use Technitium DNS Server as the recursive resolver, it prompts ServerFailure.
[screenshot: Cloudflare DNS resolution results]
[screenshot: Google DNS resolution results]
[screenshot: Information in the cache]
After disabling DNSSEC validation, the domain name can be resolved normally, but it will prompt:
Warning! DNSSEC validation failed due to unable to find a SEP DNSKEY matching the DS for owner name: naixi.net