alexdalitz / dnsruby

Dnsruby is a feature-complete DNS(SEC) client for Ruby, as used by many of the world's largest DNS registries and the OpenDNSSEC project

Clarification on trust anchors #186

Closed Carlgo11 closed 4 months ago

Carlgo11 commented 1 year ago

Hi, I'm new to DNSSEC and can't figure out why my requests keep coming back as insecure. I've read the (outdated?) examples, wiki, issues and Google group but I'm no closer to figuring out the problem.

As DLV records seem to be deprecated, I opted for anchoring the DNS Keys for `.`. Is that not allowed?

My code:

```ruby
require 'rubygems'
require 'dnsruby'

trusted_key = Dnsruby::RR.create({ name: '.',
                                   type: Dnsruby::Types.DNSKEY,
                                   flags: 256,
                                   protocol: 3,
                                   algorithm: 8,
                                   key: 'AwEAAbF1LAxEQPtClEQno48k6u7JjCOfVfwdENOxQUrX0JbpN5DnKGMAKIfdiWa5oDeKQ3OoQ58yCC8vjtaaGFDgpJxoLwqzhBYHPGFgins5HIERcCQPGAJKWu/ku4XLh+Fu7UyBubDCelxKTbnj26EwbochltRqGIE8hbwSXEzRNo4g+NXkaRMq2FFbaBtEE82yTmZUgFRYAFUvfGTPWblyZGtkepVuHyNb0w/u24dpsz+uyCZZR04cHfRrWOKvqD3lDOwC4+sqd6f7F841R0N2tqSh/WDUZzWdvPBaBOz0FWFLb9porIeZ3Jm08tAMHa+3SGRXfK4RAmxVCmIQQypGabE=' })
Dnsruby::Dnssec.add_trust_anchor(trusted_key)
trusted_key2 = Dnsruby::RR.create({ name: '.',
                                    type: Dnsruby::Types.DNSKEY,
                                    flags: 257,
                                    protocol: 3,
                                    algorithm: 8,
                                    key: 'AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=' })
Dnsruby::Dnssec.add_trust_anchor(trusted_key2)

resolver = Dnsruby::Resolver.new
Dnsruby::Dnssec.default_resolver = resolver
Dnsruby::Dnssec.validation_policy = Dnsruby::Dnssec::ValidationPolicy::ROOT_THEN_LOCAL_ANCHORS
resolver.dnssec = true
resolver.do_validation = true

msg = resolver.query('carlgo11.com', 'A')

puts msg.answer
puts msg.security_level
```

Output:

```
carlgo11.com.   184     IN      A       104.21.3.19
carlgo11.com.   184     IN      A       172.67.130.11
carlgo11.com.   184     IN      RRSIG   A ECDSAP256SHA256 2 300 20230605223617 ( 20230603203617 34505 carlgo11.com. Ct6YJvmOmSQqCDrPMsmW6HtcjWcuw6UxxpFXq9DC9jYYapUn6sRidHTmHdaO2kusKXhhmrDoYv0FOv8NX8XhsA== )
INSECURE
```

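An added example (not code from the issue or from dnsruby) for checking a DNSKEY before anchoring it: it decodes the key, computes the RFC 4034 key tag and the RFC 4509 SHA-256 DS digest, and reports whether the SEP (key-signing-key) bit is set, so the key can be compared with the DS record the parent zone or IANA publishes. Only the Ruby standard library is used; the key string is the flags-257 key from the post above, and the function names are my own.

```ruby
# Added example, not dnsruby code: compute what a validator derives from a DNSKEY
# so a candidate trust anchor can be checked against the published DS record.
require 'digest'

# Owner name in DNS wire format: length-prefixed labels ending in a zero byte.
# The root name "." is a single zero byte.
def name_to_wire(name)
  labels = name.chomp('.').split('.').reject(&:empty?)
  labels.map { |l| [l.bytesize].pack('C') + l }.join + "\x00".b
end

# DNSKEY RDATA: flags (16 bits), protocol (8 bits), algorithm (8 bits), public key bytes.
def dnskey_rdata(flags:, protocol:, algorithm:, key_b64:)
  [flags, protocol, algorithm].pack('nCC') + key_b64.unpack1('m')
end

# Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5).
def key_tag(rdata)
  ac = 0
  rdata.each_byte.with_index { |b, i| ac += i.even? ? (b << 8) : b }
  ac += (ac >> 16) & 0xFFFF
  ac & 0xFFFF
end

# DS digest type 2 (RFC 4509): SHA-256 over owner name (wire form) || DNSKEY RDATA.
def ds_sha256(owner, rdata)
  Digest::SHA256.hexdigest(name_to_wire(owner) + rdata).upcase
end

# The SEP bit (value 1) marks a key-signing key; flags 257 = 256 (zone key) + SEP.
def sep?(flags)
  (flags & 1) == 1
end

# Summary an operator can compare with the DS record published by the parent zone
# (for the root, IANA's root-anchors.xml).
def describe_anchor(owner, flags:, protocol:, algorithm:, key_b64:)
  rdata = dnskey_rdata(flags: flags, protocol: protocol, algorithm: algorithm, key_b64: key_b64)
  {
    owner: owner, flags: flags, key_signing_key: sep?(flags),
    key_tag: key_tag(rdata), ds_sha256: ds_sha256(owner, rdata),
    key_bytes: rdata.bytesize - 4
  }
end

if __FILE__ == $PROGRAM_NAME
  # The flags-257 root key pasted in the issue above.
  root_ksk = 'AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU='
  p describe_anchor('.', flags: 257, protocol: 3, algorithm: 8, key_b64: root_ksk)
  # A flags-256 key (the first key in the issue) is a zone-signing key: key_signing_key
  # comes back false, so it is not a suitable trust anchor.
  p describe_anchor('.', flags: 256, protocol: 3, algorithm: 8, key_b64: root_ksk)[:key_signing_key]
end
```

For the root zone, the reference is IANA's root-anchors.xml, which lists the current root KSK (KSK-2017) under key tag 20326 together with its DS digest; a key whose computed tag and digest differ from that file, or a key with flags 256 (a zone-signing key, like the first key in the post), should not be added to the trust-anchor set. The same check applies to a local anchor for any other zone: compare against the DS record its parent publishes.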
alexdalitz commented 1 year ago

Hi -

Thanks for this!

The root keys are encoded in dnsruby. You can run a validation query like this:

```
dnsruby % ruby -I lib demo/digroot.rb nominet.uk A
;; Answer received from 156.154.103.3 (353 bytes)
;;
;; Security Level : SECURE
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44619
;; flags: qr aa cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

OPT pseudo-record : payloadsize 1232, xrcode 0, version 0, flags 32768

;; QUESTION SECTION (1 record)
;; nominet.uk. IN A

;; ANSWER SECTION (2 records)
nominet.uk. 300 IN A 162.159.134.42
nominet.uk. 300 IN RRSIG A RSASHA256 2 300 20230705051719 ( 20230531045151 58609 nominet.uk. a0VUvN5sVSEv20q7fx46vyJtnmtu5yWkC6LmKErhsQTcGVWiJhRj9EqaFE5sUKcEdJMZe6b/hN0YB0fYbFSR4aMuPWRX4mhSUHjXSf8+JA0T8LNrEk48sADivahw1O1AhuPQZCCB/K6+0K2rCveINcHRquvHFyQSRxVyYh4vnXGhlWfvxvjH7RBInl1048f5nHQkxdUEDaGvbLSi9qsxcPRy+3kfnwvGrIFxVy47QnZHA6LGLsMzjKmwTW8MUTPsOKIxg60ylOnw7GzJ0XCYX1SxYiNRjZ9R5BA/aTGsOQaNjLrAb/ak1/FygXyftPKdJnFJ9ZEw/C0bcMZgjebH/w== )
```

I updated OpenSSL support recently, but it seems that I omitted to update the verifiers - hence, querying for your specified domain name may currently raise an error, when used against later versions of OpenSSL. I’m very sorry about that, and will endeavour to fix the verifier as soon as I can possibly find the time.

I hope this helps!

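Both outputs in this thread print an RRSIG next to the A record. As an added example (not code from the issue or from dnsruby), the following applies the non-cryptographic checks a validator runs on an RRSIG before verifying the signature itself (RFC 4035 section 5.3.1): type covered, signer name, label count, validity window, and whether a DNSKEY with the matching key tag and algorithm exists in the zone's key set. It parses the RRSIG line from the issue's output; the function names and the `zone_keys` list format are my own, and it uses only the Ruby standard library.

```ruby
# Added example, not dnsruby code: the pre-checks a validator applies to an RRSIG
# (RFC 4035 section 5.3.1) before handing it to the cryptographic verifier.
Rrsig = Struct.new(:owner, :ttl, :type_covered, :algorithm, :labels, :original_ttl,
                   :expiration, :inception, :key_tag, :signer, :signature)

# RRSIG timestamps are YYYYMMDDHHMMSS in UTC.
def parse_sig_time(s)
  Time.utc(s[0, 4].to_i, s[4, 2].to_i, s[6, 2].to_i, s[8, 2].to_i, s[10, 2].to_i, s[12, 2].to_i)
end

# Parse one RRSIG line in presentation format, as dnsruby and dig print it;
# the parentheses around the continuation are ignored.
def parse_rrsig(line)
  f = line.delete('()').split
  raise ArgumentError, "not an RRSIG line: #{line}" unless f[2] == 'IN' && f[3] == 'RRSIG'
  Rrsig.new(f[0], f[1].to_i, f[4], f[5], f[6].to_i, f[7].to_i,
            parse_sig_time(f[8]), parse_sig_time(f[9]), f[10].to_i, f[11], f[12..].join)
end

def label_count(name)
  name.chomp('.').split('.').reject(&:empty?).size
end

# The signer must be the owner itself or one of its ancestors (the zone apex).
def signer_covers?(signer, owner)
  s = signer.chomp('.').downcase
  o = owner.chomp('.').downcase
  s.empty? || o == s || o.end_with?(".#{s}")
end

# True when the signature was made over a wildcard expansion (labels < owner labels).
def wildcard_expansion?(sig)
  sig.labels < label_count(sig.owner)
end

# Returns the problems found; an empty list means the RRSIG passes the pre-checks.
# zone_keys is a list of [key_tag, algorithm] pairs for the zone's DNSKEYs
# (leave it empty to skip that check).
def rrsig_problems(sig, rrset_type:, now:, zone_keys: [])
  problems = []
  problems << "covers #{sig.type_covered} but the RRset type is #{rrset_type}" if sig.type_covered != rrset_type
  problems << "signer #{sig.signer} is not an ancestor of #{sig.owner}" unless signer_covers?(sig.signer, sig.owner)
  problems << "labels field #{sig.labels} exceeds the owner's #{label_count(sig.owner)} labels" if sig.labels > label_count(sig.owner)
  problems << "inception #{sig.inception} is after expiration #{sig.expiration}" if sig.inception > sig.expiration
  problems << "not yet valid: inception is #{sig.inception}" if now < sig.inception
  problems << "expired at #{sig.expiration}" if now > sig.expiration
  if !zone_keys.empty? && !zone_keys.include?([sig.key_tag, sig.algorithm])
    problems << "no DNSKEY with key tag #{sig.key_tag} and algorithm #{sig.algorithm} in the zone key set"
  end
  problems
end

if __FILE__ == $PROGRAM_NAME
  # The RRSIG line from the issue's output.
  line = 'carlgo11.com. 184 IN RRSIG A ECDSAP256SHA256 2 300 20230605223617 ( 20230603203617 34505 carlgo11.com. Ct6YJvmOmSQqCDrPMsmW6HtcjWcuw6UxxpFXq9DC9jYYapUn6sRidHTmHdaO2kusKXhhmrDoYv0FOv8NX8XhsA== )'
  sig = parse_rrsig(line)
  # Run today this reports the signature as expired; with now set inside the
  # 2023-06-03 .. 2023-06-05 window it reports nothing.
  puts rrsig_problems(sig, rrset_type: 'A', now: Time.now, zone_keys: [[34505, 'ECDSAP256SHA256']])
end
```

Passing these checks is not the same as a SECURE result: the signature still has to verify under a DNSKEY that chains up to a trust anchor, which is the part dnsruby does and the part the OpenSSL 3 verifier problem mentioned above affects. Failing them, on the other hand, explains most BOGUS results seen in practice (clock skew, expired signatures, a key rollover that left stale RRSIGs behind).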

Carlgo11 commented 1 year ago

Hello Alex, thanks for your response!

It does indeed look like querying my domain, along with any other domain with DNSSEC from Cloudflare, outputs the OpenSSL error. I also discovered that my VPN drops these requests so that's something I'll have to speak with @mullvad about.

Thanks for your work! I can see you've put a lot of time into this project for many years. Perhaps by setting up a GitHub Sponsors page, us developers using your work could give something back for a change?

alexdalitz commented 1 year ago

Just to be clear - if you use a system with OpenSSL 1.0/1.1, then everything should just work. It’s only using OpenSSL3 onwards, and doing verification as part of the recursion, which will currently exhibit issues.

I’m pretty flat out at the moment, but am hoping to schedule some time on fixing this (and make a new release) next week.

Happily, other than dependency changes (e.g. OpenSSL3), and new protocol additions, dnsruby is a pretty mature library, so I don’t have to put too much time into it these days :-)

Thanks,

Alex.
