Closed Carlgo11 closed 4 months ago
Hi -
Thanks for this!
The root keys are encoded in dnsruby. You can run a validation query like this:

```
dnsruby % ruby -I lib demo/digroot.rb nominet.uk A
;; Answer received from 156.154.103.3 (353 bytes)
;;
;; Security Level : SECURE
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44619
;; flags: qr aa cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
OPT pseudo-record : payloadsize 1232, xrcode 0, version 0, flags 32768
;; QUESTION SECTION (1 record)
;; nominet.uk. IN A
;; ANSWER SECTION (2 records)
nominet.uk. 300 IN A 162.159.134.42
nominet.uk. 300 IN RRSIG A RSASHA256 2 300 20230705051719 ( 20230531045151 58609 nominet.uk. a0VUvN5sVSEv20q7fx46vyJtnmtu5yWkC6LmKErhsQTcGVWiJhRj9EqaFE5sUKcEdJMZe6b/hN0YB0fYbFSR4aMuPWRX4mhSUHjXSf8+JA0T8LNrEk48sADivahw1O1AhuPQZCCB/K6+0K2rCveINcHRquvHFyQSRxVyYh4vnXGhlWfvxvjH7RBInl1048f5nHQkxdUEDaGvbLSi9qsxcPRy+3kfnwvGrIFxVy47QnZHA6LGLsMzjKmwTW8MUTPsOKIxg60ylOnw7GzJ0XCYX1SxYiNRjZ9R5BA/aTGsOQaNjLrAb/ak1/FygXyftPKdJnFJ9ZEw/C0bcMZgjebH/w== )
```
I updated OpenSSL support recently, but it seems that I omitted to update the verifiers - hence, querying for your specified domain name may currently raise an error, when used against later versions of OpenSSL. I’m very sorry about that, and will endeavour to fix the verifier as soon as I can possibly find the time.
I hope this helps!
On 4 Jun 2023, at 22:44, Carlgo11 @.***> wrote:
Hi, I'm new to DNSSEC and can't figure out why my requests keep coming back as insecure. I've read the (outdated?) examples, wiki, issues and Google group but I'm no closer to figuring out the problem.
As DLV records seem to be deprecated, I opted for anchoring the DNS keys for `.`. Is that not allowed?
My code:

```ruby
require 'rubygems'
require 'dnsruby'

# Root zone ZSK (flags 256) pinned as a local trust anchor.
trusted_key = Dnsruby::RR.create({
  name: '.', type: Dnsruby::Types.DNSKEY, flags: 256, protocol: 3, algorithm: 8,
  key: 'AwEAAbF1LAxEQPtClEQno48k6u7JjCOfVfwdENOxQUrX0JbpN5DnKGMAKIfdiWa5oDeKQ3OoQ58yCC8vjtaaGFDgpJxoLwqzhBYHPGFgins5HIERcCQPGAJKWu/ku4XLh+Fu7UyBubDCelxKTbnj26EwbochltRqGIE8hbwSXEzRNo4g+NXkaRMq2FFbaBtEE82yTmZUgFRYAFUvfGTPWblyZGtkepVuHyNb0w/u24dpsz+uyCZZR04cHfRrWOKvqD3lDOwC4+sqd6f7F841R0N2tqSh/WDUZzWdvPBaBOz0FWFLb9porIeZ3Jm08tAMHa+3SGRXfK4RAmxVCmIQQypGabE='
})
Dnsruby::Dnssec.add_trust_anchor(trusted_key)

# Root zone KSK (flags 257) pinned as a local trust anchor.
trusted_key2 = Dnsruby::RR.create({
  name: '.', type: Dnsruby::Types.DNSKEY, flags: 257, protocol: 3, algorithm: 8,
  key: 'AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU='
})
Dnsruby::Dnssec.add_trust_anchor(trusted_key2)

# Resolver that asks for DNSSEC records (DO bit) and validates the answers,
# trying the built-in root anchors first and the local anchors second.
resolver = Dnsruby::Resolver.new
Dnsruby::Dnssec.default_resolver = resolver
Dnsruby::Dnssec.validation_policy = Dnsruby::Dnssec::ValidationPolicy::ROOT_THEN_LOCAL_ANCHORS
resolver.dnssec = true
resolver.do_validation = true

msg = resolver.query('carlgo11.com', 'A')
puts msg.answer
puts msg.security_level
```

Output:

```
carlgo11.com. 184 IN A 104.21.3.19
carlgo11.com. 184 IN A 172.67.130.11
carlgo11.com. 184 IN RRSIG A ECDSAP256SHA256 2 300 20230605223617 ( 20230603203617 34505 carlgo11.com. Ct6YJvmOmSQqCDrPMsmW6HtcjWcuw6UxxpFXq9DC9jYYapUn6sRidHTmHdaO2kusKXhhmrDoYv0FOv8NX8XhsA== )
INSECURE
```
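One check worth running before pinning root keys by hand the way the snippet above does is to confirm that the DNSKEY being anchored is the one the parent actually publishes; for the root that means IANA's DS record. The Ruby below is an added example, not dnsruby's code or anything posted in this thread: it computes the RFC 4034 key tag and the SHA-256 DS digest of the pasted KSK (flags 257) and compares them with the root DS (key tag 20326, algorithm 8, digest type 2). That DS value is quoted from memory and should be confirmed against https://data.iana.org/root-anchors/root-anchors.xml before it is relied on. Only the standard library is used, so it runs without dnsruby or network access, and the helpers work for any zone's DNSKEY/DS pair, not just the root.

```ruby
# Added example (not dnsruby code): verify a DNSKEY against its parent's DS
# record before pinning it as a trust anchor.
require 'digest'

# DNSKEY RDATA in wire format: flags (16 bit), protocol (8), algorithm (8), key.
def dnskey_rdata(flags, protocol, algorithm, key_bytes)
  [flags, protocol, algorithm].pack('nCC') + key_bytes
end

# RFC 4034 Appendix B key tag: 16-bit one's-complement-style sum over the RDATA.
# (Algorithm 1, RSA/MD5, has a legacy special case that algorithm 8 does not need.)
def dnskey_key_tag(flags, protocol, algorithm, key_bytes)
  ac = 0
  dnskey_rdata(flags, protocol, algorithm, key_bytes).each_byte.with_index do |b, i|
    ac += i.even? ? (b << 8) : b
  end
  ac += (ac >> 16) & 0xFFFF
  ac & 0xFFFF
end

# Owner name in DNS wire format: length-prefixed lowercase labels ending in 0x00.
# The root name "." is a single zero byte.
def name_to_wire(name)
  labels = name.downcase.chomp('.').split('.').reject(&:empty?)
  labels.map { |l| [l.bytesize, l].pack('Ca*') }.join + "\x00".b
end

# DS digest (RFC 4034 section 5.1.4): hash over owner name || DNSKEY RDATA.
# Digest type 2 is SHA-256, which is what the root DS uses.
def ds_sha256_hex(name, flags, protocol, algorithm, key_bytes)
  wire = name_to_wire(name) + dnskey_rdata(flags, protocol, algorithm, key_bytes)
  Digest::SHA256.hexdigest(wire).upcase
end

# Base64 public key as written in a DNSKEY presentation record -> raw bytes.
def decode_key(b64)
  b64.delete(" \n").unpack1('m0')
end

# Root KSK-2017 public key exactly as pasted in the issue above.
ROOT_KSK_2017_B64 = 'AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU='

# Root DS for KSK-2017 as recalled here (assumption): confirm against
# https://data.iana.org/root-anchors/root-anchors.xml before relying on it.
IANA_ROOT_DS = {
  key_tag: 20326, algorithm: 8, digest_type: 2,
  digest: 'E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D'
}.freeze

# Computes the key tag and DS digest of a DNSKEY and reports whether both,
# together with the algorithm, match the DS the parent zone publishes.
def check_trust_anchor(name, flags, protocol, algorithm, key_b64, expected_ds)
  key = decode_key(key_b64)
  tag = dnskey_key_tag(flags, protocol, algorithm, key)
  digest = ds_sha256_hex(name, flags, protocol, algorithm, key)
  matches = tag == expected_ds[:key_tag] &&
            algorithm == expected_ds[:algorithm] &&
            expected_ds[:digest_type] == 2 &&
            digest == expected_ds[:digest]
  { key_tag: tag, digest: digest, matches: matches }
end

if __FILE__ == $0
  report = check_trust_anchor('.', 257, 3, 8, ROOT_KSK_2017_B64, IANA_ROOT_DS)
  puts "key tag: #{report[:key_tag]}  DS SHA-256: #{report[:digest]}"
  puts(report[:matches] ? 'DNSKEY matches the root DS: safe to anchor' :
                          'DNSKEY does NOT match the root DS: do not anchor it')
end
```

The same comparison is the reason a validating resolver only needs a DS (or a library-shipped anchor) rather than a hand-copied DNSKEY: a pasted key that fails this check would be silently trusted by `add_trust_anchor`, whereas a DS mismatch is caught before any query is made.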
Hello Alex, thanks for your response!
It does indeed look like querying my domain, along with any other domain with DNSSEC from Cloudflare, outputs the OpenSSL error. I also discovered that my VPN drops these requests so that's something I'll have to speak with @mullvad about.
Thanks for your work! I can see you've put a lot of time into this project for many years. Perhaps by setting up a GitHub Sponsors page, us developers using your work could give something back for a change?
Just to be clear - if you use a system with OpenSSL 1.0/1.1, then everything should just work. It’s only using OpenSSL3 onwards, and doing verification as part of the recursion, which will currently exhibit issues.
I’m pretty flat out at the moment, but am hoping to schedule some time on fixing this (and make a new release) next week.
Happily, other than dependency changes (e.g. OpenSSL3), and new protocol additions, dnsruby is a pretty mature library, so I don’t have to put too much time into it these days :-)
Thanks,
Alex.
On 9 Jun 2023, at 00:44, Carlgo11 @.***> wrote:
Hello Alex, thanks for your response!
It does indeed look like querying my domain, along with any other domain with DNSSEC from Cloudflare, outputs the OpenSSL error. I also discovered that my VPN drops these requests so that's something I'll have to speak with @mullvad https://github.com/mullvad about.
Thanks for your work! I can see you've put a lot of time into this project for many years. Perhaps by setting up a GitHub Sponsors page, us developers using your work could give something back for a change?