Closed underdarknl closed 3 months ago
I've verified that the same error message, "No trusted keys found in tree", is shown before change https://github.com/minvws/nl-kat-coordination/pull/2917, so that PR is not the cause of the error.
Troubleshooting the issue shows the following:
$ drill -SD -k /usr/share/dns/root.key REDACTED.net @1.1.1.1
;; Number of trusted keys: 1
;; Chasing: REDACTED.net. A
DNSSEC Trust tree:
REDACTED.net. (A)
No trusted keys found in tree: first error was: No DNSSEC public key(s)
;; Chase failed.
When we remove the nameserver check at the end (@1.1.1.1), the chase works like a charm.
drill -SD -k /usr/share/dns/root.key REDACTED.net
;; Number of trusted keys: 1
;; Chasing: REDACTED.net. A
DNSSEC Trust tree:
REDACTED.net. (A)
|---REDACTED.net. (DNSKEY keytag: 7788 alg: 8 flags: 256)
| |---REDACTED.net. (DNSKEY keytag: 49149 alg: 8 flags: 256)
| |---REDACTED.net. (DNSKEY keytag: 49379 alg: 8 flags: 257)
| |---REDACTED.net. (DS keytag: 49379 digest type: 2)
| |---net. (DNSKEY keytag: 51809 alg: 13 flags: 256)
| |---net. (DNSKEY keytag: 37331 alg: 13 flags: 257)
| |---net. (DS keytag: 37331 digest type: 2)
| |---. (DNSKEY keytag: 5613 alg: 8 flags: 256)
| |---. (DNSKEY keytag: 20326 alg: 8 flags: 257)
|---REDACTED.net. (DNSKEY keytag: 49149 alg: 8 flags: 256)
|---REDACTED.net. (DNSKEY keytag: 7788 alg: 8 flags: 256)
|---REDACTED.net. (DNSKEY keytag: 49379 alg: 8 flags: 257)
|---REDACTED.net. (DS keytag: 49379 digest type: 2)
|---net. (DNSKEY keytag: 51809 alg: 13 flags: 256)
|---net. (DNSKEY keytag: 37331 alg: 13 flags: 257)
|---net. (DS keytag: 37331 digest type: 2)
|---. (DNSKEY keytag: 5613 alg: 8 flags: 256)
|---. (DNSKEY keytag: 20326 alg: 8 flags: 257)
;; Chase successful
When trying the chase command against a domain without DNSSEC, it gives an error (as expected):
$ drill -SD -k /usr/share/dns/root.key badssl.com
;; Number of trusted keys: 1
;; Chasing: badssl.com. A
DNSSEC Trust tree:
<no data>
No trusted keys found in tree: first error was: No DNSSEC public key(s)
;; Chase failed.
When performing the query against the Google nameservers, the DNSSEC is valid:
$ drill -S -k /usr/share/dns/root.key REDACTED.net @8.8.8.8
;; Number of trusted keys: 1
;; Chasing: REDACTED.net. A
DNSSEC Trust tree:
REDACTED.net. (A)
|---REDACTED.net. (DNSKEY keytag: 7788 alg: 8 flags: 256)
| |---REDACTED.net. (DNSKEY keytag: 49149 alg: 8 flags: 256)
| |---REDACTED.net. (DNSKEY keytag: 49379 alg: 8 flags: 257)
| |---REDACTED.net. (DS keytag: 49379 digest type: 2)
| |---net. (DNSKEY keytag: 51809 alg: 13 flags: 256)
| |---net. (DNSKEY keytag: 37331 alg: 13 flags: 257)
| |---net. (DS keytag: 37331 digest type: 2)
| |---. (DNSKEY keytag: 5613 alg: 8 flags: 256)
| |---. (DNSKEY keytag: 20326 alg: 8 flags: 257)
|---REDACTED.net. (DNSKEY keytag: 49149 alg: 8 flags: 256)
|---REDACTED.net. (DNSKEY keytag: 7788 alg: 8 flags: 256)
|---REDACTED.net. (DNSKEY keytag: 49379 alg: 8 flags: 257)
|---REDACTED.net. (DS keytag: 49379 digest type: 2)
|---net. (DNSKEY keytag: 51809 alg: 13 flags: 256)
|---net. (DNSKEY keytag: 37331 alg: 13 flags: 257)
|---net. (DS keytag: 37331 digest type: 2)
|---. (DNSKEY keytag: 5613 alg: 8 flags: 256)
|---. (DNSKEY keytag: 20326 alg: 8 flags: 257)
;; Chase successful
When performing the query against the Quad9 nameservers, it also gives an invalid DNSSEC.
$ drill -S -k /usr/share/dns/root.key REDACTED.net @9.9.9.9
;; Number of trusted keys: 1
;; Chasing: REDACTED.net. A
DNSSEC Trust tree:
REDACTED.net. (A)
No trusted keys found in tree: first error was: No DNSSEC public key(s)
;; Chase failed.
There are two solutions:
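As an added example (this is not code from the issue, from OpenKAT, or from ldns), the following Python parses the DNSSEC trust tree that `drill -S` prints and checks the chain structurally instead of grepping for "Chase successful": every signing zone below the root needs a DS whose key tag matches one of that zone's SEP (flags 257) DNSKEYs, and the root DNSKEY set must contain the configured trust anchor. The trust-anchor key tag 20326 is an assumption about what /usr/share/dns/root.key contains on the reporter's system; the two sample inputs are the drill outputs quoted in the issue, trimmed to the first branch, so the script runs offline and also exercises the failure mode seen against 1.1.1.1, where the tree holds only the "(A)" node.

```python
"""Structural check of the DNSSEC trust tree printed by `drill -S` (ldns).
Added example for this issue; not OpenKAT's boefje code and not part of ldns."""
import re
from dataclasses import dataclass, field

# Assumption: /usr/share/dns/root.key carries the 2017 root KSK (key tag 20326).
# In real use, read the key tag(s) from that file instead of hard-coding them.
TRUST_ANCHOR_KEYTAGS = {20326}
# DNSKEY algorithms RFC 8624 marks MUST NOT / NOT RECOMMENDED for signing.
WEAK_ALGS = {1: "RSAMD5", 3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1", 7: "RSASHA1-NSEC3-SHA1"}

# Node lines after the "| |---" art: "net. (DNSKEY keytag: 37331 alg: 13 flags: 257)"
DNSKEY_RE = re.compile(
    r"^(?P<owner>\S+)\s+\(DNSKEY keytag:\s*(?P<keytag>\d+)\s+alg:\s*(?P<alg>\d+)\s+flags:\s*(?P<flags>\d+)\)"
)
DS_RE = re.compile(
    r"^(?P<owner>\S+)\s+\(DS keytag:\s*(?P<keytag>\d+)\s+digest type:\s*(?P<digest>\d+)\)"
)

@dataclass
class ChainResult:
    ok: bool
    reason: str
    zones: list = field(default_factory=list)      # signing zones, leaf first
    warnings: list = field(default_factory=list)

def parse_tree(output: str):
    """Collect DNSKEY and DS nodes from drill's tree, ignoring the ASCII art."""
    dnskeys, ds, order = {}, {}, []
    for raw in output.splitlines():
        line = raw.strip().lstrip("| -")          # drop the "| |---" prefixes
        if m := DNSKEY_RE.match(line):
            owner = m["owner"]
            if owner not in dnskeys:
                order.append(owner)               # drill prints leaf zone first, root last
            dnskeys.setdefault(owner, {})[int(m["keytag"])] = (int(m["alg"]), int(m["flags"]))
        elif m := DS_RE.match(line):
            ds.setdefault(m["owner"], {})[int(m["keytag"])] = int(m["digest"])
    return dnskeys, ds, order

def check_chain(output: str, anchors=TRUST_ANCHOR_KEYTAGS) -> ChainResult:
    """Walk the zones leaf -> root and confirm each delegation and the anchor."""
    dnskeys, ds, order = parse_tree(output)
    if not order:
        # The 1.1.1.1 / 9.9.9.9 runs in the issue look like this: only the
        # "(A)" node is printed and drill reports "No DNSSEC public key(s)".
        return ChainResult(False, "no DNSKEY records in tree, nothing to chain")
    res = ChainResult(True, "chain reaches the trust anchor", zones=order)
    for child in order[:-1]:                        # every zone except the last (root)
        child_ds = ds.get(child, {})
        if not child_ds:
            return ChainResult(False, f"no DS record for {child}", order)
        # A DS proves the delegation only if its tag matches a SEP key (flags bit 0 set, i.e. 257).
        linked = [t for t in child_ds if t in dnskeys[child] and dnskeys[child][t][1] & 1]
        if not linked:
            return ChainResult(False, f"DS for {child} matches no SEP DNSKEY", order)
        for t in linked:
            if child_ds[t] == 1:
                res.warnings.append(f"{child}: DS digest type 1 (SHA-1), deprecated for delegations (RFC 8624)")
    if order[-1] != ".":
        return ChainResult(False, f"chain ends at {order[-1]} instead of the root", order)
    if not set(dnskeys["."]) & set(anchors):
        return ChainResult(False, "no root DNSKEY matches the configured trust anchor", order)
    for zone, keys in dnskeys.items():
        for tag, (alg, _flags) in keys.items():
            if alg in WEAK_ALGS:
                res.warnings.append(f"{zone}: key {tag} uses {WEAK_ALGS[alg]} (alg {alg}), not recommended for signing (RFC 8624)")
    return res

# Sample input: the issue's successful run against 8.8.8.8, first branch only.
GOOD_OUTPUT = """\
DNSSEC Trust tree:
REDACTED.net. (A)
|---REDACTED.net. (DNSKEY keytag: 7788 alg: 8 flags: 256)
| |---REDACTED.net. (DNSKEY keytag: 49149 alg: 8 flags: 256)
| |---REDACTED.net. (DNSKEY keytag: 49379 alg: 8 flags: 257)
| |---REDACTED.net. (DS keytag: 49379 digest type: 2)
| |---net. (DNSKEY keytag: 51809 alg: 13 flags: 256)
| |---net. (DNSKEY keytag: 37331 alg: 13 flags: 257)
| |---net. (DS keytag: 37331 digest type: 2)
| |---. (DNSKEY keytag: 5613 alg: 8 flags: 256)
| |---. (DNSKEY keytag: 20326 alg: 8 flags: 257)
;; Chase successful
"""
# Sample input: the issue's failing run against 1.1.1.1.
BAD_OUTPUT = """\
DNSSEC Trust tree:
REDACTED.net. (A)
No trusted keys found in tree: first error was: No DNSSEC public key(s)
;; Chase failed.
"""

if __name__ == "__main__":
    for label, out in (("8.8.8.8", GOOD_OUTPUT), ("1.1.1.1", BAD_OUTPUT)):
        r = check_chain(out)
        print(f"{label}: ok={r.ok} reason={r.reason!r} zones={r.zones} warnings={r.warnings}")
```

Run as a script it prints a verdict for both captures. In a scanner this gives a reason when a chase fails (no DNSKEYs returned, a DS that matches no SEP key, a root key that is not the anchor) rather than a bare "Chase failed", and it flags SHA-1 digests and legacy algorithms that drill itself will happily validate. The zone order is taken from the order in which drill lists DNSKEY owners (leaf first, root last), which is an assumption about ldns's output format.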
Can confirm this bug for the domain provided by the owner. What happens is:
The DNS zone RAW file for this domain has the following output:
When manually checking the DNS: