Comments (8)
Testing all of the resolvers listed at Lifewire gives the following results. Since gmx.net is definitely a signed domain, I'd stay away from all resolvers that don't validate gmx.net (or any other domain) properly. Some of them imply in their name that they manipulate responses (AdGuard, Cleanbrowsing) while OpenDNS is well known for being bogus.
If your internal server is giving you a SERVFAIL, then it could be any of these reasons:
- running outdated software
- using a forwarding server that manipulates DNS (e.g. OpenDNS, AdGuard, etc.)
- it's misconfigured
Using resolver: 8.8.8.8
---gmx.net.
AD-Flag: true
RCode: NOERROR
Using resolver: 9.9.9.9
---gmx.net.
AD-Flag: true
RCode: NOERROR
Using resolver: 208.67.222.222
---gmx.net.
Apr. 01, 2019 5:53:00 NACHM. org.jitsi.dnssec.validator.DnsSecVerifier verify
INFO: RRset failed to verify due to lack of signatures
AD-Flag: false
RCode: SERVFAIL
Reason: validate.bogus:dnskey.no_ds_match
Using resolver: 1.1.1.1
---gmx.net.
AD-Flag: true
RCode: NOERROR
Using resolver: 185.228.168.9
---gmx.net.
AD-Flag: true
RCode: NOERROR
Using resolver: 64.6.64.6
---gmx.net.
AD-Flag: true
RCode: NOERROR
Using resolver: 198.101.242.72
---gmx.net.
AD-Flag: true
RCode: NOERROR
Using resolver: 176.103.130.130
---gmx.net.
Apr. 01, 2019 5:53:02 NACHM. org.jitsi.dnssec.validator.DnsSecVerifier verify
INFO: RRset failed to verify due to lack of signatures
AD-Flag: false
RCode: SERVFAIL
Reason: validate.bogus.badkey:gmx.net.:failed.ds
Using resolver: 45.33.97.5
---gmx.net.
AD-Flag: true
RCode: NOERROR
Using resolver: 91.239.100.100
---gmx.net.
AD-Flag: true
RCode: NOERROR
Using resolver: 74.82.42.42
---gmx.net.
AD-Flag: true
RCode: NOERROR
Using resolver: 77.88.8.8
---gmx.net.
AD-Flag: true
RCode: NOERROR
Using resolver: 109.69.8.51
---gmx.net.
AD-Flag: true
RCode: NOERROR
from dnssecjava.
Hi,
thank you very much for your answer. We have analyzed this issue further and I would like to share the results with you. bind has the configuration option minimal-responses. This is configured with the values yes or no. If we configure bind with minimal-responses yes, then we haven't seen any issues. If we configure it with minimal-responses no, then the issue with the missing signature in the authority section appears. We would be grateful if you could consider this option in the project and provide an update for it. Is this possible?
Thank you very much.
Best Regards
Vangelis
from dnssecjava.
Can you please provide examples of a failing and a succeeding response, e.g. a Wireshark capture or a BIND config to reproduce the queries? Failing this, I'll need at least trace-level log output from a query.
I'm wondering which additional records end up in the Authority section that cannot be validated. RFC 4035 mandates that RRsets in the Authority section need to have corresponding RRSIGs.
from dnssecjava.
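A small model of the RFC 4035 rule cited above, as an added example that is not dnssecjava's code: records are (owner, type, rdata) tuples, an RRSIG's rdata stands for the type it covers, and the two sample responses are constructed to mirror the thread (a reply with nothing unsigned versus one whose Authority section carries an NS RRset without its RRSIG; the names and addresses are placeholders).

```python
from collections import defaultdict

RRSIG = "RRSIG"

def rrsets_by_key(section):
    """Group a section into RRsets keyed by (owner, type).

    RRSIG records are kept apart and recorded as (owner, covered type),
    because an RRSIG does not need a signature of its own.
    """
    rrsets = defaultdict(list)
    covered = set()
    for owner, rrtype, rdata in section:
        if rrtype == RRSIG:
            covered.add((owner.lower(), rdata))
        else:
            rrsets[(owner.lower(), rrtype)].append(rdata)
    return rrsets, covered

def unsigned_rrsets(section):
    """Return the (owner, type) keys of RRsets that have no covering RRSIG."""
    rrsets, covered = rrsets_by_key(section)
    return sorted(key for key in rrsets if key not in covered)

def validate_response(response):
    """Apply the RFC 4035 rule: every RRset in the Answer and Authority
    sections of a signed response must carry its RRSIG. Returns the RCODE a
    validating resolver would hand back plus the offending RRsets, so the
    "lack of signatures" failure in the thread is visible, not just logged."""
    missing = []
    for section in ("answer", "authority"):
        missing += [(section, owner, rrtype)
                    for owner, rrtype in unsigned_rrsets(response.get(section, []))]
    return ("NOERROR" if not missing else "SERVFAIL", missing)

# Constructed sample responses for an A query on gmx.net (not real captures).
MINIMAL_YES = {  # nothing beyond the signed answer, as with minimal-responses yes
    "answer": [("gmx.net.", "A", "203.0.113.10"), ("gmx.net.", "RRSIG", "A")],
    "authority": [],
}
MINIMAL_NO = {  # an unsigned NS RRset has been added to the Authority section
    "answer": [("gmx.net.", "A", "203.0.113.10"), ("gmx.net.", "RRSIG", "A")],
    "authority": [("gmx.net.", "NS", "ns1.example.net."),
                  ("gmx.net.", "NS", "ns2.example.net.")],
}
```

The Additional section is left out of the check on purpose: RFC 4035 only asks servers to sign it when space permits, and delegation glue there is unsigned anyway.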
Hello Ingo,
we have provided the Wireshark traces by email.
Best Regards
Vangelis
from dnssecjava.
To which address? I haven't received anything.
from dnssecjava.
Got them now, thanks! It'll take me a while to dive into this.
from dnssecjava.
@mtgag could you please check if #16 fixes this for you?
from dnssecjava.
v1.2.0 which contains this fix is now released to Maven Central.
from dnssecjava.