-
Notifications
You must be signed in to change notification settings - Fork 36
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Dane validity failed - use validating resolver for DANE existence subtest #1358
Comments
Interesting, I also checked with https://www.huque.com/bin/danecheck-smtp and it fails on the TLSA DNS record:
I also had some issues (no response on The DANE existence is done with a direct query, while the DANE validity check is done with ldns, probably this one performs a different DNS check, resulting in this correct output, but indeed tricky to understand correctly. Internet.nl/checks/tasks/tls.py Lines 1196 to 1210 in a469e4c
So this is the test that done: $ openssl s_client -showcerts -crlf -starttls smtp -connect teachmecoding.club:25 -verify_quiet </dev/null 2>/dev/null \
| ldns-dane -c /dev/stdin -n -T -r 9.9.9.9 verify teachmecoding.club 25
dane_query: The queried resource records were bogus I'm not sure why, but I do sometimes see it succeeds (also on https://www.huque.com/bin/danecheck-smtp):
So it would help a lot if the output of ldns is included in the failure of DANE here. Note to first solve the DNS issue, and then maybe wait 300 seconds (this is your negative response caching TTL) because #1340 is not yet deployed. |
Ok, thank you. I will try to fix DNS issue by contacting to NS authorities. By the way I don't trust the tool https://www.huque.com/bin/danecheck-smtp. Because this site gives me random results. First time it always fail, then i try again |
I'm seeing the same mixed results on my command line when running ldns-dane with 9.9.9.9, so it might be due to the resolver (and e.g. some caching). |
The failure probably has to do with "qname minimization"(RFC 7816) that the Internet.nl-resolver for the "DANE validity" subtest does. In addition see RFC 8020 which states:
The nameservers of teachmecoding.club do not handle "qname minimization" correctly. See DNSviz and the relevant below test result quote. This seems to be the reason why the subtest fails.
Besides, this case also makes clear that something seems to have changed (unintentionally) in the Internet.nl code base. Previously, such a domain namely would already fail on the "DANE existence" subtest. So, apparently the Internet.nl Unbound (that is used for the "DANE existence" subtest) does not do "qnmame minimization" anymore, while ldns (that is used for the "DANE validity" subtest) still does. For comparison:
I suggest to:
Btw not sure why Internet.nl uses ldns. Alternatively, Internet.nl could probably also query DANE TLSA records with Unbound and validate these records with OpenSSL. See: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_dane_enable.html |
I agree to fix #534. |
@gthess Can you please check what is happening here? Thanks! |
I believe this is because of the following change: Internet.nl/checks/tasks/__init__.py Line 30 in a35628f
After the above change, queries are forwarded to a non-validating Unbound which upon encountering the NXDOMAIN, skips qname-minimization as best effort in order to try and resolve the query; which it does. ldns-dane then is configured to use the validating resolver which provides the BOGUS answer. |
Thanks @gthess Interesting that batch is showing the same behaviour as single test. See: https://batch.internet.nl/mail/teachmecoding.club/7964015/#control-panel-28 I expected this change to be part of the Docker release, and thus batch to not show this behaviour (as it currently does not run on Docker). But maybe this change was already present in or backported/copied to the non-Docker. @mxsasha Could you check? |
Pre-docker there was: Internet.nl/checks/tasks/__init__.py Lines 42 to 43 in c5ba541
Defined by: Internet.nl/internetnl/settings-dist.py Line 114 in 2d03c94
Internet.nl/internetnl/settings-dist.py Lines 389 to 394 in 2d03c94
The Since batch currently has the same behavior as docker, probably the unbound conf was changed prior to the dockerization, and the dockerization (this change) itself is correct. The thing to check is the (central) unbound config on batch, and when it was last changed. From the documentation it reads the new Internet.nl/documentation/Docker-DNS.md Lines 5 to 6 in c025ade
|
Following from discussion with @bwbroersma: the DANE checks should use the validating resolver, and not report bogus records, as they do not "count" for DANE. More optimal: report any bogus response from any check in the DNSSEC result, but this is a big overhaul. |
Part of the larger overhaul is in: Agreed to only fix the validating resolver for the DANE existence subtest for now. Only question is, can the resolver change be done as backport (for v1.8.6) or should it be v1.9? |
I have looked into the code, and all the resolving is shared, and the DANE lookup may be performed both as part of do_mail_get_servers() or by the dane check itself. I'm wondering if we should not use the non-validating resolver anyways. I know this was discussed, but I'm not sure about the reasoning to set it up this way. However, I would prefer to pick this up properly as part of #1378, so that we can have one clear way to interact with DNS. |
I believe the reasoning was that even if a domain is DNSSEC bogus, Internet.nl can still run all the other subtests that need DNS lookups. See for example: https://internet.nl/site/servfail.nl/2719028/ Maybe a bit comparable: note that with RPKI invalids Internet.nl is not able to run other subtests (that require connectivity) because our hosting provider is filtering. See for example: https://internet.nl/site/invalid.rpki.isbgpsafeyet.com/2719039/. Since DNSSEC bogus is an exception that should be resolved first before checking other test results, it seems indeed a good idea to simplify our setup and use only a validating resolver, |
The non-validating Unbound context was there to give answers skipping DNSSEC validation altogether. If all the contexts will be replaced by a stub, the stub needs to make sure to activate the CD flag (Checking Disabled) on its queries so that it gets also the bogus data back for other tests to work (like the prechecks and the mail auth test). The AD flag on the response would indicate if DNSSEC validation succeeded or failed. |
Hello,
My domain's DANE validity has failed for both the website and email servers. In previous years, my domain consistently scored 100 and was even featured on the Hall of Fame page. However, this year, something may have changed, and I may have overlooked it or I forget something I changed. Unfortunately, my DANE validation continues to fail, and I'm unsure of the issue. While other tools shows me positive results, I'm perplexed by what's wrong with my domain. Below is the test result:
https://internet.nl/mail/teachmecoding.club/1194082/
Can you help point me in the right direction? I'm using Postfix BTW...
The text was updated successfully, but these errors were encountered: