LibreDNS doesn't support DNSSEC #2216

Merged
pilou- merged 1 commits from LibreDNS_doesnt_support_DNSSEC into master 2021-05-04 03:48:04 +00:00
pilou- commented 2021-02-25 18:01:47 +00:00 (Migrated from github.com)

Description

Same as #2146.

I asked on #libreops:matrix.org whether DNSSEC is supported by the LibreDNS service; the answer is:

not yet, on our todo list

Tested with the following commands:

$ kdig @116.202.176.26 +tls-host=dot.libredns.gr +dnssec sigfail.verteiltesysteme.net
;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 8416
;; Flags: qr rd ra; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 512 B; ext-rcode: NOERROR

;; QUESTION SECTION:
;; sigfail.verteiltesysteme.net.		IN	A

;; ANSWER SECTION:
sigfail.verteiltesysteme.net.	42	IN	A	134.91.78.139
sigfail.verteiltesysteme.net.	42	IN	RRSIG	A 5 3 60 20210502030010 20210131030010 30665 verteiltesysteme.net. //This+RRSIG+is+deliberately+broken///For+more+information+please+go+to/http+//www+verteiltesysteme+net///////////////////////////////////////////////////////////////////8=

The status is NOERROR and the AD flag is missing, but the expected status is SERVFAIL.

This unexpected behavior can be tested with another domain:

$ kdig @116.202.176.26 +tls-host=dot.libredns.gr +dnssec www.dnssec-failed.org
;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 62932
;; Flags: qr rd ra; QUERY: 1; ANSWER: 3; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 512 B; ext-rcode: NOERROR

;; QUESTION SECTION:
;; www.dnssec-failed.org.		IN	A

;; ANSWER SECTION:
www.dnssec-failed.org.	4205	IN	A	68.87.109.242
www.dnssec-failed.org.	4205	IN	A	69.252.193.191
www.dnssec-failed.org.	4205	IN	RRSIG	A 5 3 7200 20210314145058 20210225144558 44973 dnssec-failed.org. ugoAA9teSApCHc8De+5hfxrY/BjD9LSE/fguwdMu0zcvtSF6oIS0iLIY1J94nDecv+YA8YAKC2AcRJhpEIjtaFnTKVrKvTEgr1IMjjujxk7GIGolMht+byvWzPlOf/hGZqlwykNkFRm9syu8OB5oshh/keZC0TflGNA+rUNlET8=

Output of the same command using providers with DNSSEC enabled:

$ kdig @9.9.9.9 +tls-host=dns.quad9.net sigfail.verteiltesysteme.net
;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: SERVFAIL; id: 18459
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 1

;; QUESTION SECTION:
;; sigfail.verteiltesysteme.net.		IN	A

$ kdig @45.90.57.121 +tls-host=dot-ch.blahdns.com sigfail.verteiltesysteme.net
;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: SERVFAIL; id: 59870
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 1

;; QUESTION SECTION:
;; sigfail.verteiltesysteme.net.		IN	A

Check List

  • Netlify preview for the mainly edited page:
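The PR above decides whether a resolver validates DNSSEC by reading two things out of the kdig header: the response status (a validating resolver answers SERVFAIL for a deliberately broken signature) and the AD flag (set only when the resolver authenticated the data). The following Python is an added example, not code from the PR or from the privacytools.io project: it parses kdig-style header output and applies that same decision rule, including the control query a practitioner wants before trusting a SERVFAIL, because a plain SERVFAIL could also be an ordinary lookup failure. The sample headers are copied from the PR's own runs; the `VALID_SIGNED` sample, the `DnsReply` type and the function names are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Sample kdig header output. The first two blocks are taken from the PR above
# (LibreDNS and Quad9 answering for sigfail.verteiltesysteme.net); the third is
# a constructed example of what a validating resolver returns for a correctly
# signed name: NOERROR with the "ad" (Authenticated Data) flag set.
LIBREDNS_SIGFAIL = """\
;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 8416
;; Flags: qr rd ra; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 512 B; ext-rcode: NOERROR
"""

QUAD9_SIGFAIL = """\
;; ->>HEADER<<- opcode: QUERY; status: SERVFAIL; id: 18459
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 1
"""

VALID_SIGNED = """\
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 1
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1
"""


@dataclass(frozen=True)
class DnsReply:
    """The two header fields the DNSSEC check depends on."""
    status: str               # RCODE as kdig prints it: NOERROR, SERVFAIL, ...
    flags: FrozenSet[str]     # header flags, e.g. {"qr", "rd", "ra", "ad"}


def parse_kdig(output: str) -> DnsReply:
    """Extract status and header flags from kdig output.

    Only the ";; ->>HEADER<<-" and ";; Flags:" lines are read. The EDNS
    pseudosection ("flags: do", "ext-rcode: NOERROR") is deliberately not
    matched: "do" is the query's DNSSEC OK bit, not a validation result.
    """
    status_m = re.search(r"->>HEADER<<-.*?status:\s*([A-Z]+)", output)
    flags_m = re.search(r"^;; Flags:\s*([a-z ]*);", output, re.MULTILINE)
    if not status_m or not flags_m:
        raise ValueError("input does not look like a kdig header")
    return DnsReply(status_m.group(1), frozenset(flags_m.group(1).split()))


def classify_resolver(bogus: DnsReply, signed: Optional[DnsReply] = None) -> str:
    """Classify a resolver from its answer for a name with a broken RRSIG.

    bogus:  reply for a deliberately mis-signed name (sigfail.*, dnssec-failed.org)
    signed: optional control reply for a correctly signed name
    Returns "not-validating", "validating" or "inconclusive".
    """
    if bogus.status == "NOERROR":
        # Data for a broken signature was handed back: the resolver did not
        # validate. If "ad" were also set it would be actively misreporting,
        # which is worse, so treat both cases as not validating.
        return "not-validating"
    if bogus.status == "SERVFAIL":
        # The expected answer for a validator, but SERVFAIL alone could be an
        # unrelated failure; require the control query to confirm.
        if signed is None:
            return "inconclusive"
        if signed.status == "NOERROR" and "ad" in signed.flags:
            return "validating"
        return "inconclusive"
    return "inconclusive"


if __name__ == "__main__":
    libredns = parse_kdig(LIBREDNS_SIGFAIL)
    quad9 = parse_kdig(QUAD9_SIGFAIL)
    print("LibreDNS:", classify_resolver(libredns))                     # not-validating
    print("Quad9 (no control):", classify_resolver(quad9))              # inconclusive
    print("Quad9 (with control):", classify_resolver(quad9, parse_kdig(VALID_SIGNED)))
```

To use this against live output, pipe the result of the PR's kdig commands in (the `+dnssec` option sets the DO bit so the resolver includes RRSIGs, but validation is decided by the resolver, not by the client) and run the control query against a known-good signed zone; only the combination "SERVFAIL for the bogus name, NOERROR with ad for the good name" justifies listing a provider as DNSSEC-validating.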
lynn-stephenson (Migrated from github.com) approved these changes 2021-04-14 23:18:26 +00:00
Reference: privacyguides/privacytools.io#2216