invirt-dns returns SERVFAIL for DNSKEY/RRSIG records, breaking some validating resolvers

Bug #1376373 reported by Anders Kaseorg
Affects: Invirt Project
Status: Fix Released
Importance: Medium
Assigned to: Mitchell Berger

Bug Description

My DNSSEC validating resolver (dnsmasq-full 2.71-3 with --dnssec --dnssec-check-unsigned on OpenWrt 14.07-rc3) fails to resolve any hosts in the .xvm.mit.edu domain except ns1.

$ dig qsort.xvm.mit.edu @192.168.9.1

; <<>> DiG 9.9.5-4-Ubuntu <<>> qsort.xvm.mit.edu @192.168.9.1
;; global options: +cmd
;; connection timed out; no servers could be reached

I think this is because ns1 is returning SERVFAIL for DNSKEY and RRSIG queries. It should be returning an empty NOERROR response instead.

http://dnssec-debugger.verisignlabs.com/qsort.xvm.mit.edu

Anders Kaseorg (andersk) wrote:

My router must actually be running dnsmasq v2.71test1. This was fixed in v2.71test2~7:

http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=4872aa747b24238c0859166eaae0ae3d89364244

Anders Kaseorg (andersk) wrote:

Unsurprisingly, invirt-dns also SERVFAILs on other record types it doesn’t recognize. Since we don’t explicitly list all of the record types that are recognized, this is probably a Twisted issue.

NOERROR:
A AAAA AFSDB CNAME MX NAPTR NS PTR RP SOA SPF SRV TXT

SERVFAIL:
APL CERT DHCID DLV DNAME DNSKEY DS HIP IPSECKEY KEY KX LOC NSEC NSEC3 NSEC3PARAM RRSIG SIG SSHFP TKEY TLSA TSIG
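A small stdlib-only probe, added here as an example and not part of invirt-dns or of this bug report, that sends one query per record type to a nameserver and reports whether each comes back NOERROR (an empty answer is the correct NODATA response for a type the zone has no data for) or SERVFAIL, so the fix can be checked against the lists above; the server address and name in the usage block are placeholders, and the type numbers are the IANA registry values.

```python
import socket
import struct

# Record-type numbers (IANA registry values) for the types the comment lists.
QTYPES = {"A": 1, "NS": 2, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28, "SRV": 33,
          "DS": 43, "SSHFP": 44, "RRSIG": 46, "NSEC": 47, "DNSKEY": 48,
          "NSEC3": 50, "NSEC3PARAM": 51, "TLSA": 52}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def build_query(name, qtype, txid=0x1234):
    """Minimal DNS query: one question, RD set (as dig sends it), no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN

def parse_header(data):
    """Return (txid, rcode, ancount, nscount) from a DNS response header."""
    txid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return txid, flags & 0x000F, an, ns

def verdict(rcode, ancount):
    """An authoritative server with no data for a type should answer NOERROR
    with an empty answer section (NODATA), never SERVFAIL."""
    if rcode == 0 and ancount == 0:
        return "ok: NOERROR, empty answer"
    if rcode == 0:
        return "ok: NOERROR, %d answer(s)" % ancount
    return "bad: " + RCODES.get(rcode, "RCODE%d" % rcode)

def probe(server, name, types=QTYPES, timeout=2.0):
    """Query each type once; return {type: verdict}, TIMEOUT if nothing comes back."""
    results = {}
    for rtype, num in types.items():
        txid = 0x1000 + num  # distinct id per query so replies can be matched
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, num, txid), (server, 53))
            data, _ = sock.recvfrom(4096)
            got_id, rcode, an, _ns = parse_header(data)
            results[rtype] = verdict(rcode, an) if got_id == txid else "bad: id mismatch"
        except socket.timeout:
            results[rtype] = "TIMEOUT"
        finally:
            sock.close()
    return results

if __name__ == "__main__":
    # Placeholders: use the nameserver under test and a name it is authoritative for.
    for rtype, result in sorted(probe("192.0.2.1", "host.example.zone").items()):
        print("%-11s %s" % (rtype, result))
```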

Anders Kaseorg (andersk) wrote:

> This was fixed in v2.71test2~7

Okay, things are a bit more complicated than that. My router really is running v2.71 with that fix. But there’s a second problem that is not addressed: even though the query eventually succeeds, it takes too long (over 10 seconds), because something is translating the SERVFAILs into timeouts.

This is apparently a difficult problem for dnsmasq to solve. Although it seems stupid for dnsmasq to make DS queries starting in xvm.mit.edu and proceeding up to the root until it finds proof that the record is unsigned, it actually has to work that way, because as a non-recursive forwarder, it doesn’t know exactly where the zone boundaries are. For details, see this message from the author:
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2014q2/008518.html

Bottom line, invirt-dns really should be fixed.

Anders Kaseorg (andersk) wrote:

Actually I’m no longer convinced that dnsmasq couldn’t be fixed.
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2014q4/008885.html

(But since OpenWrt 14.07 just released, we might be stuck with this version for a while.)

Mitchell Berger (mitchb) wrote:

Proposed fix is running on dev

Changed in invirt:
assignee: nobody → Mitchell Berger (mitchb)
importance: Undecided → Medium
status: New → Fix Committed
Mitchell Berger (mitchb) wrote:

Now in prod.

Changed in invirt:
status: Fix Committed → Fix Released