knot-resolver in forwarding mode incorrectly tries to validate an insecure domain if the zone contains RRSIGs
The zone digitransit.fi contains expired RRSIGs belonging to a different domain (droneinfo.fi). This makes knot-resolver in forwarding mode return BOGUS for digitransit.fi, even though the zone should be treated as insecure, since no DS record is published for it. In non-forwarding mode it works correctly.
(This has been reported to the zone owner and should be fixed at some point; however, Knot Resolver should also handle the zone correctly as it is.)
Reproduced on 5.1.2:
> verbose(true)
true
> policy.add(policy.all(policy.FORWARD({'8.8.8.8'})))
[cb] => function cb(_, _): 0x40459bb8
[count] => 0
[id] => 0
> [00000.00][plan] plan 'api.digitransit.fi.' type 'A' uid [53271.00]
[53271.00][iter] 'api.digitransit.fi.' type 'A' new uid was assigned .01, parent uid .00
[53271.01][cach] => trying zone: ., NSEC, hash 0
[53271.01][cach] => NSEC sname: range search miss (!covers)
[53271.01][cach] => skipping zone: ., NSEC, hash 0;new TTL -123456789, ret -2
[53271.01][plan] plan '.' type 'DNSKEY' uid [53271.02]
[53271.02][iter] '.' type 'DNSKEY' new uid was assigned .03, parent uid .01
[53271.03][cach] => satisfied by exact RRset: rank 060, new TTL 172736
[53271.03][iter] <= rcode: NOERROR
[53271.03][vldr] <= parent: updating DNSKEY
[53271.03][vldr] <= answer valid, OK
[53271.01][iter] 'api.digitransit.fi.' type 'A' new uid was assigned .04, parent uid .00
[53271.04][plan] plan 'fi.' type 'DS' uid [53271.05]
[53271.05][iter] 'fi.' type 'DS' new uid was assigned .06, parent uid .04
[53271.06][cach] => trying zone: ., NSEC, hash 0
[53271.06][cach] => NSEC sname: range search miss (!covers)
[53271.06][cach] => skipping zone: ., NSEC, hash 0;new TTL -123456789, ret -2
[ ][nsre] score 21 for 8.8.8.8#00053; cached RTT: -1
[53271.06][resl] => id: '27374' querying: '8.8.8.8#00053' score: 21 zone cut: '.' qname: 'Fi.' qtype: 'DS' proto: 'udp'
[53271.06][iter] <= rcode: NOERROR
[53271.06][vldr] <= DS: OK
[53271.06][vldr] <= parent: updating DS
[53271.06][vldr] <= answer valid, OK
[53271.06][cach] => stashed fi. DS, rank 060, 330 B total, incl. 1 RRSIGs
[53271.06][resl] <= server: '8.8.8.8' rtt: 16 ms
[53271.04][iter] 'api.digitransit.fi.' type 'A' new uid was assigned .07, parent uid .00
[53271.07][plan] plan 'fi.' type 'DNSKEY' uid [53271.08]
[53271.08][iter] 'fi.' type 'DNSKEY' new uid was assigned .09, parent uid .07
[53271.09][cach] => trying zone: ., NSEC, hash 0
[53271.09][cach] => NSEC sname: range search miss (!covers)
[53271.09][cach] => skipping zone: ., NSEC, hash 0;new TTL -123456789, ret -2
[ ][nsre] score 21 for 8.8.8.8#00053; cached RTT: 16
[53271.09][resl] => id: '49150' querying: '8.8.8.8#00053' score: 21 zone cut: 'fi.' qname: 'fI.' qtype: 'DNSKEY' proto: 'udp'
[53271.09][iter] <= rcode: NOERROR
[53271.09][vldr] <= parent: updating DNSKEY
[53271.09][vldr] <= answer valid, OK
[53271.09][cach] => stashed fi. DNSKEY, rank 060, 826 B total, incl. 1 RRSIGs
[53271.09][resl] <= server: '8.8.8.8' rtt: 24 ms
[53271.07][iter] 'api.digitransit.fi.' type 'A' new uid was assigned .10, parent uid .00
[53271.10][plan] plan 'digitransit.fi.' type 'DS' uid [53271.11]
[53271.11][iter] 'digitransit.fi.' type 'DS' new uid was assigned .12, parent uid .10
[53271.12][cach] => trying zone: ., NSEC, hash 0
[53271.12][cach] => NSEC sname: range search miss (!covers)
[53271.12][cach] => skipping zone: ., NSEC, hash 0;new TTL -123456789, ret -2
[ ][nsre] score 21 for 8.8.8.8#00053; cached RTT: 20
[53271.12][resl] => id: '02617' querying: '8.8.8.8#00053' score: 21 zone cut: 'fi.' qname: 'dIGitRANsIt.FI.' qtype: 'DS' proto: 'udp'
[53271.12][resl] => id: '02617' querying: '8.8.8.8#00053' score: 21 zone cut: 'fi.' qname: 'dIGitRANsIt.FI.' qtype: 'DS' proto: 'udp'
[53271.12][iter] <= rcode: NOERROR
[53271.12][vldr] <= can't prove NODATA due to optout, going insecure
[53271.12][vldr] <= DS doesn't exist, going insecure
[53271.12][vldr] <= parent: updating DS
[53271.12][vldr] <= answer valid, OK
[53271.12][cach] => stashed fi. SOA, rank 060, 348 B total, incl. 1 RRSIGs
[53271.12][cach] => stashed packet: rank 060, TTL 1799, DS digitransit.fi. (1160 B)
[53271.12][resl] <= server: '8.8.8.8' rtt: 40 ms
[53271.10][iter] 'api.digitransit.fi.' type 'A' new uid was assigned .13, parent uid .00
[53271.13][plan] plan 'digitransit.fi.' type 'NS' uid [53271.14]
[53271.14][iter] 'digitransit.fi.' type 'NS' new uid was assigned .15, parent uid .13
[53271.15][cach] => trying zone: ., NSEC, hash 0
[53271.15][cach] => NSEC sname: range search miss (!covers)
[53271.15][cach] => skipping zone: ., NSEC, hash 0;new TTL -123456789, ret -2
[ ][nsre] score 21 for 8.8.8.8#00053; cached RTT: 30
[53271.15][resl] => id: '11470' querying: '8.8.8.8#00053' score: 21 zone cut: 'fi.' qname: 'diGITrAnSiT.fI.' qtype: 'NS' proto: 'udp'
[53271.15][resl] => id: '11470' querying: '8.8.8.8#00053' score: 21 zone cut: 'fi.' qname: 'diGITrAnSiT.fI.' qtype: 'NS' proto: 'udp'
[53271.15][iter] <= rcode: NOERROR
[53271.15][plan] plan 'digitransit.fi.' type 'DS' uid [53271.16]
[53271.15][vldr] >< cut changed, needs revalidation
[53271.15][plan] plan 'droneinfo.fi.' type 'DS' uid [53271.17]
[53271.15][resl] <= server: '8.8.8.8' rtt: 49 ms
[53271.17][iter] 'droneinfo.fi.' type 'DS' new uid was assigned .18, parent uid .15
[53271.18][cach] => trying zone: ., NSEC, hash 0
[53271.18][cach] => NSEC sname: range search miss (!covers)
[53271.18][cach] => skipping zone: ., NSEC, hash 0;new TTL -123456789, ret -2
[ ][nsre] score 21 for 8.8.8.8#00053; cached RTT: 39
[53271.18][resl] => id: '45800' querying: '8.8.8.8#00053' score: 21 zone cut: 'fi.' qname: 'DRONeiNfo.Fi.' qtype: 'DS' proto: 'udp'
[53271.18][iter] <= rcode: NOERROR
[53271.18][vldr] <= DS: OK
[53271.18][vldr] <= parent: updating DS
[53271.18][vldr] <= answer valid, OK
[53271.18][cach] => stashed droneinfo.fi. DS, rank 060, 332 B total, incl. 1 RRSIGs
[53271.18][resl] <= server: '8.8.8.8' rtt: 28 ms
[53271.16][iter] 'digitransit.fi.' type 'DS' new uid was assigned .19, parent uid .15
[53271.19][cach] => satisfied by exact packet: rank 060, new TTL 1799
[53271.19][iter] <= rcode: NOERROR
[53271.19][vldr] <= DS doesn't exist, going insecure
[53271.19][vldr] <= parent: updating DS
[53271.19][vldr] <= answer valid, OK
[53271.15][resl] => resuming yielded answer
[53271.15][vldr] >< bogus signatures: digitransit.fi. NS (2 matching RRSIGs, 2 expired, 0 not yet valid, 0 invalid signer, 0 invalid label count, 0 invalid key, 0 invalid crypto, 0 invalid NSEC)
[53271.15][vldr] >< cut changed (new signer), needs revalidation
[53271.15][resl] => resuming yielded answer
[53271.15][vldr] >< bogus signatures: digitransit.fi. NS (2 matching RRSIGs, 2 expired, 0 not yet valid, 0 invalid signer, 0 invalid label count, 0 invalid key, 0 invalid crypto, 0 invalid NSEC)
[53271.15][vldr] >< cut changed (new signer), needs revalidation
[53271.15][resl] => resuming yielded answer
[53271.15][vldr] >< bogus signatures: digitransit.fi. NS (2 matching RRSIGs, 2 expired, 0 not yet valid, 0 invalid signer, 0 invalid label count, 0 invalid key, 0 invalid crypto, 0 invalid NSEC)
[53271.15][vldr] <= continuous revalidation, fails
[53271.15][cach] => skipping bogus RR set NS
[53271.15][cach] => stashed packet: rank 025, TTL 3599, NS digitransit.fi. (471 B)
DNSSEC validation failure digitransit.fi. NS
[53271.15][resl] finished: 8, queries: 6, mempool: 82000 B
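As an added illustration, not part of the report or of Knot Resolver's code, the decision the report argues for: once the parent has proven that no DS exists for digitransit.fi., the NS RRset is insecure and the stray RRSIGs must not be validated at all. The RRSIG records, their dates, key tags and signature bytes below are constructed placeholders modelled on the log (signer droneinfo.fi., both signatures expired); `classify` and `parse_rrsig` are hypothetical names, and no cryptographic verification is performed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Rrsig:
    type_covered: str
    expiration: datetime
    inception: datetime
    signer: str


def parse_rrsig(rdata: str) -> Rrsig:
    """Parse RRSIG presentation format (RFC 4034 section 3.2):
    <type> <alg> <labels> <origttl> <expiration> <inception> <keytag> <signer> <sig>."""
    f = rdata.split()
    if len(f) < 9:
        raise ValueError("malformed RRSIG rdata")

    def ts(s: str) -> datetime:
        return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

    return Rrsig(f[0].upper(), ts(f[4]), ts(f[5]), f[7].lower().rstrip(".") + ".")


def classify(zone: str, rtype: str, rrsigs: list, ds_present: bool, now: datetime) -> dict:
    """Security state of an apex RRset of `zone`, given the parent's DS answer.
    Step 1: no DS at the parent means the zone is insecure; attached RRSIGs are ignored.
    Step 2: for a signed zone, a usable RRSIG must cover `rtype`, be signed by the
    zone apex and lie inside its validity window (crypto check is out of scope here)."""
    if not ds_present:
        return {"state": "insecure", "reason": "no DS at parent; RRSIGs ignored"}
    matching = [s for s in map(parse_rrsig, rrsigs) if s.type_covered == rtype.upper()]
    counts = {  # same categories the resolver log summarises
        "matching": len(matching),
        "expired": sum(s.expiration < now for s in matching),
        "not_yet_valid": sum(s.inception > now for s in matching),
        "invalid_signer": sum(s.signer != zone.lower() for s in matching),
    }
    usable = [s for s in matching
              if s.signer == zone.lower() and s.inception <= now <= s.expiration]
    return {"state": "secure" if usable else "bogus", "reason": counts}


# Constructed sample: two expired NS RRSIGs signed by droneinfo.fi. (placeholder signature field).
SAMPLE_RRSIGS = [
    "NS 8 2 3600 20200401000000 20200301000000 11111 droneinfo.fi. cGxhY2Vob2xkZXI=",
    "NS 8 2 3600 20200401000000 20200301000000 22222 droneinfo.fi. cGxhY2Vob2xkZXI=",
]
NOW = datetime(2020, 7, 1, tzinfo=timezone.utc)  # constructed "current time"


def report_case() -> dict:
    """Correct outcome for the report's zone: DS proven absent, so insecure."""
    return classify("digitransit.fi.", "NS", SAMPLE_RRSIGS, ds_present=False, now=NOW)


def if_zone_were_signed() -> dict:
    """What validating those RRSIGs yields, i.e. the path the resolver wrongly took."""
    return classify("digitransit.fi.", "NS", SAMPLE_RRSIGS, ds_present=True, now=NOW)
```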