DNSSEC validation not occurring
Knot Resolver does not seem to be validating DNSSEC in my test configuration. Perhaps this is actually expected behavior but it is different from what I observe with other validating DNS servers (1.1.1.1, local unbound instances, resolved).
I am running Knot Resolver version 5.4.2 on Fedora 35 using the distribution provided packages and distribution provided configuration. At the moment this is a single daemon local resolver for testing, in a virtual machine. The server is being queried over the loopback interface. The default configuration will be posted at the end.
Here are some test cases that suggest something is not right:
drill -D sigfail.verteiltesysteme.net @127.0.0.1
[vagrant@fedora knot-resolver]$ drill -D sigfail.verteiltesysteme.net @127.0.0.1
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 17339
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; sigfail.verteiltesysteme.net. IN A
;; ANSWER SECTION:
sigfail.verteiltesysteme.net. 60 IN A 134.91.78.139
sigfail.verteiltesysteme.net. 60 IN RRSIG A 5 3 60 20220301030001 20211130030001 30665 verteiltesysteme.net. //This+RRSIG+is+deliberately+broken///For+more+information+please+go+to/http+//www+verteiltesysteme+net///////////////////////////////////////////////////////////////////8=
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 140 msec
;; EDNS: version 0; flags: do ; udp: 1232
;; SERVER: 127.0.0.1
;; WHEN: Tue Dec 7 01:12:33 2021
;; MSG SIZE rcvd: 253
Trace for sigfail.verteiltesysteme.net
[vagrant@fedora knot-resolver]$ drill -DT sigfail.verteiltesysteme.net @127.0.0.1
;; Number of trusted keys: 1
;; Domain: .
[T] . 172800 IN DNSKEY 256 3 8 ;{id = 14748 (zsk), size = 2048b}
. 172800 IN DNSKEY 257 3 8 ;{id = 20326 (ksk), size = 2048b}
Checking if signing key is trusted:
New key: . 172800 IN DNSKEY 256 3 8 AwEAAY+oUaY0b7Z45vRD1ef/GykZqgHJtfdzRcnQNvGVQAqlH22QChtG+n1EMugw7T/6uDBAGlRIkXASdtHXhxStb9lPpyQe5/JIuMIlg+NhxKxEJ5e3J9SSPCavvDhH/BPrBCJwn8b68QAWRjVW6Rgdx63pUm7lfsimiWGMfplHNvcZWgVbKA9OI2o2lU8rT8n7zuwtlZPNpDLSI5GzrJgIiKR2Id16fmAgTJBOw14Xye/t4/BxTdxeMiiVFwA4KUV2VeqspHKSHFOz+lUIIqBRknEmYpSvnxnyi0n1n4tGnGP8z6ZwRACi1Rw0nCu7BGOU9M6LpInRoW/W4KXLODr6xqU= ;{id = 14748 (zsk), size = 2048b}
Trusted key: . 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b}
Trusted key: . 172800 IN DNSKEY 256 3 8 AwEAAY+oUaY0b7Z45vRD1ef/GykZqgHJtfdzRcnQNvGVQAqlH22QChtG+n1EMugw7T/6uDBAGlRIkXASdtHXhxStb9lPpyQe5/JIuMIlg+NhxKxEJ5e3J9SSPCavvDhH/BPrBCJwn8b68QAWRjVW6Rgdx63pUm7lfsimiWGMfplHNvcZWgVbKA9OI2o2lU8rT8n7zuwtlZPNpDLSI5GzrJgIiKR2Id16fmAgTJBOw14Xye/t4/BxTdxeMiiVFwA4KUV2VeqspHKSHFOz+lUIIqBRknEmYpSvnxnyi0n1n4tGnGP8z6ZwRACi1Rw0nCu7BGOU9M6LpInRoW/W4KXLODr6xqU= ;{id = 14748 (zsk), size = 2048b}
Key is now trusted!
Trusted key: . 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b}
[T] net. 86400 IN DS 35886 8 2 7862b27f5f516ebe19680444d4ce5e762981931842c465f00236401d8bd973ee
;; Domain: net.
[T] net. 86400 IN DNSKEY 257 3 8 ;{id = 35886 (ksk), size = 2048b}
net. 86400 IN DNSKEY 256 3 8 ;{id = 40649 (zsk), size = 1280b}
Checking if signing key is trusted:
New key: net. 86400 IN DNSKEY 256 3 8 AQPc+XHppSgsIokAod79sL0jKA4sBuePSLrBBrcQCAJJSpxto7hsQWGUtmk0sFKAoVMrBto4lVpTBvHuDiaE+S98ptvBw7d5llp9dd9bZvX3Z47U+KVEE3zmPT887w+WZ05PDzib7hy+QMg/uug/F+lJTIr+dGXCGvLyuWtvmWqV+hH0BL40DY2Wy4KE04NgfwWU3B5QqjFaVc9TK3R8BHl1 ;{id = 40649 (zsk), size = 1280b}
Trusted key: . 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b}
Trusted key: . 172800 IN DNSKEY 256 3 8 AwEAAY+oUaY0b7Z45vRD1ef/GykZqgHJtfdzRcnQNvGVQAqlH22QChtG+n1EMugw7T/6uDBAGlRIkXASdtHXhxStb9lPpyQe5/JIuMIlg+NhxKxEJ5e3J9SSPCavvDhH/BPrBCJwn8b68QAWRjVW6Rgdx63pUm7lfsimiWGMfplHNvcZWgVbKA9OI2o2lU8rT8n7zuwtlZPNpDLSI5GzrJgIiKR2Id16fmAgTJBOw14Xye/t4/BxTdxeMiiVFwA4KUV2VeqspHKSHFOz+lUIIqBRknEmYpSvnxnyi0n1n4tGnGP8z6ZwRACi1Rw0nCu7BGOU9M6LpInRoW/W4KXLODr6xqU= ;{id = 14748 (zsk), size = 2048b}
Trusted key: . 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b}
Trusted key: net. 86400 IN DNSKEY 257 3 8 AQOYBnzqWXIEj6mlgXg4LWC0HP2n8eK8XqgHlmJ/69iuIHsa1TrHDG6TcOra/pyeGKwH0nKZhTmXSuUFGh9BCNiwVDuyyb6OBGy2Nte9Kr8NwWg4q+zhSoOf4D+gC9dEzg0yFdwT0DKEvmNPt0K4jbQDS4Yimb+uPKuF6yieWWrPYYCrv8C9KC8JMze2uT6NuWBfsl2fDUoV4l65qMww06D7n+p7RbdwWkAZ0fA63mXVXBZF6kpDtsYD7SUB9jhhfLQE/r85bvg3FaSs5Wi2BaqN06SzGWI1DHu7axthIOeHwg00zxlhTpoYCH0ldoQz+S65zWYi/fRJiyLSBb6JZOvn ;{id = 35886 (ksk), size = 2048b}
Trusted key: net. 86400 IN DNSKEY 256 3 8 AQPc+XHppSgsIokAod79sL0jKA4sBuePSLrBBrcQCAJJSpxto7hsQWGUtmk0sFKAoVMrBto4lVpTBvHuDiaE+S98ptvBw7d5llp9dd9bZvX3Z47U+KVEE3zmPT887w+WZ05PDzib7hy+QMg/uug/F+lJTIr+dGXCGvLyuWtvmWqV+hH0BL40DY2Wy4KE04NgfwWU3B5QqjFaVc9TK3R8BHl1 ;{id = 40649 (zsk), size = 1280b}
Key is now trusted!
[T] verteiltesysteme.net. 86400 IN DS 61908 5 1 3497d121f4c91369e95dc73d8032e688e1abb1fe
verteiltesysteme.net. 86400 IN DS 61908 5 2 2f87866a60c3603f447658ac3ea72baec053b7f9f85fa4b531aabe88b06f5aee
;; Domain: verteiltesysteme.net.
[T] verteiltesysteme.net. 3600 IN DNSKEY 257 3 5 ;{id = 61908 (ksk), size = 1024b}
verteiltesysteme.net. 3600 IN DNSKEY 256 3 5 ;{id = 30665 (zsk), size = 1024b}
[T] Existence denied: sigfail.verteiltesysteme.net. DS
;; No ds record for delegation
;; Domain: sigfail.verteiltesysteme.net.
;; No DNSKEY record found for sigfail.verteiltesysteme.net.
[B] sigfail.verteiltesysteme.net. 60 IN A 134.91.78.139
;; Error: Bogus DNSSEC signature
;;[S] self sig OK; [B] bogus; [T] trusted
drill -D sigfail.verteiltesysteme.net @1.1.1.1
[vagrant@fedora knot-resolver]$ drill -D sigfail.verteiltesysteme.net @1.1.1.1
;; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 15928
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; sigfail.verteiltesysteme.net. IN A
;; ANSWER SECTION:
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 347 msec
;; EDNS: version 0; flags: do ; udp: 1232
;; Data: \# 12 000f00020006000f00020016
;; SERVER: 1.1.1.1
;; WHEN: Tue Dec 7 01:16:55 2021
;; MSG SIZE rcvd: 69
As you can see, the answer section is empty and the response is a SERVFAIL when querying 1.1.1.1 for this domain with deliberately broken DNSSEC records. I obtain the same results from running a local unbound recursive server and from other public validating DNS servers.
It seems like DNSSEC validation isn't occurring and Knot is going on to return unvalidated data in its response. It's clear from the trace that this domain does not have valid DNSSEC data associated with it. My expectation is that unless I were to disable DNSSEC in Knot, it would not return a result for such a domain.
Perhaps there are some configuration items that need to be changed here? I've read the Knot Resolver documentation on DNSSEC validation, and it suggests that validation is enabled by default and shouldn't require any configuration. I have checked, and it appears the trust anchor is loaded, so I don't believe that is the issue.
Tested configuration
[vagrant@fedora knot-resolver]$ cat /etc/knot-resolver/kresd.conf
-- SPDX-License-Identifier: CC0-1.0
-- vim:syntax=lua:set ts=4 sw=4:
-- Refer to manual: https://knot-resolver.readthedocs.org/en/stable/
-- Network interface configuration
net.listen('127.0.0.1', 53, { kind = 'dns' })
net.listen('127.0.0.1', 853, { kind = 'tls' })
--net.listen('127.0.0.1', 443, { kind = 'doh2' })
net.listen('::1', 53, { kind = 'dns', freebind = true })
net.listen('::1', 853, { kind = 'tls', freebind = true })
--net.listen('::1', 443, { kind = 'doh2' })
-- Load useful modules
modules = {
'hints < iterate', -- Load /etc/hosts and allow custom root hints
'stats', -- Track internal statistics
'predict', -- Prefetch expiring/frequent records
}
net.ipv6 = false
-- Cache size
cache.size = 100 * MB
Overall I am super impressed with Knot Resolver from a technical perspective. It seems to be incredibly customizable and configurable using a standard language. It's entirely possible I am not understanding what the proper behavior is here, but I feel like I should open an issue in case this is in fact a real problem.
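As an added check (an example written for this page, not code from the issue reporter or from the Knot Resolver project), the following Python parses the header lines that drill prints, as in the two captures above, and says whether a resolver behaved like a validator: for a deliberately broken name it should answer SERVFAIL, and for a correctly signed name it should answer NOERROR with the AD bit set. The kresd capture shows NOERROR with flags `qr rd ra` only, so it is flagged as returning bogus data. It assumes the query set DO but not CD, which is what `drill -D` does.

```python
import re

# Regexes for the three drill output lines the classification relies on.
HEADER_RE = re.compile(r"^;; ->>HEADER<<-.*?rcode:\s*(\w+)", re.M)
FLAGS_RE = re.compile(r"^;; flags:\s*([a-z ]*);", re.M)
EDNS_RE = re.compile(r"^;; EDNS:.*?flags:\s*([a-z ]*);", re.M)

# Header excerpts copied from the two drill captures in the issue (kresd on
# 127.0.0.1 and 1.1.1.1); the answer section is not needed for the check.
KRESD_SIGFAIL = """\
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 17339
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; EDNS: version 0; flags: do ; udp: 1232
"""
CLOUDFLARE_SIGFAIL = """\
;; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 15928
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; EDNS: version 0; flags: do ; udp: 1232
"""


def parse_drill(output: str) -> dict:
    """Extract rcode, header flags and EDNS flags from drill output."""
    rcode = HEADER_RE.search(output)
    flags = FLAGS_RE.search(output)
    edns = EDNS_RE.search(output)
    return {
        "rcode": rcode.group(1) if rcode else None,
        "flags": set(flags.group(1).split()) if flags else set(),
        "edns": set(edns.group(1).split()) if edns else set(),
    }


def classify(output: str, name_is_bogus: bool) -> str:
    """Judge one answer. name_is_bogus=True for a deliberately broken name
    such as sigfail.verteiltesysteme.net, False for a correctly signed name.
    Assumes the query set DO but not CD (drill -D sets only DO)."""
    p = parse_drill(output)
    if "do" not in p["edns"]:
        return "inconclusive: DO bit absent"
    if name_is_bogus:
        # A validating resolver must not hand back data it could not verify.
        if p["rcode"] == "SERVFAIL":
            return "validating"
        return "not validating: bogus data returned"
    if p["rcode"] == "NOERROR" and "ad" in p["flags"]:
        return "validating"
    return "not validating: no AD bit on a secure name"


if __name__ == "__main__":
    print("kresd:   ", classify(KRESD_SIGFAIL, name_is_bogus=True))
    print("1.1.1.1: ", classify(CLOUDFLARE_SIGFAIL, name_is_bogus=True))
```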