
some validator fixes

Closed Marek Vavrusa requested to merge marek/validator-fixes into master

There are two issues:

  1. Transition to an insecure zone on the final name (e.g. wifi.kabel-deutschland.de): it will never try to fetch the DS to prove the transition, but keeps asking for RRSIG from the child zone instead.
  2. Validation doesn't work when asking for literal wildcards (e.g. *.cloudflare.com).

  • Author Reporter

    The test files in deckard will need to be amended as they don't contain responses for DS queries.

  • Thank you.
    (2.) certainly is an error and needs to be fixed.
    But I can't reproduce (1.)
    There is a log from current master (d0e32c6f), clear cache - wifi.kabel-deutschland.de. kresd asks for DS. I'm not saying there isn't an error somewhere, but could you be more illustrative, please? They had some problems with ns01.registrar.kabel-deutschland.de. (it had not been returning a correct proof of DS non-existence), but now it seems to be OK.

    Edited by Grigorii Demidov
  • Author Reporter

    Let me get you a better example:

    [    0][plan] plan 'dynamic.kabel-deutschland.de.' type 'A'
    [24961][iter]   'dynamic.kabel-deutschland.de.' type 'A' id was assigned, parent id 0
    [24961][cach]   => not even root NS in cache, but let's try NSEC
    [24961][cach]   => trying zone: .
    [24961][cach]   => NSEC sname: range search found inconsistent entry
    [24961][resl]   => using root hints
    [56727][iter]   'dynamic.kabel-deutschland.de.' type 'A' id was assigned, parent id 0
    [56727][resl]   >< TA: '.'
    [56727][plan]   plan '.' type 'DNSKEY'
    [36823][iter]     '.' type 'DNSKEY' id was assigned, parent id 56727
    [36823][cach]     => satisfied by exact RR or CNAME: rank 060, new TTL 172769, scope /0
    [36823][iter]     <= rcode: NOERROR
    [36823][vldr]     <= parent: updating DNSKEY
    [36823][vldr]     <= answer valid, OK
    [ 6869][iter]   'dynamic.kabel-deutschland.de.' type 'A' id was assigned, parent id 0
    [ 6869][resl]   => querying: '192.203.230.10' score: 10 zone cut: '.' qname: 'de.' qtype: 'NS' proto: 'udp'
    [ 6869][iter]   <= loaded 6 glue addresses
    [ 6869][iter]   <= referral response, follow
    [ 6869][vldr]   >< failed to validate but skipping: de. NS
    [ 6869][vldr]   <= DS: OK
    [ 6869][vldr]   <= answer valid, OK
    [ 6869][cach]   => stashed rank: 060, DS de., scoped: 0 (330 B total, incl. 1 RRSIGs)
    [ 6869][cach]   => stashed rank: 002, NS de., scoped: 0 (87 B total, incl. 0 RRSIGs)
    [ 6869][cach]   => stashed also 11 nonauth RRsets
    [ 6869][resl]   <= server: '192.203.230.10' rtt: 63 ms
    [31577][iter]   'dynamic.kabel-deutschland.de.' type 'A' id was assigned, parent id 0
    [31577][plan]   plan 'de.' type 'DNSKEY'
    [14151][iter]     'de.' type 'DNSKEY' id was assigned, parent id 31577
    [14151][cach]     => trying zone: de.
    [14151][cach]     => NSEC sname: range search miss (!nsec_in_zone)
    [14151][resl]     => querying: '194.246.96.1' score: 10 zone cut: 'de.' qname: 'De.' qtype: 'DNSKEY' proto: 'udp'
    [14151][iter]     <= rcode: NOERROR
    [14151][vldr]     <= parent: updating DNSKEY
    [14151][vldr]     <= answer valid, OK
    [14151][cach]     => stashed rank: 060, DNSKEY de., scoped: 0 (837 B total, incl. 1 RRSIGs)
    [14151][resl]     <= server: '194.246.96.1' rtt: 86 ms
    [47724][iter]   'dynamic.kabel-deutschland.de.' type 'A' id was assigned, parent id 0
    [47724][resl]   => querying: '195.243.137.26' score: 10 zone cut: 'de.' qname: 'KaBEL-deUtSchLAnD.DE.' qtype: 'NS' proto: 'udp'
    [47724][resl]   => querying: '194.146.107.6' score: 10 zone cut: 'de.' qname: 'KaBEL-deUtSchLAnD.DE.' qtype: 'NS' proto: 'udp'
    [47724][iter]   <= loaded 2 glue addresses
    [47724][iter]   <= referral response, follow
    [47724][vldr]   >< failed to validate but skipping: kabel-deutschland.de. NS
    [47724][vldr]   <= DS: OK
    [47724][vldr]   <= answer valid, OK
    [47724][cach]   => stashed rank: 060, DS kabel-deutschland.de., scoped: 0 (205 B total, incl. 1 RRSIGs)
    [47724][cach]   => stashed rank: 002, NS kabel-deutschland.de., scoped: 0 (93 B total, incl. 0 RRSIGs)
    [47724][cach]   => stashed also 4 nonauth RRsets
    [47724][resl]   <= server: '195.243.137.26' rtt: 211 ms
    [47724][resl]   <= server: '194.146.107.6' rtt: >= 11 ms
    [26461][iter]   'dynamic.kabel-deutschland.de.' type 'A' id was assigned, parent id 0
    [26461][plan]   plan 'kabel-deutschland.de.' type 'DNSKEY'
    [54088][iter]     'kabel-deutschland.de.' type 'DNSKEY' id was assigned, parent id 26461
    [54088][cach]     => trying zone: kabel-deutschland.de.
    [54088][cach]     => NSEC sname: range search miss (!nsec_in_zone)
    [54088][resl]     => querying: '83.169.185.44' score: 10 zone cut: 'kabel-deutschland.de.' qname: 'KABeL-DEuTSChlAnd.dE.' qtype: 'DNSKEY' proto: 'udp'
    [54088][iter]     <= rcode: NOERROR
    [54088][vldr]     <= parent: updating DNSKEY
    [54088][vldr]     <= answer valid, OK
    [54088][cach]     => stashed rank: 060, DNSKEY kabel-deutschland.de., scoped: 0 (191 B total, incl. 1 RRSIGs)
    [54088][resl]     <= server: '83.169.185.44' rtt: 160 ms
    [16973][iter]   'dynamic.kabel-deutschland.de.' type 'A' id was assigned, parent id 0
    [16973][resl]   => querying: '83.169.184.44' score: 10 zone cut: 'kabel-deutschland.de.' qname: 'dynAmIc.KaBeL-dEutschland.de.' qtype: 'A' proto: 'udp'
    [16973][iter]   <= rcode: NOERROR
    [16973][vldr]   >< cut changed, needs revalidation
    [16973][resl]   <= server: '83.169.184.44' rtt: 214 ms
    [16973][resl]   => resuming yielded answer
    [16973][vldr]   >< no valid RRSIGs found for dynamic.kabel-deutschland.de. A
    [16973][plan]   plan 'dynamic.kabel-deutschland.de.' type 'RRSIG'
    [37485][iter]     'dynamic.kabel-deutschland.de.' type 'RRSIG' id was assigned, parent id 16973
    [37485][resl]     => querying: '83.169.185.44' score: 160 zone cut: 'kabel-deutschland.de.' qname: 'dyNAmiC.KaBel-deUtsChLAND.De.' qtype: 'RRSIG' proto: 'udp'
    [37485][iter]     <= rcode: NOTIMPL
    [37485][vldr]     >< cut changed, needs revalidation
    [37485][resl]     <= server: '83.169.185.44' rtt: 168 ms
    [37485][resl]     => resuming yielded answer
    [37485][vldr]     <= answer valid, OK
    [61105][iter]     'dynamic.kabel-deutschland.de.' type 'RRSIG' id was assigned, parent id 16973
    [61105][resl]     => querying: '83.169.185.44' score: 164 zone cut: 'kabel-deutschland.de.' qname: 'Dynamic.kAbEl-DeuTschlAND.De.' qtype: 'RRSIG' proto: 'udp'
    [61105][iter]     <= rcode: NOTIMPL
    [61105][vldr]     >< cut changed, needs revalidation
    [61105][resl]     => resuming yielded answer
    [61105][vldr]     <= answer valid, OK
    [62969][iter]     'dynamic.kabel-deutschland.de.' type 'RRSIG' id was assigned, parent id 16973
    [62969][resl]     => querying: '83.169.185.44' score: 164 zone cut: 'kabel-deutschland.de.' qname: 'dynamic.kabel-deutschland.de.' qtype: 'RRSIG' proto: 'udp'
    [62969][resl]     => querying: '83.169.184.44' score: 164 zone cut: 'kabel-deutschland.de.' qname: 'dynamic.kabel-deutschland.de.' qtype: 'RRSIG' proto: 'udp'
    [62969][iter]     <= rcode: NOTIMPL
    [62969][resl]     => server: '83.169.185.44' flagged as 'bad'
    [42862][iter]     'dynamic.kabel-deutschland.de.' type 'RRSIG' id was assigned, parent id 16973
    [42862][resl]     => querying: '83.169.184.44' score: 214 zone cut: 'kabel-deutschland.de.' qname: 'dynamic.kabel-deutschland.de.' qtype: 'RRSIG' proto: 'udp'
    [42862][iter]     <= rcode: NOTIMPL
    [42862][resl]     => server: '83.169.184.44' flagged as 'bad'
    [55564][iter]     'dynamic.kabel-deutschland.de.' type 'RRSIG' id was assigned, parent id 16973
    [55564][resl]     => no NS with an address
    [26608][iter]     'dynamic.kabel-deutschland.de.' type 'RRSIG' id was assigned, parent id 16973
    [26608][resl]     => no NS with an address
    [16973][resl]   => resuming yielded answer
    [16973][vldr]   >< no valid RRSIGs found for dynamic.kabel-deutschland.de. A
    [16973][plan]   plan 'dynamic.kabel-deutschland.de.' type 'RRSIG'
    [34094][iter]     'dynamic.kabel-deutschland.de.' type 'RRSIG' id was assigned, parent id 16973
    [34094][resl]     => querying: '83.169.185.44' score: 794 zone cut: 'kabel-deutschland.de.' qname: 'DyNamIC.KabeL-DeuTschLAnd.dE.' qtype: 'RRSIG' proto: 'udp'
    [34094][iter]     <= rcode: NOTIMPL
    [34094][vldr]     >< cut changed, needs revalidation
    [34094][resl]     <= server: '83.169.185.44' rtt: 170 ms
    [34094][resl]     => resuming yielded answer
    [34094][vldr]     <= answer valid, OK
    [   54][iter]     'dynamic.kabel-deutschland.de.' type 'RRSIG' id was assigned, parent id 16973
    [   54][resl]     => querying: '83.169.185.44' score: 482 zone cut: 'kabel-deutschland.de.' qname: 'DyNamIc.kAbEL-deUTscHLANd.De.' qtype: 'RRSIG' proto: 'udp'
    [   54][iter]     <= rcode: NOTIMPL
    [   54][vldr]     >< cut changed, needs revalidation
    [   54][resl]     => resuming yielded answer
    [   54][vldr]     <= answer valid, OK
    [44117][iter]     'dynamic.kabel-deutschland.de.' type 'RRSIG' id was assigned, parent id 16973
    [44117][resl]     => querying: '83.169.185.44' score: 482 zone cut: 'kabel-deutschland.de.' qname: 'dynamic.kabel-deutschland.de.' qtype: 'RRSIG' proto: 'udp'
    [44117][iter]     <= rcode: NOTIMPL
    [44117][resl]     => server: '83.169.185.44' flagged as 'bad'
    [45261][iter]     'dynamic.kabel-deutschland.de.' type 'RRSIG' id was assigned, parent id 16973
    [45261][resl]     => querying: '83.169.184.44' score: 819 zone cut: 'kabel-deutschland.de.' qname: 'dynamic.kabel-deutschland.de.' qtype: 'RRSIG' proto: 'udp'
    [45261][iter]     <= rcode: NOTIMPL
    [45261][resl]     => server: '83.169.184.44' flagged as 'bad'
    [41859][iter]     'dynamic.kabel-deutschland.de.' type 'RRSIG' id was assigned, parent id 16973
    [41859][resl]     => no NS with an address
    [35200][iter]     'dynamic.kabel-deutschland.de.' type 'RRSIG' id was assigned, parent id 16973
    [35200][resl]     => no NS with an address
    [16973][resl]   => resuming yielded answer
    [16973][vldr]   <= continuous revalidation, fails
    [16973][cach]   => stashed rank: 027, A dynamic.kabel-deutschland.de., scoped: 0 (21 B total, incl. 0 RRSIGs)
    [16973][cach]   => stashed packet: rank 025, TTL 86400, A dynamic.kabel-deutschland.de. (86 B)
    [16973][resl]   finished: 8, queries: 5, mempool: 49200 B

    (The loop for RRSIGs isn't correct: if the answer comes without signatures, the resolver should first check whether it transitioned to an insecure zone by querying for DS.)
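
A log check for the pattern in the trace above, as an added example that is not part of the merge request or of Knot Resolver's code: it flags names where an unsigned answer led to planned RRSIG sub-queries while no DS query for that name appears in the log. The sample log is constructed in the same format; its names, addresses and the `type 'DS'` plan line are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the verbose-log format shown above (placeholder names and IPs).
SAMPLE_LOG = """\
[16973][vldr]   >< no valid RRSIGs found for dynamic.example. A
[16973][plan]   plan 'dynamic.example.' type 'RRSIG'
[37485][resl]     => querying: '192.0.2.44' score: 160 zone cut: 'example.' qname: 'dyNAmiC.ExamPle.' qtype: 'RRSIG' proto: 'udp'
[37485][iter]     <= rcode: NOTIMPL
[16973][vldr]   >< no valid RRSIGs found for dynamic.example. A
[16973][plan]   plan 'dynamic.example.' type 'RRSIG'
[   54][resl]     => querying: '192.0.2.45' score: 482 zone cut: 'example.' qname: 'DyNamIc.eXaMple.' qtype: 'RRSIG' proto: 'udp'
[   54][iter]     <= rcode: NOTIMPL
[20001][vldr]   >< no valid RRSIGs found for ok.example. A
[20001][plan]   plan 'ok.example.' type 'DS'
"""
LINE = re.compile(r"^\s*\[\s*(\d+)\]\[(\w+)\]\s+(.*)$")
PLAN = re.compile(r"plan '([^']+)' type '(\w+)'")
NOSIG = re.compile(r"no valid RRSIGs found for (\S+) \w+")
QUERY = re.compile(r"qname: '([^']+)' qtype: '(\w+)'")
RCODE = re.compile(r"<= rcode: (\w+)")

def find_rrsig_loops(log_text):
    """Names whose unsigned answer led to RRSIG sub-queries with no DS query in the log."""
    unsigned, ds_asked = set(), set()
    plans = defaultdict(int)      # name -> number of planned RRSIG sub-queries
    rcodes = defaultdict(list)    # name -> rcodes returned to those sub-queries
    rrsig_by_id = {}              # request id -> name it asked RRSIG for
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        qid, _tag, msg = m.groups()
        if (n := NOSIG.search(msg)):
            unsigned.add(n.group(1).lower())
        elif (p := PLAN.search(msg)) or (p := QUERY.search(msg)):
            name, qtype = p.group(1).lower(), p.group(2)  # lower(): undo 0x20 case mixing
            if qtype == "DS":
                ds_asked.add(name)
            elif qtype == "RRSIG" and msg.startswith("plan"):
                plans[name] += 1
            elif qtype == "RRSIG":
                rrsig_by_id[qid] = name
        elif (r := RCODE.search(msg)) and qid in rrsig_by_id:
            rcodes[rrsig_by_id[qid]].append(r.group(1))
    return {n: {"rrsig_plans": plans[n], "rcodes": rcodes[n]}
            for n in sorted(unsigned) if plans[n] and n not in ds_asked}

print(find_rrsig_loops(SAMPLE_LOG))
```

A flagged name is only a candidate: a DS record delivered in a referral (the `<= DS: OK` lines) is not counted, so compare the flagged name against the zone cuts in the trace before concluding the DS check was skipped.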

  • Yes, kresd failed to validate it and this is a problem. Unfortunately, your MR fixes this case but breaks another, which is OK in current master - www.nic.mx A with name minimization turned off. We will split your MR into two parts. The correction for wildcard validation must be merged anyway. Regarding the validation of the secure->insecure zone transition, I will open an issue.

    Edited by Grigorii Demidov
  • mentioned in issue #376 (closed)

  • Cross-ref: the wildcard fix got merged as !606 (merged).

  • @vavrusam Take a look at !607 (merged), please.

  • Partially merged.
