-
Notifications
You must be signed in to change notification settings - Fork 41
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
DNSSEC validation is failing #127
Comments
Hi, thanks for the bug report! I'll look into this as soon as I can. Might take a week or two, as I have some deadlines coming up on Sept 30 and Oct 1. |
Thank you for looking into this. |
Any update? |
Haven't had a chance yet, been busy with a refactor of another part of the ncdns codebase (specifically certinject). That refactor is nearing completion, so hopefully will get to this soon. |
So, it's been almost an year... I checked again HEAD and the validation is still failing. |
Apologies for the delay, things have been busy here. Might be able to look at it after the v0.2.2 release is finished (which should be within the next week). Alas, there is not much funding available at the moment for me to work on DNSSEC-related things, so things that actually do have funding (e.g. TLS stuff) have been consuming my time. |
Hi @rnhmjoj, According to RFC 4034 Sec. 5:
Given this, I'm a bit confused why pdns-recursor is issuing a That said, RFC 4035 Appendix B.8 says that the correct behavior for ncdns when a resolver makes this error is to return |
This is taking longer than hoped to fix, mainly because integration tests for the fix are difficult to get right. That said, I am making progress; hoping to have news next week. |
I wouldn't really know as I'm not a expert on DNS. I guess I'll forward the question to the pdns-recursors devs.
Great! Thank you for the working on this. |
Should be easier to do integration tests once #160 is done. |
I've tried to enable DNSSEC as described in the README.md
but the validation of .bit domains is failing. It looks like the DS record at the bit. zone is empty.
This is a trace from pdns-recursor (a recursive name server) that's showing the failure:
As you can see ncdns is returning a Form Error. This is a problem because starting with version 4.3.3, pdns-recursor
treats it as a SERVFAIL, which completely breaks the bit. zone.
This is the configuration I've been using for testing:
The text was updated successfully, but these errors were encountered: