[dns-operations] diagnosis help: keys.openpgp.org, systemd-resolved, DVE-2018-0001

Phil Pennock dnsop+phil at spodhuis.org
Mon Jul 13 19:28:46 UTC 2020


Folks,

This appears to be "systemd-resolved in default config talking to Google
Domains with DNSSEC asking for a non-existent SRV record", and my
thoughts of "if it were this broken, people would be screaming louder
already, so I must be missing something", so I'm going to walk step by
step through the chain.

On my production systems, I use unbound not systemd-resolved;
unbound-anchor on Linux is too buggy to use so I'm stuck with
systemd-resolved on my laptop.

Normally I keep /etc/systemd/resolved.conf saying "DNSSEC=yes" but if
I've been travelling outside my home, I revert it back to its _default_
of "DNSSEC=allow-downgrade".  (Thank you, cellular networks and 464XLAT
breaking DNSSEC).

With GnuPG trying to talk to keys.openpgp.org I was getting generic
error messages from GnuPG; turning dirmngr logs way up, I could get:

  DBG: dns: getsrv(_pgpkey-http._tcp.keys.openpgp.org): Server indicated a failure

With systemd-resolved on its default of allow-downgrade, that matches
this in the resolver logs journal:

  Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.
  DNSSEC validation failed for question _tcp.keys.openpgp.org IN DS: no-signature
  DNSSEC validation failed for question _tcp.keys.openpgp.org IN SOA: no-signature
  DNSSEC validation failed for question _pgpkey-http._tcp.keys.openpgp.org IN DS: no-signature
  DNSSEC validation failed for question _pgpkey-http._tcp.keys.openpgp.org IN SOA: no-signature
  DNSSEC validation failed for question _pgpkey-http._tcp.keys.openpgp.org IN SRV: no-signature
  DNSSEC validation failed for question _pgpkey-http._tcp.keys.openpgp.org IN TXT: no-signature

An analysis of
  <https://dnsviz.net/d/_pgpkey-http._tcp.keys.openpgp.org/dnssec/>
(with advanced settings used to ask for SRV) shows no DNSSEC complaints.

Upstream from the systemd-resolved process are two current Unbound
servers (1.10.1) and third in the list is also a Knot resolver (5.1.1).

The DNS authoritative servers for openpgp.org are delegating
`keys.openpgp.org` to `ns-cloud-a1.googledomains.com.` and friends (a1
thru a4).

I'm not seeing any misbehavior from the authoritative servers at any
level, but I'm not seeing why the look for something legitimately
returning NXDOMAIN would need to trigger whatever's going on here and
I'm not following the logic at
<https://github.com/dns-violations/dns-violations/blob/master/2018/DVE-2018-0001.md>.

Can someone please explain what I'm missing, or confirm that this really
is a bug and it's just that DNSSEC+SRV+systemd-resolved is still fairly
rare for most?

Thanks,
-Phil


More information about the dns-operations mailing list