[dns-operations] diagnosis help: keys.openpgp.org, systemd-resolved, DVE-2018-0001

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Jul 13 21:21:42 UTC 2020


On Mon, Jul 13, 2020 at 03:28:46PM -0400, Phil Pennock wrote:

> With GnuPG trying to talk to keys.openpgp.org I was getting generic
> error messages from GnuPG; turning dirmngr logs way up, I could get:
> 
>   DBG: dns: getsrv(_pgpkey-http._tcp.keys.openpgp.org): Server indicated a failure
> 
> With systemd-resolved on its default of allow-downgrade, that matches
> this in the resolver logs journal:
> 
>   Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.
>   DNSSEC validation failed for question _tcp.keys.openpgp.org IN DS: no-signature
>   DNSSEC validation failed for question _tcp.keys.openpgp.org IN SOA: no-signature
>   DNSSEC validation failed for question _pgpkey-http._tcp.keys.openpgp.org IN DS: no-signature
>   DNSSEC validation failed for question _pgpkey-http._tcp.keys.openpgp.org IN SOA: no-signature
>   DNSSEC validation failed for question _pgpkey-http._tcp.keys.openpgp.org IN SRV: no-signature
>   DNSSEC validation failed for question _pgpkey-http._tcp.keys.openpgp.org IN TXT: no-signature
> 
> An analysis of
>   <https://dnsviz.net/d/_pgpkey-http._tcp.keys.openpgp.org/dnssec/>
> (with advanced settings used to ask for SRV) shows no DNSSEC complaints.

It also shows that qname definitively does not exist, with appropriate
signatures and NSEC records, ...  But systemd-resolved, in its infinite
wisdom then decides to second-guess that, and retry with DO=0, and then
complains that the answer is unsigned???

At first blush, looks like severe systemd-resolved brain-damage to me.

    https://dilbert.com/strip/1995-06-24

-- 
    Viktor.
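An added check for the behaviour described in this thread (not part of the thread itself, nor of systemd-resolved or GnuPG): a small POSIX shell function that reads `dig +dnssec` output and reports whether an NXDOMAIN is an authenticated denial (NSEC/NSEC3 plus RRSIG in the AUTHORITY section) or the bare, unsigned NXDOMAIN a DO=0 retry yields. The two embedded replies are constructed samples using the thread's names; the SOA rdata and signature values are placeholders, not the real zone's data.

```shell
#!/bin/sh
# Classify a dig(1) reply for a name that does not exist.
# An NXDOMAIN whose AUTHORITY section carries NSEC/NSEC3 records together with
# RRSIGs is authenticated denial of existence and needs no downgrade retry.
# The same query resent with DO=0 (the DVE-2018-0001 "reduced feature level"
# retry) comes back with neither NSEC nor RRSIG, so a validator looking at that
# second reply can only report no-signature.
# Live use: dig +dnssec SRV _pgpkey-http._tcp.keys.openpgp.org | classify_denial
classify_denial() {
    out=$(cat)   # dig output on stdin
    rcode=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    [ "$rcode" = "NXDOMAIN" ] || { echo "not-nxdomain:${rcode:-unknown}"; return 1; }
    # Keep only the AUTHORITY section: from its header up to the next ";; " header.
    auth=$(printf '%s\n' "$out" | awk '/^;; AUTHORITY SECTION:/{f=1;next} /^;; /{f=0} f')
    nsec=$(printf '%s\n' "$auth" | awk '$4=="NSEC"||$4=="NSEC3"{n++} END{print n+0}')
    sig=$(printf '%s\n' "$auth" | awk '$4=="RRSIG"&&($5=="NSEC"||$5=="NSEC3"){n++} END{print n+0}')
    if [ "$nsec" -gt 0 ] && [ "$sig" -gt 0 ]; then echo "authenticated-denial"
    elif [ "$nsec" -gt 0 ]; then echo "unsigned-denial"     # NSEC present, signatures stripped
    else echo "bare-nxdomain"                               # what a DO=0 retry returns
    fi
}
# Constructed sample of the DO=1 reply (names from the thread; SOA rdata and
# signatures are made-up placeholders, not the real zone's data).
signed_sample() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; AUTHORITY SECTION:
keys.openpgp.org.  300  IN  SOA    ns.placeholder.invalid. hostmaster.placeholder.invalid. 1 7200 3600 1209600 300
keys.openpgp.org.  300  IN  RRSIG  SOA 13 3 300 20200801000000 20200701000000 4242 keys.openpgp.org. PLACEHOLDERSIG==
keys.openpgp.org.  300  IN  NSEC   \000.keys.openpgp.org. A NS SOA RRSIG NSEC DNSKEY
keys.openpgp.org.  300  IN  RRSIG  NSEC 13 3 300 20200801000000 20200701000000 4242 keys.openpgp.org. PLACEHOLDERSIG==

;; Query time: 1 msec
EOF
}
# Constructed sample of the DO=0 retry: same NXDOMAIN, but no NSEC and no RRSIG.
downgraded_sample() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; AUTHORITY SECTION:
keys.openpgp.org.  300  IN  SOA    ns.placeholder.invalid. hostmaster.placeholder.invalid. 1 7200 3600 1209600 300

;; Query time: 1 msec
EOF
}
```

Run `signed_sample | classify_denial` and `downgraded_sample | classify_denial` to see the two outcomes side by side; the first reply is what dnsviz shows for the name, the second is what the downgrade retry leaves the validator with.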

