[dns-operations] diagnosis help: keys.openpgp.org, systemd-resolved, DVE-2018-0001
Viktor Dukhovni
ietf-dane at dukhovni.org
Mon Jul 13 21:21:42 UTC 2020
On Mon, Jul 13, 2020 at 03:28:46PM -0400, Phil Pennock wrote:
> With GnuPG trying to talk to keys.openpgp.org I was getting generic
> error messages from GnuPG; turning dirmngr logs way up, I could get:
>
> DBG: dns: getsrv(_pgpkey-http._tcp.keys.openpgp.org): Server indicated a failure
>
> With systemd-resolved on its default of allow-downgrade, that matches
> this in the resolver logs journal:
>
> Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.
> DNSSEC validation failed for question _tcp.keys.openpgp.org IN DS: no-signature
> DNSSEC validation failed for question _tcp.keys.openpgp.org IN SOA: no-signature
> DNSSEC validation failed for question _pgpkey-http._tcp.keys.openpgp.org IN DS: no-signature
> DNSSEC validation failed for question _pgpkey-http._tcp.keys.openpgp.org IN SOA: no-signature
> DNSSEC validation failed for question _pgpkey-http._tcp.keys.openpgp.org IN SRV: no-signature
> DNSSEC validation failed for question _pgpkey-http._tcp.keys.openpgp.org IN TXT: no-signature
>
> An analysis of
> <https://dnsviz.net/d/_pgpkey-http._tcp.keys.openpgp.org/dnssec/>
> (with advanced settings used to ask for SRV) shows no DNSSEC complaints.
It also shows that qname definitively does not exist, with appropriate
signatures and NSEC records, ... But systemd-resolved, in its infinite
wisdom then decides to second-guess that, and retry with DO=0, and then
complains that the answer is unsigned???
At first blush, looks like severe systemd-resolved brain-damage to me.
https://dilbert.com/strip/1995-06-24
--
Viktor.
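The pattern Viktor describes is visible in the resolver journal itself: a signed NXDOMAIN triggers the DVE-2018-0001 "reduced feature level" retry, the retried query goes out with DO=0, and every answer from that point on is unsigned, which resolved then reports as "no-signature". The following script is an added example, not part of the thread or of systemd, that classifies such journal lines so a downgrade-induced "no-signature" burst can be told apart from a genuine validation failure. The journal lines are constructed for the example and modelled on the ones quoted above; the two-second correlation window is an assumption chosen for illustration.

```python
import re
from datetime import datetime

# Constructed sample journal (not a real capture), modelled on the lines
# quoted in the thread. journalctl -u systemd-resolved produces this shape.
SAMPLE_JOURNAL = """\
Jul 13 15:20:01 host systemd-resolved[812]: Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.
Jul 13 15:20:01 host systemd-resolved[812]: DNSSEC validation failed for question _tcp.keys.openpgp.org IN DS: no-signature
Jul 13 15:20:01 host systemd-resolved[812]: DNSSEC validation failed for question _pgpkey-http._tcp.keys.openpgp.org IN SRV: no-signature
Jul 13 15:20:05 host systemd-resolved[812]: DNSSEC validation failed for question example.net IN A: signature-expired
Jul 13 15:20:30 host systemd-resolved[812]: DNSSEC validation failed for question example.org IN TXT: no-signature
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"systemd-resolved\[\d+\]: (?P<msg>.*)$")
DOWNGRADE_RE = re.compile(
    r"mitigating potential DNS violation (?P<dve>DVE-\d{4}-\d+), "
    r"retrying transaction with reduced feature level (?P<level>\S+)\.")
VALIDATION_RE = re.compile(
    r"DNSSEC validation failed for question (?P<qname>\S+) IN (?P<qtype>\S+): "
    r"(?P<reason>\S+)")


def parse_journal(text):
    """Turn journal lines into a list of event dicts, in journal order.

    Only the two message kinds the analysis needs are kept: the
    DVE-2018-0001 downgrade notice and DNSSEC validation failures.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog-style timestamp carries no year; only differences are used.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        msg = m.group("msg")
        d = DOWNGRADE_RE.search(msg)
        if d:
            events.append({"ts": ts, "kind": "downgrade",
                           "dve": d.group("dve"), "level": d.group("level")})
            continue
        v = VALIDATION_RE.search(msg)
        if v:
            events.append({"ts": ts, "kind": "validation_failed", **v.groupdict()})
    return events


def classify_failures(events, window_seconds=2):
    """Split validation failures into downgrade-induced and everything else.

    A 'no-signature' failure logged within window_seconds of a downgrade
    notice is attributed to the DO=0 retry: an unsigned answer is exactly
    what a DO=0 query asks for, so the failure is self-inflicted. Any other
    reason (signature-expired, bogus, ...) or a no-signature failure with
    no recent downgrade is reported separately as a real problem.
    """
    last_downgrade = None
    report = {"downgrade_induced": [], "other": []}
    for ev in events:
        if ev["kind"] == "downgrade":
            last_downgrade = ev
            continue
        recent = (last_downgrade is not None and
                  (ev["ts"] - last_downgrade["ts"]).total_seconds() <= window_seconds)
        if ev["reason"] == "no-signature" and recent:
            report["downgrade_induced"].append(ev)
        else:
            report["other"].append(ev)
    return report


def affected_names(report):
    """Sorted, de-duplicated qnames whose failures were downgrade-induced."""
    return sorted({ev["qname"] for ev in report["downgrade_induced"]})


if __name__ == "__main__":
    rep = classify_failures(parse_journal(SAMPLE_JOURNAL))
    for ev in rep["downgrade_induced"]:
        print("downgrade-induced:", ev["qname"], ev["qtype"])
    for ev in rep["other"]:
        print("real failure:     ", ev["qname"], ev["qtype"], ev["reason"])
```

Feed it the output of `journalctl -u systemd-resolved` to see whether a run of "no-signature" complaints is the downgrade artefact described in the thread rather than a zone problem. The corresponding configuration lever is the `DNSSEC=` option in resolved.conf: `allow-downgrade` (the default Phil mentions) permits this retry, while `DNSSEC=yes` makes resolved fail hard instead of re-asking without DO.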