unbound 1.7.3 - Verified that unsigned response is INSECURE

Hi unbound users

I am new to dns, new to unbound and new to the list, so please bear with me.

My setup:

dedicated machine to run as a caching resolver in my LAN

ubuntu server 18.10

unbound 1.7.3

This is my unbound.conf

server:
    # chroot: "/etc/unbound"
    username: "unbound"
    directory: "/etc/unbound"
    port: 53
    do-ip4: yes
    do-ip6: no
    do-tcp: yes
    do-udp: no
    # do-udp: yes
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

    interface: 0.0.0.0
    interface-automatic: yes
    access-control: x.y.z.0/24 allow # some private class c net

    root-hints: "root.hints"
    prefetch: yes
    prefetch-key: yes
    use-caps-for-id: yes
    statistics-interval: 600
    statistics-cumulative: yes
    hide-identity: yes
    hide-version: yes
    verbosity: 2

    minimal-responses: yes
    rrset-roundrobin: yes
    ssl-upstream: yes

forward-zone:
    name: "."
    forward-tls-upstream: yes

    forward-addr: 146.185.167.43@853#dot.securedns.eu
    forward-addr: 185.49.141.37@853#getdnsapi.net
    forward-addr: 89.233.43.71@853#unicast.censurfridns.dk

According to my configuration I would have expected to have both DNSSEC
and TLS encryption switched on. The following dig proves this:

$ sudo dig de. SOA

; <<>> DiG 9.11.4-3ubuntu5-Ubuntu <<>> de. SOA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19839
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;de. IN SOA

;; ANSWER SECTION:
de. 7174 IN SOA f.nic.de. its.denic.de. 2018103033 7200 7200 3600000 7200

;; Query time: 356 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Di Okt 30 08:32:15 UTC 2018
;; MSG SIZE rcvd: 83

unbound logs look like this:

Okt 30 08:32:15 dnsserver1 unbound[718]: [718:0] info: resolving de. SOA IN
Okt 30 08:32:15 dnsserver1 unbound[718]: [718:0] info: response for de. SOA IN
Okt 30 08:32:15 dnsserver1 unbound[718]: [718:0] info: reply from <.> 146.185.167.43#853
Okt 30 08:32:15 dnsserver1 unbound[718]: [718:0] info: query response was ANSWER
Okt 30 08:32:15 dnsserver1 unbound[718]: [718:0] info: validated DS de. DS IN
Okt 30 08:32:15 dnsserver1 unbound[718]: [718:0] info: resolving de. DNSKEY IN
Okt 30 08:32:15 dnsserver1 unbound[718]: [718:0] info: response for de. DNSKEY IN
Okt 30 08:32:15 dnsserver1 unbound[718]: [718:0] info: reply from <.> 185.49.141.37#853
Okt 30 08:32:15 dnsserver1 unbound[718]: [718:0] info: query response was ANSWER
Okt 30 08:32:15 dnsserver1 unbound[718]: [718:0] info: validated DNSKEY de. DNSKEY IN
Okt 30 08:32:15 dnsserver1 unbound[718]: [718:0] info: validate(positive): sec_status_secure
Okt 30 08:32:15 dnsserver1 unbound[718]: [718:0] info: validation success de. SOA IN

This is what I had expected.

However, most of the time my logs show lines like the ones below, for
example after a dig like

$ sudo dig ubuntuusers.de SOA +dnssec

; <<>> DiG 9.11.4-3ubuntu5-Ubuntu <<>> ubuntuusers.de SOA +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35576
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ubuntuusers.de. IN SOA

;; ANSWER SECTION:
ubuntuusers.de. 86294 IN SOA ubuntuusers.de. webmaster.ubuntuusers.de. 2006072320 10000 3600 2419200 1200

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Di Okt 30 08:38:33 UTC 2018
;; MSG SIZE rcvd: 89
$

This is what unbound logs:

Okt 30 08:36:47 dnsserver1 unbound[718]: [718:0] info: resolving ubuntuusers.de. SOA IN
Okt 30 08:36:47 dnsserver1 unbound[718]: [718:0] info: response for ubuntuusers.de. SOA IN
Okt 30 08:36:47 dnsserver1 unbound[718]: [718:0] info: reply from <.> 185.49.141.37#853
Okt 30 08:36:47 dnsserver1 unbound[718]: [718:0] info: query response was ANSWER
Okt 30 08:36:47 dnsserver1 unbound[718]: [718:0] info: resolving ubuntuusers.de. DS IN
Okt 30 08:36:47 dnsserver1 unbound[718]: [718:0] info: response for ubuntuusers.de. DS IN
Okt 30 08:36:47 dnsserver1 unbound[718]: [718:0] info: reply from <.> 146.185.167.43#853
Okt 30 08:36:47 dnsserver1 unbound[718]: [718:0] info: query response was nodata ANSWER
Okt 30 08:36:47 dnsserver1 unbound[718]: [718:0] info: NSEC3s for the referral proved no DS.
Okt 30 08:36:47 dnsserver1 unbound[718]: [718:0] info: Verified that unsigned response is INSECURE

To me, this looks like no DNSSEC and maybe no TLS encryption, though I
see the #853s.

What is going wrong here?

Thanks for your help.

Jochen Becker via Unbound-users writes:

> To me, this looks like no DNSSEC and maybe no TLS encryption, though I
> see the #853s.
>
> What is going wrong here?

Nothing. The domain ubuntuusers.de is unsigned.

  jaap

Jaap

Thanks for coming back so quickly. Your answer raised a lot more
questions ...
But as I do not want to bother you with too many silly questions, is
there any documentation available that you could possibly point me to? I
do know your website, though.

Apparently there seems to be a misunderstanding at my end, e.g. where
is the point of validation if the majority of domains are not signed?
Just checked signin.ebay.de and signin.ebay.com, not signed.

Okt 30 10:15:24 dnsserver1 unbound[718]: [718:0] info: resolving sigin.ebay.com. SOA IN
Okt 30 10:15:24 dnsserver1 unbound[718]: [718:0] info: response for sigin.ebay.com. SOA IN
Okt 30 10:15:24 dnsserver1 unbound[718]: [718:0] info: reply from <.> 146.185.167.43#853
Okt 30 10:15:24 dnsserver1 unbound[718]: [718:0] info: query response was NXDOMAIN ANSWER
Okt 30 10:15:24 dnsserver1 unbound[718]: [718:0] info: resolving ebay.com. DS IN
Okt 30 10:15:25 dnsserver1 unbound[718]: [718:0] info: response for ebay.com. DS IN
Okt 30 10:15:25 dnsserver1 unbound[718]: [718:0] info: reply from <.> 89.233.43.71#853
Okt 30 10:15:25 dnsserver1 unbound[718]: [718:0] info: query response was nodata ANSWER
Okt 30 10:15:25 dnsserver1 unbound[718]: [718:0] info: NSEC3s for the referral proved no DS.
Okt 30 10:15:25 dnsserver1 unbound[718]: [718:0] info: Verified that unsigned response is INSECURE

Neither are a couple of banks nor akamai nor googleapis.com, all unsigned.

In my current (and now updated!) understanding, in all these cases I can
never be sure to actually talk to the web site I wanted to?

Unbound has opened my eyes in this project so far. It helps me to use
rolling DNS-servers of choice, it encrypts my queries and shows me what
is going on.
My conclusion so far: DNSSEC remains an illusion. Would that be correct?

Thanks

Jochen

> Apparently there seems to be a misunderstanding at my end, e.g. where
> is the point of validation if the majority of domains are not signed?

The validation happens at the resolver, and the result of the validation can be relayed to the client, if the client is interested in knowing (polling) the outcome of the validation.
Yet none of the browsers, and probably not the majority of other client applications such as mail clients either, have native support for presenting the result of the validation to the user.

> In my current (and now updated!) understanding, in all these cases I can
> never be sure to actually talk to the web site I wanted to?

True, since DNSSEC validation is not presented by any browser or other client application. One could always read the log file of the resolver, but that is cumbersome, or code an extension for web browser(s) (or other client applications), since their vendors do not exhibit any interest in implementing DNSSEC validation presentation (as of today).

> Unbound has opened my eyes in this project so far. It helps me to use
> rolling DNS-servers of choice, it encrypts my queries and shows me what
> is going on.
> My conclusion so far: DNSSEC remains an illusion. Would that be correct?

It is reality, but what is the point of implementing it for a domain, though I have for mine, if the validation results are not presented in a meaningful way to clients?
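The "client polls the outcome" point above, as an added example that is not part of the thread or of unbound: a client asks with the EDNS DO bit set and reads the AD (Authenticated Data) bit in the reply header, which is exactly the difference between the two dig outputs earlier in the thread (`flags: qr rd ra ad` for de., `flags: qr rd ra` for the unsigned ubuntuusers.de). The three reply headers are constructed inline, not captured traffic.

```python
import struct

def build_query(name: str, qtype: int = 6, txid: int = 0x1234) -> bytes:
    """Wire-format query for `name` (default qtype 6 = SOA) with RD set and an
    EDNS0 OPT record carrying the DO bit, i.e. what `dig +dnssec` sends."""
    # header: id, flags (RD=0x0100), qdcount=1, ancount=0, nscount=0, arcount=1 (OPT)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = [l.encode() for l in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)          # class IN
    # OPT RR: root name, type 41, UDP payload 4096, ext-rcode 0, version 0,
    # flags with DO (0x8000), rdlength 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def validation_status(response: bytes) -> str:
    """Classify a validating resolver's reply from its header alone.
    Only trust the AD bit from a resolver you control (here 127.0.0.1 in the
    thread): any middlebox on the path could set it in a forged reply."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", response[2:4])[0]
    rcode = flags & 0x000F
    ad = bool(flags & 0x0020)
    if rcode == 2:              # SERVFAIL: unbound's answer for a bogus (failed) validation
        return "bogus-or-error"
    if rcode not in (0, 3):     # AD is only meaningful on NOERROR / NXDOMAIN
        return f"rcode-{rcode}"
    return "secure" if ad else "insecure"

# Constructed 12-byte reply headers (id, flags, qd, an, ns, ar):
REPLY_SECURE   = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)  # qr rd ra ad
REPLY_INSECURE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)  # qr rd ra
REPLY_BOGUS    = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1)  # qr rd ra, SERVFAIL

if __name__ == "__main__":
    for label, reply in (("de. (signed)", REPLY_SECURE),
                         ("ubuntuusers.de (unsigned)", REPLY_INSECURE),
                         ("broken signature", REPLY_BOGUS)):
        print(f"{label}: {validation_status(reply)}")
```

A reply without AD therefore means "unsigned or not validated", not "no DNSSEC on the resolver"; the resolver-side log line "Verified that unsigned response is INSECURE" and a missing AD bit describe the same outcome.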

> Apparently there seems to be a misunderstanding at my end, e.g. where
> is the point of validation if the majority of domains are not signed?

This is more or less the natural way of "incremental deployment"
of a rather complex technology.

One thing is validation, which is relatively easy to deploy, and
by doing so you at least validate those domains which are signed.

Another thing is to configure signing your domains, and if you
are going to do it yourself, it introduces quite a bit of
additional complexity which needs to be mastered, and if you get
"one little detail" wrong the consequences can be fairly serious.

> In my current (and now updated!) understanding, in all these cases I can
> never be sure to actually talk to the web site I wanted to?

Well, if the domain owner doesn't DNSSEC-sign his domain(s),
attempts at doing validation at your end won't improve matters
*for those domains*.

Of course, deployment is not universal, neither on the signing
nor on the validation end (and will probably never be...).

> My conclusion so far: DNSSEC remains an illusion. Would that be correct?

I would disagree, but deployment has not been rapid.
E.g. validation of DNSSEC varies widely by region:

  https://stats.labs.apnic.net/dnssec

and from my own backyard, the level of DNSSEC-signed domains for
".no" domains is not all "doom and gloom":

  https://www.norid.no/en/statistikk/dnssec/

Regards,

- Håvard