Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

DNSSEC using root servers #1249

Open
IT-Dave opened this issue Mar 10, 2025 · 9 comments
Open

DNSSEC using root servers #1249

IT-Dave opened this issue Mar 10, 2025 · 9 comments

Comments

@IT-Dave
Copy link

IT-Dave commented Mar 10, 2025

When using DNSSEC using technitium as a recursive dns server I have noticed the server logs a lot of errors due to RRSIG validation failed causing a lot of servfail responses to appear in stats. I have also noticed when using dig I am not seeing an AD flag when DNSSEC is enabled for a site that supports DNSSEC when using version 13.4.3
@ShreyasZare
Copy link
Member

Thanks for the feedback. Please share some error logs here so that I can understand the issue better. Also, share examples where you do not see AD flag being set.

@IT-Dave
Copy link
Author

IT-Dave commented Mar 10, 2025

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> whirlpool.net.au
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45234
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;whirlpool.net.au. IN A

;; ANSWER SECTION:
whirlpool.net.au. 300 IN A 104.26.3.30
whirlpool.net.au. 300 IN A 172.67.73.113
whirlpool.net.au. 300 IN A 104.26.2.30

;; Query time: 7 msec
;; SERVER: 192.168.1.53#53(192.168.1.53) (UDP)
;; WHEN: Mon Mar 10 22:19:51 ACDT 2025
;; MSG SIZE rcvd: 93

<<>> DiG 9.18.33-1~deb12u2-Debian <<>> cloudflare.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52022
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;cloudflare.com. IN A

;; ANSWER SECTION:
cloudflare.com. 290 IN A 104.16.133.229
cloudflare.com. 290 IN A 104.16.132.229

;; Query time: 5 msec
;; SERVER: 192.168.1.53#53(192.168.1.53) (UDP)
;; WHEN: Mon Mar 10 22:28:48 ACDT 2025
;; MSG SIZE rcvd: 75

Since tested using;
https://wander.science/projects/dns/dnssec-resolver-test/
http://www.dnssec-or-not.com/

Please see attached screenshots of it sayings DNSSEC is working.. which seems odd as dig is not responding with the AD Flag.
https://ibb.co/DHnHw8LL
https://ibb.co/JW1JM21W

@IT-Dave
Copy link
Author

IT-Dave commented Mar 10, 2025

[2025-03-09 00:02:55 Local] Logging started.
[2025-03-09 00:02:55 Local] DNS Server failed to resolve the request 'f6941d8f39f64134a2b7e8a878aa64ee.bogus.conn.test-ns-signed.internet.nl. HTTPS IN'.
TechnitiumLibrary.Net.Dns.DnsClientResponseDnssecValidationException: Attack detected! DNSSEC validation failed due to missing RRSIG for owner name: f6941d8f39f64134a2b7e8a878aa64ee.bogus.conn.test-ns-signed.internet.nl/A
---> TechnitiumLibrary.Net.Dns.DnsClientResponseDnssecValidationException: Attack detected! DNSSEC validation failed due to missing RRSIG for owner name: f6941d8f39f64134a2b7e8a878aa64ee.bogus.conn.test-ns-signed.internet.nl/A
at TechnitiumLibrary.Net.Dns.DnsClient.DnssecValidateSignatureAsync(DnsDatagram response, IReadOnlyList1 records, IReadOnlyList1 dnsKeyRecords, IReadOnlyList1 unsignedZones, DnssecValidateSignatureParameters parameters, Boolean isAuthoritySection, Boolean isAdditionalSection) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 3191 at TechnitiumLibrary.Net.Dns.DnsClient.DnssecValidateSignatureAsync(DnsDatagram response, IReadOnlyList1 dnsKeyRecords, IReadOnlyList1 unsignedZones) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 2962 at TechnitiumLibrary.Net.Dns.DnsClient.DnssecValidateResponseAsync(DnsDatagram response, IReadOnlyList1 lastDSRecords, DnsClient dnsClient, IDnsCache cache, UInt16 udpPayloadSize, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 2771
at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass47_1.<b__11>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 1147
--- End of inner exception stack trace ---
at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass47_1.<b__11>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 1156
--- End of stack trace from previous location ---
at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass93_0.<g__DoResolveAsync|1>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4708
--- End of stack trace from previous location ---
at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass93_0.<g__DoResolveAsync|1>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4878
--- End of stack trace from previous location ---
at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass93_0.<g__DoResolveAsync|1>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4574
--- End of stack trace from previous location ---
at TechnitiumLibrary.Net.Dns.DnsClient.InternalResolveAsync(DnsDatagram request, Func3 getValidatedResponseAsync, Boolean doNotReorderNameServers, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 5027 at TechnitiumLibrary.Net.Dns.DnsClient.InternalResolveAsync(DnsDatagram request, Func3 getValidatedResponseAsync, Boolean doNotReorderNameServers, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4969
at TechnitiumLibrary.Net.Dns.DnsClient.RecursiveResolveAsync(DnsQuestionRecord question, IDnsCache cache, NetProxy proxy, Boolean preferIPv6, UInt16 udpPayloadSize, Boolean randomizeName, Boolean qnameMinimization, Boolean dnssecValidation, NetworkAddress eDnsClientSubnet, Int32 retries, Int32 timeout, Int32 concurrency, Int32 maxStackCount, Boolean minimalResponse, Boolean asyncNsRevalidation, Boolean asyncNsResolution, List1 rawResponses, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 1130 at TechnitiumLibrary.Net.Dns.DnsClient.RecursiveResolveAsync(DnsQuestionRecord question, IDnsCache cache, NetProxy proxy, Boolean preferIPv6, UInt16 udpPayloadSize, Boolean randomizeName, Boolean qnameMinimization, Boolean dnssecValidation, NetworkAddress eDnsClientSubnet, Int32 retries, Int32 timeout, Int32 concurrency, Int32 maxStackCount, Boolean minimalResponse, Boolean asyncNsRevalidation, Boolean asyncNsResolution, List1 rawResponses, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 1792
at TechnitiumLibrary.TaskExtensions.TimeoutAsync[T](Func2 func, Int32 timeout, CancellationToken cancellationToken) at TechnitiumLibrary.TaskExtensions.TimeoutAsync[T](Func2 func, Int32 timeout, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary\TaskExtensions.cs:line 65
at DnsServerCore.Dns.DnsServer.RecursiveResolverBackgroundTaskAsync(DnsQuestionRecord question, NetworkAddress eDnsClientSubnet, Boolean advancedForwardingClientSubnet, IReadOnlyList1 conditionalForwarders, Boolean dnssecValidation, Boolean cachePrefetchOperation, Boolean cacheRefreshOperation, Boolean skipDnsAppAuthoritativeRequestHandlers, TaskCompletionSource1 taskCompletionSource) in Z:\Technitium\Projects\DnsServer\DnsServerCore\Dns\DnsServer.cs:line 3233
[2025-03-09 00:07:55 Local] DNS Server failed to resolve the request 'f6941d8f39f64134a2b7e8a878aa64ee.bogus.conn.test-ns-signed.internet.nl. HTTPS IN'.
TechnitiumLibrary.Net.Dns.DnsClientResponseDnssecValidationException: Attack detected! DNSSEC validation failed due to missing RRSIG for owner name: f6941d8f39f64134a2b7e8a878aa64ee.bogus.conn.test-ns-signed.internet.nl/A
---> TechnitiumLibrary.Net.Dns.DnsClientResponseDnssecValidationException: Attack detected! DNSSEC validation failed due to missing RRSIG for owner name: f6941d8f39f64134a2b7e8a878aa64ee.bogus.conn.test-ns-signed.internet.nl/A
at TechnitiumLibrary.Net.Dns.DnsClient.DnssecValidateSignatureAsync(DnsDatagram response, IReadOnlyList1 records, IReadOnlyList1 dnsKeyRecords, IReadOnlyList1 unsignedZones, DnssecValidateSignatureParameters parameters, Boolean isAuthoritySection, Boolean isAdditionalSection) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 3191 at TechnitiumLibrary.Net.Dns.DnsClient.DnssecValidateSignatureAsync(DnsDatagram response, IReadOnlyList1 dnsKeyRecords, IReadOnlyList1 unsignedZones) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 2962 at TechnitiumLibrary.Net.Dns.DnsClient.DnssecValidateResponseAsync(DnsDatagram response, IReadOnlyList1 lastDSRecords, DnsClient dnsClient, IDnsCache cache, UInt16 udpPayloadSize, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 2771
at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass47_1.<b__11>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 1147
--- End of inner exception stack trace ---
at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass47_1.<b__11>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 1156
--- End of stack trace from previous location ---
at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass93_0.<g__DoResolveAsync|1>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4708
--- End of stack trace from previous location ---
at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass93_0.<g__DoResolveAsync|1>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4878
--- End of stack trace from previous location ---
at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass93_0.<g__DoResolveAsync|1>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4574
--- End of stack trace from previous location ---
at TechnitiumLibrary.Net.Dns.DnsClient.InternalResolveAsync(DnsDatagram request, Func3 getValidatedResponseAsync, Boolean doNotReorderNameServers, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 5027 at TechnitiumLibrary.Net.Dns.DnsClient.InternalResolveAsync(DnsDatagram request, Func3 getValidatedResponseAsync, Boolean doNotReorderNameServers, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4969
at TechnitiumLibrary.Net.Dns.DnsClient.RecursiveResolveAsync(DnsQuestionRecord question, IDnsCache cache, NetProxy proxy, Boolean preferIPv6, UInt16 udpPayloadSize, Boolean randomizeName, Boolean qnameMinimization, Boolean dnssecValidation, NetworkAddress eDnsClientSubnet, Int32 retries, Int32 timeout, Int32 concurrency, Int32 maxStackCount, Boolean minimalResponse, Boolean asyncNsRevalidation, Boolean asyncNsResolution, List1 rawResponses, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 1130 at TechnitiumLibrary.Net.Dns.DnsClient.RecursiveResolveAsync(DnsQuestionRecord question, IDnsCache cache, NetProxy proxy, Boolean preferIPv6, UInt16 udpPayloadSize, Boolean randomizeName, Boolean qnameMinimization, Boolean dnssecValidation, NetworkAddress eDnsClientSubnet, Int32 retries, Int32 timeout, Int32 concurrency, Int32 maxStackCount, Boolean minimalResponse, Boolean asyncNsRevalidation, Boolean asyncNsResolution, List1 rawResponses, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 1792
at TechnitiumLibrary.TaskExtensions.TimeoutAsync[T](Func2 func, Int32 timeout, CancellationToken cancellationToken) at TechnitiumLibrary.TaskExtensions.TimeoutAsync[T](Func2 func, Int32 timeout, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary\TaskExtensions.cs:line 65
at DnsServerCore.Dns.DnsServer.RecursiveResolverBackgroundTaskAsync(DnsQuestionRecord question, NetworkAddress eDnsClientSubnet, Boolean advancedForwardingClientSubnet, IReadOnlyList1 conditionalForwarders, Boolean dnssecValidation, Boolean cachePrefetchOperation, Boolean cacheRefreshOperation, Boolean skipDnsAppAuthoritativeRequestHandlers, TaskCompletionSource1 taskCompletionSource) in Z:\Technitium\Projects\DnsServer\DnsServerCore\Dns\DnsServer.cs:line 3233
[2025-03-09 00:12:54 Local] DNS Server failed to resolve the request 'f6941d8f39f64134a2b7e8a878aa64ee.bogus.conn.test-ns-signed.internet.nl. HTTPS IN'.
TechnitiumLibrary.Net.Dns.DnsClientResponseDnssecValidationException: Attack detected! DNSSEC validation failed due to missing RRSIG for owner name: f6941d8f39f64134a2b7e8a878aa64ee.bogus.conn.test-ns-signed.internet.nl/A
---> TechnitiumLibrary.Net.Dns.DnsClientResponseDnssecValidationException: Attack detected! DNSSEC validation failed due to missing RRSIG for owner name: f6941d8f39f64134a2b7e8a878aa64ee.bogus.conn.test-ns-signed.internet.nl/A
at TechnitiumLibrary.Net.Dns.DnsClient.DnssecValidateSignatureAsync(DnsDatagram response, IReadOnlyList1 records, IReadOnlyList1 dnsKeyRecords, IReadOnlyList1 unsignedZones, DnssecValidateSignatureParameters parameters, Boolean isAuthoritySection, Boolean isAdditionalSection) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 3191 at TechnitiumLibrary.Net.Dns.DnsClient.DnssecValidateSignatureAsync(DnsDatagram response, IReadOnlyList1 dnsKeyRecords, IReadOnlyList1 unsignedZones) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 2962 at TechnitiumLibrary.Net.Dns.DnsClient.DnssecValidateResponseAsync(DnsDatagram response, IReadOnlyList1 lastDSRecords, DnsClient dnsClient, IDnsCache cache, UInt16 udpPayloadSize, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 2771
at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass47_1.<b__11>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 1147
--- End of inner exception stack trace ---
at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass47_1.<b__11>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 1156
--- End of stack trace from previous location ---
at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass93_0.<g__DoResolveAsync|1>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4708
--- End of stack trace from previous location ---
at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass93_0.<g__DoResolveAsync|1>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4878
--- End of stack trace from previous location ---
at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass93_0.<g__DoResolveAsync|1>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4574
--- End of stack trace from previous location ---
at TechnitiumLibrary.Net.Dns.DnsClient.InternalResolveAsync(DnsDatagram request, Func3 getValidatedResponseAsync, Boolean doNotReorderNameServers, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 5027 at TechnitiumLibrary.Net.Dns.DnsClient.InternalResolveAsync(DnsDatagram request, Func3 getValidatedResponseAsync, Boolean doNotReorderNameServers, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4969

@IT-Dave
Copy link
Author

IT-Dave commented Mar 10, 2025

[2025-03-10 12:40:17 UTC] DNS Server failed to resolve the request 'bogus.d2a13n3.rootcanary.net. AAAA IN'.
TechnitiumLibrary.Net.Dns.DnsClientResponseDnssecValidationException: Attack detected! DNSSEC validation failed due to invalid signature [DnssecBogus] for owner name: bogus.d2a13n3.rootcanary.net/AAAA
at TechnitiumLibrary.Net.Dns.DnsClient.DnssecValidateSignatureAsync(DnsDatagram response, IReadOnlyList1 records, IReadOnlyList1 dnsKeyRecords, IReadOnlyList1 unsignedZones, DnssecValidateSignatureParameters parameters, Boolean isAuthoritySection, Boolean isAdditionalSection) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 3129 at TechnitiumLibrary.Net.Dns.DnsClient.DnssecValidateSignatureAsync(DnsDatagram response, IReadOnlyList1 dnsKeyRecords, IReadOnlyList1 unsignedZones) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 2962 at TechnitiumLibrary.Net.Dns.DnsClient.DnssecValidateResponseAsync(DnsDatagram response, IReadOnlyList1 lastDSRecords, DnsClient dnsClient, IDnsCache cache, UInt16 udpPayloadSize, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 2771
at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass47_1.<b__11>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 1147
--- End of stack trace from previous location ---
at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass93_0.<g__DoResolveAsync|1>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4708
--- End of stack trace from previous location ---
at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass93_0.<g__DoResolveAsync|1>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4878
--- End of stack trace from previous location ---
at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass93_0.<g__DoResolveAsync|1>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4574
--- End of stack trace from previous location ---
at TechnitiumLibrary.Net.Dns.DnsClient.InternalResolveAsync(DnsDatagram request, Func3 getValidatedResponseAsync, Boolean doNotReorderNameServers, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 5040 at TechnitiumLibrary.Net.Dns.DnsClient.RecursiveResolveAsync(DnsQuestionRecord question, IDnsCache cache, NetProxy proxy, Boolean preferIPv6, UInt16 udpPayloadSize, Boolean randomizeName, Boolean qnameMinimization, Boolean dnssecValidation, NetworkAddress eDnsClientSubnet, Int32 retries, Int32 timeout, Int32 concurrency, Int32 maxStackCount, Boolean minimalResponse, Boolean asyncNsRevalidation, Boolean asyncNsResolution, List1 rawResponses, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 1130
at TechnitiumLibrary.Net.Dns.DnsClient.RecursiveResolveAsync(DnsQuestionRecord question, IDnsCache cache, NetProxy proxy, Boolean preferIPv6, UInt16 udpPayloadSize, Boolean randomizeName, Boolean qnameMinimization, Boolean dnssecValidation, NetworkAddress eDnsClientSubnet, Int32 retries, Int32 timeout, Int32 concurrency, Int32 maxStackCount, Boolean minimalResponse, Boolean asyncNsRevalidation, Boolean asyncNsResolution, List1 rawResponses, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 1792 at TechnitiumLibrary.TaskExtensions.TimeoutAsync[T](Func2 func, Int32 timeout, CancellationToken cancellationToken)
at TechnitiumLibrary.TaskExtensions.TimeoutAsync[T](Func2 func, Int32 timeout, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary\TaskExtensions.cs:line 65 at DnsServerCore.Dns.DnsServer.RecursiveResolverBackgroundTaskAsync(DnsQuestionRecord question, NetworkAddress eDnsClientSubnet, Boolean advancedForwardingClientSubnet, IReadOnlyList1 conditionalForwarders, Boolean dnssecValidation, Boolean cachePrefetchOperation, Boolean cacheRefreshOperation, Boolean skipDnsAppAuthoritativeRequestHandlers, TaskCompletionSource1 taskCompletionSource) in Z:\Technitium\Projects\DnsServer\DnsServerCore\Dns\DnsServer.cs:line 3228 [2025-03-10 12:40:17 UTC] DNS Server failed to resolve the request 'bogus.d4a14n3.rootcanary.net. HTTPS IN'. TechnitiumLibrary.Net.Dns.DnsClientResponseDnssecValidationException: Attack detected! DNSSEC validation failed due to invalid signature [DnssecBogus] for owner name: bogus.d4a14n3.rootcanary.net/A ---> TechnitiumLibrary.Net.Dns.DnsClientResponseDnssecValidationException: Attack detected! DNSSEC validation failed due to invalid signature [DnssecBogus] for owner name: bogus.d4a14n3.rootcanary.net/A at TechnitiumLibrary.Net.Dns.DnsClient.DnssecValidateSignatureAsync(DnsDatagram response, IReadOnlyList1 records, IReadOnlyList1 dnsKeyRecords, IReadOnlyList1 unsignedZones, DnssecValidateSignatureParameters parameters, Boolean isAuthoritySection, Boolean isAdditionalSection) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 3129
at TechnitiumLibrary.Net.Dns.DnsClient.DnssecValidateSignatureAsync(DnsDatagram response, IReadOnlyList1 dnsKeyRecords, IReadOnlyList1 unsignedZones) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 2962
at TechnitiumLibrary.Net.Dns.DnsClient.DnssecValidateResponseAsync(DnsDatagram response, IReadOnlyList1 lastDSRecords, DnsClient dnsClient, IDnsCache cache, UInt16 udpPayloadSize, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 2771 at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass47_1.<<RecursiveResolveAsync>b__11>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 1147 --- End of inner exception stack trace --- at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass47_1.<<RecursiveResolveAsync>b__11>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 1156 --- End of stack trace from previous location --- at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass93_0.<<InternalResolveAsync>g__DoResolveAsync|1>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4708 --- End of stack trace from previous location --- at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass93_0.<<InternalResolveAsync>g__DoResolveAsync|1>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4878 --- End of stack trace from previous location --- at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass93_0.<<InternalResolveAsync>g__DoResolveAsync|1>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4574 --- End of stack trace from previous location --- at TechnitiumLibrary.Net.Dns.DnsClient.InternalResolveAsync(DnsDatagram request, Func3 getValidatedResponseAsync, Boolean doNotReorderNameServers, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 5040
at TechnitiumLibrary.Net.Dns.DnsClient.RecursiveResolveAsync(DnsQuestionRecord question, IDnsCache cache, NetProxy proxy, Boolean preferIPv6, UInt16 udpPayloadSize, Boolean randomizeName, Boolean qnameMinimization, Boolean dnssecValidation, NetworkAddress eDnsClientSubnet, Int32 retries, Int32 timeout, Int32 concurrency, Int32 maxStackCount, Boolean minimalResponse, Boolean asyncNsRevalidation, Boolean asyncNsResolution, List1 rawResponses, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 1130 at TechnitiumLibrary.Net.Dns.DnsClient.RecursiveResolveAsync(DnsQuestionRecord question, IDnsCache cache, NetProxy proxy, Boolean preferIPv6, UInt16 udpPayloadSize, Boolean randomizeName, Boolean qnameMinimization, Boolean dnssecValidation, NetworkAddress eDnsClientSubnet, Int32 retries, Int32 timeout, Int32 concurrency, Int32 maxStackCount, Boolean minimalResponse, Boolean asyncNsRevalidation, Boolean asyncNsResolution, List1 rawResponses, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 1792
at TechnitiumLibrary.TaskExtensions.TimeoutAsync[T](Func2 func, Int32 timeout, CancellationToken cancellationToken) at TechnitiumLibrary.TaskExtensions.TimeoutAsync[T](Func2 func, Int32 timeout, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary\TaskExtensions.cs:line 65
at DnsServerCore.Dns.DnsServer.RecursiveResolverBackgroundTaskAsync(DnsQuestionRecord question, NetworkAddress eDnsClientSubnet, Boolean advancedForwardingClientSubnet, IReadOnlyList1 conditionalForwarders, Boolean dnssecValidation, Boolean cachePrefetchOperation, Boolean cacheRefreshOperation, Boolean skipDnsAppAuthoritativeRequestHandlers, TaskCompletionSource1 taskCompletionSource) in Z:\Technitium\Projects\DnsServer\DnsServerCore\Dns\DnsServer.cs:line 3228
[2025-03-10 12:40:17 UTC] DNS Server failed to resolve the request 'bogus.d2a14n3.rootcanary.net. AAAA IN'.
TechnitiumLibrary.Net.Dns.DnsClientResponseDnssecValidationException: Attack detected! DNSSEC validation failed due to invalid signature [DnssecBogus] for owner name: bogus.d2a14n3.rootcanary.net/AAAA
at TechnitiumLibrary.Net.Dns.DnsClient.DnssecValidateSignatureAsync(DnsDatagram response, IReadOnlyList1 records, IReadOnlyList1 dnsKeyRecords, IReadOnlyList1 unsignedZones, DnssecValidateSignatureParameters parameters, Boolean isAuthoritySection, Boolean isAdditionalSection) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 3129 at TechnitiumLibrary.Net.Dns.DnsClient.DnssecValidateSignatureAsync(DnsDatagram response, IReadOnlyList1 dnsKeyRecords, IReadOnlyList1 unsignedZones) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 2962 at TechnitiumLibrary.Net.Dns.DnsClient.DnssecValidateResponseAsync(DnsDatagram response, IReadOnlyList1 lastDSRecords, DnsClient dnsClient, IDnsCache cache, UInt16 udpPayloadSize, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 2771
at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass47_1.<b__11>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 1147
--- End of stack trace from previous location ---
at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass93_0.<g__DoResolveAsync|1>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4708
--- End of stack trace from previous location ---
at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass93_0.<g__DoResolveAsync|1>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4878
--- End of stack trace from previous location ---
at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass93_0.<g__DoResolveAsync|1>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4574
--- End of stack trace from previous location ---
at TechnitiumLibrary.Net.Dns.DnsClient.InternalResolveAsync(DnsDatagram request, Func3 getValidatedResponseAsync, Boolean doNotReorderNameServers, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 5040 at TechnitiumLibrary.Net.Dns.DnsClient.RecursiveResolveAsync(DnsQuestionRecord question, IDnsCache cache, NetProxy proxy, Boolean preferIPv6, UInt16 udpPayloadSize, Boolean randomizeName, Boolean qnameMinimization, Boolean dnssecValidation, NetworkAddress eDnsClientSubnet, Int32 retries, Int32 timeout, Int32 concurrency, Int32 maxStackCount, Boolean minimalResponse, Boolean asyncNsRevalidation, Boolean asyncNsResolution, List1 rawResponses, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 1130
at TechnitiumLibrary.Net.Dns.DnsClient.RecursiveResolveAsync(DnsQuestionRecord question, IDnsCache cache, NetProxy proxy, Boolean preferIPv6, UInt16 udpPayloadSize, Boolean randomizeName, Boolean qnameMinimization, Boolean dnssecValidation, NetworkAddress eDnsClientSubnet, Int32 retries, Int32 timeout, Int32 concurrency, Int32 maxStackCount, Boolean minimalResponse, Boolean asyncNsRevalidation, Boolean asyncNsResolution, List1 rawResponses, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 1792 at TechnitiumLibrary.TaskExtensions.TimeoutAsync[T](Func2 func, Int32 timeout, CancellationToken cancellationToken)
at TechnitiumLibrary.TaskExtensions.TimeoutAsync[T](Func2 func, Int32 timeout, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary\TaskExtensions.cs:line 65 at DnsServerCore.Dns.DnsServer.RecursiveResolverBackgroundTaskAsync(DnsQuestionRecord question, NetworkAddress eDnsClientSubnet, Boolean advancedForwardingClientSubnet, IReadOnlyList1 conditionalForwarders, Boolean dnssecValidation, Boolean cachePrefetchOperation, Boolean cacheRefreshOperation, Boolean skipDnsAppAuthoritativeRequestHandlers, TaskCompletionSource1 taskCompletionSource) in Z:\Technitium\Projects\DnsServer\DnsServerCore\Dns\DnsServer.cs:line 3228 [2025-03-10 12:40:17 UTC] DNS Server failed to resolve the request 'bogus.d2a14n3.rootcanary.net. HTTPS IN'. TechnitiumLibrary.Net.Dns.DnsClientResponseDnssecValidationException: Attack detected! DNSSEC validation failed due to invalid signature [DnssecBogus] for owner name: bogus.d2a14n3.rootcanary.net/A ---> TechnitiumLibrary.Net.Dns.DnsClientResponseDnssecValidationException: Attack detected! DNSSEC validation failed due to invalid signature [DnssecBogus] for owner name: bogus.d2a14n3.rootcanary.net/A at TechnitiumLibrary.Net.Dns.DnsClient.DnssecValidateSignatureAsync(DnsDatagram response, IReadOnlyList1 records, IReadOnlyList1 dnsKeyRecords, IReadOnlyList1 unsignedZones, DnssecValidateSignatureParameters parameters, Boolean isAuthoritySection, Boolean isAdditionalSection) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 3129
at TechnitiumLibrary.Net.Dns.DnsClient.DnssecValidateSignatureAsync(DnsDatagram response, IReadOnlyList1 dnsKeyRecords, IReadOnlyList1 unsignedZones) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 2962
at TechnitiumLibrary.Net.Dns.DnsClient.DnssecValidateResponseAsync(DnsDatagram response, IReadOnlyList1 lastDSRecords, DnsClient dnsClient, IDnsCache cache, UInt16 udpPayloadSize, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 2771 at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass47_1.<<RecursiveResolveAsync>b__11>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 1147 --- End of inner exception stack trace --- at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass47_1.<<RecursiveResolveAsync>b__11>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 1156 --- End of stack trace from previous location --- at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass93_0.<<InternalResolveAsync>g__DoResolveAsync|1>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4708 --- End of stack trace from previous location --- at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass93_0.<<InternalResolveAsync>g__DoResolveAsync|1>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4878 --- End of stack trace from previous location --- at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass93_0.<<InternalResolveAsync>g__DoResolveAsync|1>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4574 --- End of stack trace from previous location --- at TechnitiumLibrary.Net.Dns.DnsClient.InternalResolveAsync(DnsDatagram request, Func3 getValidatedResponseAsync, Boolean doNotReorderNameServers, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 5040
at TechnitiumLibrary.Net.Dns.DnsClient.RecursiveResolveAsync(DnsQuestionRecord question, IDnsCache cache, NetProxy proxy, Boolean preferIPv6, UInt16 udpPayloadSize, Boolean randomizeName, Boolean qnameMinimization, Boolean dnssecValidation, NetworkAddress eDnsClientSubnet, Int32 retries, Int32 timeout, Int32 concurrency, Int32 maxStackCount, Boolean minimalResponse, Boolean asyncNsRevalidation, Boolean asyncNsResolution, List1 rawResponses, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 1130 at TechnitiumLibrary.Net.Dns.DnsClient.RecursiveResolveAsync(DnsQuestionRecord question, IDnsCache cache, NetProxy proxy, Boolean preferIPv6, UInt16 udpPayloadSize, Boolean randomizeName, Boolean qnameMinimization, Boolean dnssecValidation, NetworkAddress eDnsClientSubnet, Int32 retries, Int32 timeout, Int32 concurrency, Int32 maxStackCount, Boolean minimalResponse, Boolean asyncNsRevalidation, Boolean asyncNsResolution, List1 rawResponses, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 1792
at TechnitiumLibrary.TaskExtensions.TimeoutAsync[T](Func2 func, Int32 timeout, CancellationToken cancellationToken) at TechnitiumLibrary.TaskExtensions.TimeoutAsync[T](Func2 func, Int32 timeout, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary\TaskExtensions.cs:line 65
at DnsServerCore.Dns.DnsServer.RecursiveResolverBackgroundTaskAsync(DnsQuestionRecord question, NetworkAddress eDnsClientSubnet, Boolean advancedForwardingClientSubnet, IReadOnlyList1 conditionalForwarders, Boolean dnssecValidation, Boolean cachePrefetchOperation, Boolean cacheRefreshOperation, Boolean skipDnsAppAuthoritativeRequestHandlers, TaskCompletionSource1 taskCompletionSource) in Z:\Technitium\Projects\DnsServer\DnsServerCore\Dns\DnsServer.cs:line 3228
[2025-03-10 12:40:34 UTC] [192.168.1.64:49579] Check for update was done {updateAvailable: False; updateVersion: 13.4.3; updateTitle: New Update (v13.4.3) Available!; updateMessage: Follow the instructions from the link below to update the DNS server to the latest version. Read the change logs before installing this update to know if there are any breaking changes.; instructionsLink: https://blog.technitium.com/2017/11/running-dns-server-on-ubuntu-linux.html; changeLogLink: https://github.com/TechnitiumSoftware/DnsServer/blob/master/CHANGELOG.md;}
[2025-03-10 12:41:10 UTC] [192.168.1.64:49583] Check for update was done {updateAvailable: False; updateVersion: 13.4.3; updateTitle: New Update (v13.4.3) Available!; updateMessage: Follow the instructions from the link below to update the DNS server to the latest version. Read the change logs before installing this update to know if there are any breaking changes.; instructionsLink: https://blog.technitium.com/2017/11/running-dns-server-on-ubuntu-linux.html; changeLogLink: https://github.com/TechnitiumSoftware/DnsServer/blob/master/CHANGELOG.md;}

@ShreyasZare
Copy link
Member

Thanks for the details. The AD flag is only set if the request has DO flag set. DO flag in request indicates that the client understands AD flag and only then its set.

Attack detected! DNSSEC validation failed due to missing RRSIG for owner name: f6941d8f39f64134a2b7e8a878aa64ee.bogus.conn.test-ns-signed.internet.nl/A

The error logs are normal since you did DNSSEC tests on various websites. The domain names used in these tests will have validation errors deliberately to test if your DNS server is able to detect it. The DNS server will detect these validation errors and log them. Since these requests fail, the DNS server will respond with ServerFailure and it will show up on the dashboard stats as well.

@IT-Dave
Copy link
Author

IT-Dave commented Mar 10, 2025

That explains it then.. technitium isn’t sending the DO flag which is why I am finding DNSSEC to be hit and miss..

@ShreyasZare
Copy link
Member

That explains it then.. technitium isn’t sending the DO flag which is why I am finding DNSSEC to be hit and miss..

Its the client that has to set DO flag, not the server. Technitium DNS Server sets DO flag for outbound requests when DNSSEC Validation is enabled.

DNSSEC is working as expected. What you are observing is normal and expected.

@IT-Dave
Copy link
Author

IT-Dave commented Mar 10, 2025

I have since carried out a packet inspection of traffic via Wireshark and can see that it’s your dns server that not marking the outgoing requests with the DO flag correctly which is why I am seeing the issue. I have since had a look at some of the backend code and found a mile of issues you might want to go and find and fix. I personally wouldn’t be wasting yours and my time if there was not an issue..

@ShreyasZare
Copy link
Member

I have since carried out a packet inspection of traffic via Wireshark and can see that it’s your dns server that not marking the outgoing requests with the DO flag correctly which is why I am seeing the issue. I have since had a look at some of the backend code and found a mile of issues you might want to go and find and fix. I personally wouldn’t be wasting yours and my time if there was not an issue..

DNSSEC validation will not work without setting DO flag. If you see DO flag not being set then you may have disabled DNSSEC validation in Settings. You have yourself tested with couple of websites that say DNSSEC is working which means DO flag is set.

Please share data instead of claims. If there are bugs then they will be acknowledged and fixed. Any bug you can report will be appreciated.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ShreyasZare @IT-Dave