Bogus DNSSEC

Open szmarczak opened this issue 10 months ago • 3 comments

Checklist

  • [x] I am able to reproduce the bug with the latest version given here: CLICK THIS LINK.
  • [x] I made sure that there are no existing issues - open or closed - which I could contribute my information to.
  • [x] I have read the FAQ and my problem isn't listed.
  • [x] I have taken the time to fill in all the required details. I understand that the bug report will be dismissed otherwise.
  • [x] This issue contains only one bug.
  • [x] I have read and understood the contribution guidelines.

Affected version

not needed

Steps to reproduce the bug

# dig @8.8.8.8 newpipe.net +dnssec

; <<>> DiG 9.18.31 <<>> @8.8.8.8 newpipe.net +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29308
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
; EDE: 6 (DNSSEC Bogus): (RRSIG with malformed signature found for newpipe.net/dnskey (keytag=35320))
;; QUESTION SECTION:
;newpipe.net.                   IN      A

;; ANSWER SECTION:
newpipe.net.            114     IN      A       159.69.138.33
newpipe.net.            114     IN      RRSIG   A 8 2 120 20250226212500 20250126212500 1776 newpipe.net. DrRgwC3F1mIhqWbh9Y4axqPIAmxd/0QsuN7ja2NPCmR17fnbLCgWegDF KG+7sDLCIWM8r/jhBctgjXpTBjmpZ3h3F1OGZxo3sT77SC4sMdpv7YiU HQprGP7Is/YulKMmq+Twp1PZrBWGYJAIKXp16ZR4CTNl7eFx9LuUu3xf doc=
newpipe.net.            114     IN      RRSIG   A 8 2 120 20250302195000 20250130195000 63741 newpipe.net. SuOORTzyGTyUPMRBjGEusNLZF65JEI8ijV4OZeAZQ/HW/luX/o49wkvo WFcpV715bxu7EMwvdsRqQxkLYFY2uIXe9tXQmtqcvdYLEf+X1+DljkX/ wmr0e1URiOwGmGcDZF/Z7ur6G00uLV19pNATk6bjLW9N2a6PknSkBSpn htk=

;; Query time: 19 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Sat Feb 01 14:07:24 UTC 2025
;; MSG SIZE  rcvd: 478

1.1.1.1 does not send A at all.

Expected behavior

No response

Actual behavior

No response

Screenshots/Screen recordings

No response

Logs

No response

Affected Android/Custom ROM version

No response

Affected device model

No response

Additional information

No response

szmarczak avatar Feb 01 '25 14:02 szmarczak

@TheAssassin Can this be closed?

TobiGr avatar Feb 03 '25 17:02 TobiGr

https://github.com/TeamNewPipe/website/issues/379

EDIT: working fine now.

tzagim avatar Apr 28 '25 04:04 tzagim

@TobiGr I think we need a more permanent solution at some point because it just broke again (and was fixed automatically, apparently). We use the automated DNSSEC feature of our provider. We should probably escalate it there. Also, monitoring would be good to have, albeit we still need some more infrastructure for that.

TheAssassin avatar May 01 '25 01:05 TheAssassin
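
A sketch of the monitoring check mentioned in the last comment, as an added example (not code from the NewPipe project or from anyone in this thread). It parses `dig +dnssec` output. The reply quoted in the issue has the `ad` flag set and also carries EDE 6, so a check that looks only at `ad` would have passed it. The names `classify` and `query` are hypothetical; the first sample is copied from the issue, the other two are constructed.

```python
import re
import subprocess

# RFC 8914 Extended DNS Error codes that report a DNSSEC validation problem.
DNSSEC_EDE = {5: "DNSSEC Indeterminate", 6: "DNSSEC Bogus", 7: "Signature Expired",
              8: "Signature Not Yet Valid", 9: "DNSKEY Missing", 10: "RRSIGs Missing",
              11: "No Zone Key Bit Set", 12: "NSEC Missing"}

# Header and OPT lines copied from the dig output quoted in this issue.
SAMPLE_FROM_ISSUE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29308
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 512
; EDE: 6 (DNSSEC Bogus): (RRSIG with malformed signature found for newpipe.net/dnskey (keytag=35320))
"""

# Constructed samples (assumed shapes): a resolver that returns no answer, and a clean reply.
SAMPLE_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
; EDE: 6 (DNSSEC Bogus)
"""
SAMPLE_HEALTHY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""

def classify(dig_output):
    """Return (state, reasons); state is 'ok', 'degraded' or 'failing'."""
    status = re.search(r"status: (\w+)", dig_output)
    flags = re.search(r"^;; flags: ([a-z ]*);", dig_output, re.M)
    codes = [int(c) for c in re.findall(r"^; EDE: (\d+)", dig_output, re.M)]
    reasons = [f"EDE {c} ({DNSSEC_EDE[c]})" for c in codes if c in DNSSEC_EDE]
    if status is None or status.group(1) != "NOERROR":
        rcode = status.group(1) if status else "no response"
        return "failing", [f"status {rcode}"] + reasons
    if flags is None or "ad" not in flags.group(1).split():
        reasons.append("AD flag not set")  # a signed zone should validate
    return ("degraded" if reasons else "ok"), reasons

def query(resolver, name):
    """Run the command from the issue; needs dig and network access."""
    return subprocess.run(["dig", f"@{resolver}", name, "+dnssec"],
                          capture_output=True, text=True, timeout=15).stdout

if __name__ == "__main__":
    for label, text in [("issue", SAMPLE_FROM_ISSUE), ("servfail", SAMPLE_SERVFAIL),
                        ("healthy", SAMPLE_HEALTHY)]:
        print(label, classify(text))
```

For live use, feed `classify(query("8.8.8.8", "newpipe.net"))` from a scheduler against more than one validating resolver and alert on any state other than `ok`.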