
Random DNSSEC errors after 12.1 update

Open claudio4 opened this issue 1 year ago • 12 comments

After upgrading my server to version 12.1 using the Docker image, I've observed that the resolution of certain domains occasionally fails at random. When this issue arises, attempts to resolve the domain continue to fail for a period, and then, after about a minute, the issue resolves itself without any manual intervention. It's important to note that this only occurs with certain domains, and while I have not observed it affecting two different domains simultaneously, I cannot rule out the possibility. Meanwhile, the resolver functions perfectly for other domains, even when the affected ones are failing.

I checked the logs and when this issue occurs, this exception gets printed in the log:

[2024-03-24 13:19:21 UTC] DNS Server failed to resolve the request 'mt-proxy.cl4.es. A IN' using forwarders: cloudflare-dns.com:853 (1.1.1.1), cloudflare-dns.com:853 (1.0.0.1), dns.quad9.net:853 (9.9.9.9), dns.quad9.net:853 (149.112.112.112).
TechnitiumLibrary.Net.Dns.DnsClientResponseDnssecValidationException: DNSSEC validation failed due to missing RRSIG for owner name: mt-proxy.cl4.es/CNAME
   at TechnitiumLibrary.Net.Dns.DnsClient.DnssecValidateSignatureAsync(DnsDatagram response, IReadOnlyList`1 records, IReadOnlyList`1 dnsKeyRecords, IReadOnlyList`1 unsignedZones, DnssecValidateSignatureParameters parameters, Boolean isAuthoritySection, Boolean isAdditionalSection) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 2959
   at TechnitiumLibrary.Net.Dns.DnsClient.DnssecValidateSignatureAsync(DnsDatagram response, IReadOnlyList`1 dnsKeyRecords, IReadOnlyList`1 unsignedZones) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 2730
   at TechnitiumLibrary.Net.Dns.DnsClient.DnssecValidateResponseAsync(DnsDatagram response, IReadOnlyList`1 lastDSRecords, DnsClient dnsClient, IDnsCache cache, UInt16 udpPayloadSize, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 2566
   at TechnitiumLibrary.Net.Dns.DnsClient.InternalDnssecResolveAsync(DnsQuestionRecord question, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4692
   at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass91_0.<<InternalCachedResolveQueryAsync>b__0>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4754
--- End of stack trace from previous location ---
   at TechnitiumLibrary.Net.Dns.DnsClient.ResolveQueryAsync(DnsQuestionRecord question, Func`2 resolveAsync) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4103
   at TechnitiumLibrary.Net.Dns.DnsClient.InternalCachedResolveQueryAsync(DnsQuestionRecord question, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4736
   at DnsServerCore.Dns.DnsServer.RecursiveResolveAsync(DnsQuestionRecord question, NetworkAddress eDnsClientSubnet, Boolean advancedForwardingClientSubnet, IReadOnlyList`1 conditionalForwarders, Boolean dnssecValidation, Boolean cachePrefetchOperation, Boolean cacheRefreshOperation, Boolean skipDnsAppAuthoritativeRequestHandlers, TaskCompletionSource`1 taskCompletionSource) in Z:\Technitium\Projects\DnsServer\DnsServerCore\Dns\DnsServer.cs:line 3193
[2024-03-24 13:38:57 UTC] DNS Server failed to resolve the request 'ocsp.pki.goog. A IN' using forwarders: cloudflare-dns.com:853 (1.1.1.1), cloudflare-dns.com:853 (1.0.0.1), dns.quad9.net:853 (9.9.9.9), dns.quad9.net:853 (149.112.112.112).
TechnitiumLibrary.Net.Dns.DnsClientResponseDnssecValidationException: DNSSEC validation failed due to missing RRSIG for owner name: ocsp.pki.goog/CNAME
   at TechnitiumLibrary.Net.Dns.DnsClient.DnssecValidateSignatureAsync(DnsDatagram response, IReadOnlyList`1 records, IReadOnlyList`1 dnsKeyRecords, IReadOnlyList`1 unsignedZones, DnssecValidateSignatureParameters parameters, Boolean isAuthoritySection, Boolean isAdditionalSection) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 2959
   at TechnitiumLibrary.Net.Dns.DnsClient.DnssecValidateSignatureAsync(DnsDatagram response, IReadOnlyList`1 dnsKeyRecords, IReadOnlyList`1 unsignedZones) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 2730
   at TechnitiumLibrary.Net.Dns.DnsClient.DnssecValidateResponseAsync(DnsDatagram response, IReadOnlyList`1 lastDSRecords, DnsClient dnsClient, IDnsCache cache, UInt16 udpPayloadSize, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 2566
   at TechnitiumLibrary.Net.Dns.DnsClient.InternalDnssecResolveAsync(DnsQuestionRecord question, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4692
   at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass91_0.<<InternalCachedResolveQueryAsync>b__0>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4754
--- End of stack trace from previous location ---
   at TechnitiumLibrary.Net.Dns.DnsClient.ResolveQueryAsync(DnsQuestionRecord question, Func`2 resolveAsync) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4103
   at TechnitiumLibrary.Net.Dns.DnsClient.InternalCachedResolveQueryAsync(DnsQuestionRecord question, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4736
   at DnsServerCore.Dns.DnsServer.RecursiveResolveAsync(DnsQuestionRecord question, NetworkAddress eDnsClientSubnet, Boolean advancedForwardingClientSubnet, IReadOnlyList`1 conditionalForwarders, Boolean dnssecValidation, Boolean cachePrefetchOperation, Boolean cacheRefreshOperation, Boolean skipDnsAppAuthoritativeRequestHandlers, TaskCompletionSource`1 taskCompletionSource) in Z:\Technitium\Projects\DnsServer\DnsServerCore\Dns\DnsServer.cs:line 3193

If I use the DNS Client built into the webUI with the server set to "This Server" and with "Enable DNSSEC Validation", and the issue arises, I get this response:

{
  "Metadata": {
    "NameServer": "technitium.sb.cl4.es (10.69.0.20)",
    "Protocol": "Udp",
    "DatagramSize": "291 bytes",
    "RoundTripTime": "154.04 ms"
  },
  "EDNS": {
    "UdpPayloadSize": 1232,
    "ExtendedRCODE": "NoError",
    "Version": 0,
    "Flags": "DNSSEC_OK",
    "Options": [
      {
        "Code": "EXTENDED_DNS_ERROR",
        "Length": "2 bytes",
        "Data": {
          "InfoCode": "StaleAnswer",
          "ExtraText": null
        }
      }
    ]
  },
  "DnsClientExtendedErrors": [
    {
      "InfoCode": "SignatureExpired",
      "ExtraText": "mt-proxy.cl4.es CNAME IN"
    }
  ],
  "Identifier": 0,
  "IsResponse": true,
  "OPCODE": "StandardQuery",
  "AuthoritativeAnswer": false,
  "Truncation": false,
  "RecursionDesired": true,
  "RecursionAvailable": true,
  "Z": 0,
  "AuthenticData": true,
  "CheckingDisabled": true,
  "RCODE": "NoError",
  "QDCOUNT": 1,
  "ANCOUNT": 4,
  "NSCOUNT": 0,
  "ARCOUNT": 1,
  "Question": [
    {
      "Name": "mt-proxy.cl4.es",
      "Type": "A",
      "Class": "IN"
    }
  ],
  "Answer": [
    {
      "Name": "mt-proxy.cl4.es",
      "Type": "CNAME",
      "Class": "IN",
      "TTL": "30 (30 sec)",
      "RDLENGTH": "9 bytes",
      "RDATA": {
        "Domain": "oc0.oc.cl4.es"
      },
      "DnssecStatus": "Bogus"
    },
    {
      "Name": "mt-proxy.cl4.es",
      "Type": "RRSIG",
      "Class": "IN",
      "TTL": "30 (30 sec)",
      "RDLENGTH": "90 bytes",
      "RDATA": {
        "TypeCovered": "CNAME",
        "Algorithm": "ECDSAP256SHA256",
        "Labels": 3,
        "OriginalTtl": 300,
        "SignatureExpiration": "2024-03-25T16:11:19Z",
        "SignatureInception": "2024-03-23T14:11:19Z",
        "KeyTag": 34505,
        "SignersName": "cl4.es",
        "Signature": "oQKTKsBK3c7w4noNDHHBS2TcBK3N3Kv+4COaBnRknvPgpjdZOAcVRC2dJgeIk0tU0/BLe10bNEaia8w0oI5Mng=="
      },
      "DnssecStatus": "Bogus"
    },
    {
      "Name": "oc0.oc.cl4.es",
      "Type": "A",
      "Class": "IN",
      "TTL": "30 (30 sec)",
      "RDLENGTH": "4 bytes",
      "RDATA": {
        "IPAddress": "129.151.70.133"
      },
      "DnssecStatus": "Unknown"
    },
    {
      "Name": "oc0.oc.cl4.es",
      "Type": "RRSIG",
      "Class": "IN",
      "TTL": "30 (30 sec)",
      "RDLENGTH": "90 bytes",
      "RDATA": {
        "TypeCovered": "A",
        "Algorithm": "ECDSAP256SHA256",
        "Labels": 4,
        "OriginalTtl": 300,
        "SignatureExpiration": "2024-03-25T17:00:50Z",
        "SignatureInception": "2024-03-23T15:00:50Z",
        "KeyTag": 34505,
        "SignersName": "cl4.es",
        "Signature": "qHSQzK9VoPk2+deLZ30+6v90P1Y+tj9jKxK6tHZuydoOXrwo1Xfydh1mEZqBkPooy/dlGvZqU94xdm+7jQS6ig=="
      },
      "DnssecStatus": "Unknown"
    }
  ],
  "Authority": [],
  "Additional": [
    {
      "Name": "",
      "Type": "OPT",
      "Class": "1232",
      "TTL": "32768 (9 hours 6 mins 8 sec)",
      "RDLENGTH": "6 bytes",
      "RDATA": {
        "Options": [
          {
            "Code": "EXTENDED_DNS_ERROR",
            "Length": "2 bytes",
            "Data": {
              "InfoCode": "StaleAnswer",
              "ExtraText": null
            }
          }
        ]
      },
      "DnssecStatus": "Unknown"
    }
  ]
}

But just waiting a bit and pressing the resolve button again gets me this successful response:

{
  "Metadata": {
    "NameServer": "technitium.sb.cl4.es (10.69.0.20)",
    "Protocol": "Udp",
    "DatagramSize": "593 bytes",
    "RoundTripTime": "74.77 ms"
  },
  "EDNS": {
    "UdpPayloadSize": 1232,
    "ExtendedRCODE": "NoError",
    "Version": 0,
    "Flags": "DNSSEC_OK",
    "Options": [
      {
        "Code": "PADDING",
        "Length": "304 bytes",
        "Data": {
          "Data": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
        }
      }
    ]
  },
  "Identifier": 0,
  "IsResponse": true,
  "OPCODE": "StandardQuery",
  "AuthoritativeAnswer": false,
  "Truncation": false,
  "RecursionDesired": true,
  "RecursionAvailable": true,
  "Z": 0,
  "AuthenticData": false,
  "CheckingDisabled": true,
  "RCODE": "NoError",
  "QDCOUNT": 1,
  "ANCOUNT": 4,
  "NSCOUNT": 0,
  "ARCOUNT": 1,
  "Question": [
    {
      "Name": "mt-proxy.cl4.es",
      "Type": "A",
      "Class": "IN"
    }
  ],
  "Answer": [
    {
      "Name": "mt-proxy.cl4.es",
      "Type": "CNAME",
      "Class": "IN",
      "TTL": "300 (5 mins)",
      "RDLENGTH": "9 bytes",
      "RDATA": {
        "Domain": "oc0.oc.cl4.es"
      },
      "DnssecStatus": "Secure"
    },
    {
      "Name": "mt-proxy.cl4.es",
      "Type": "RRSIG",
      "Class": "IN",
      "TTL": "300 (5 mins)",
      "RDLENGTH": "90 bytes",
      "RDATA": {
        "TypeCovered": "CNAME",
        "Algorithm": "ECDSAP256SHA256",
        "Labels": 3,
        "OriginalTtl": 300,
        "SignatureExpiration": "2024-03-26T21:48:00Z",
        "SignatureInception": "2024-03-24T19:48:00Z",
        "KeyTag": 34505,
        "SignersName": "cl4.es",
        "Signature": "Y6axjJXemx3FcJdjlgUvg6J47q784+cSnxRU3J11JLivdUZxa4r49pFi19B7xud2SaqCF+xGCxhl57Cv++sbKQ=="
      },
      "DnssecStatus": "Secure"
    },
    {
      "Name": "oc0.oc.cl4.es",
      "Type": "A",
      "Class": "IN",
      "TTL": "300 (5 mins)",
      "RDLENGTH": "4 bytes",
      "RDATA": {
        "IPAddress": "129.151.70.133"
      },
      "DnssecStatus": "Secure"
    },
    {
      "Name": "oc0.oc.cl4.es",
      "Type": "RRSIG",
      "Class": "IN",
      "TTL": "300 (5 mins)",
      "RDLENGTH": "90 bytes",
      "RDATA": {
        "TypeCovered": "A",
        "Algorithm": "ECDSAP256SHA256",
        "Labels": 4,
        "OriginalTtl": 300,
        "SignatureExpiration": "2024-03-26T21:48:00Z",
        "SignatureInception": "2024-03-24T19:48:00Z",
        "KeyTag": 34505,
        "SignersName": "cl4.es",
        "Signature": "vqd1lWuXQtKBE+orqZxSy2QtaWpttFsizEUAdjlbyc/MYqmGYjujnDmCUtV61bHPLie/J2ebPdhiKE2oeJDeew=="
      },
      "DnssecStatus": "Secure"
    }
  ],
  "Authority": [],
  "Additional": [
    {
      "Name": "",
      "Type": "OPT",
      "Class": "1232",
      "TTL": "32768 (9 hours 6 mins 8 sec)",
      "RDLENGTH": "308 bytes",
      "RDATA": {
        "Options": [
          {
            "Code": "PADDING",
            "Length": "304 bytes",
            "Data": {
              "Data": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
            }
          }
        ]
      },
      "DnssecStatus": "Indeterminate"
    }
  ]
}

claudio4, Mar 25 '24 20:03
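The two responses above differ only in whether the RRSIGs are inside their validity window at query time: the stale cached answer carries signatures that expired on Mar 25 before the query, the refreshed answer carries newly issued ones. The following is an added example, not code from this issue or from Technitium: it applies the RFC 4035 section 5.3.1 inception/expiration checks and the section 5.3.3 TTL cap to the two answer sections transcribed from the issue. Signature bytes are not cryptographically verified, and the query time is an assumption since the issue does not state it.

```python
from datetime import datetime, timezone

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def rrsig_status(rrsig, now):
    """Classify an RRSIG's validity window at time 'now' (RFC 4035 5.3.1)."""
    if now < _ts(rrsig["SignatureInception"]):
        return "SignatureNotYetValid"
    if now > _ts(rrsig["SignatureExpiration"]):
        return "SignatureExpired"
    return "Ok"

def check_answer(answer, now):
    """Map (owner, type) -> status for every non-RRSIG record in an answer section."""
    out = {}
    for rr in answer:
        if rr["Type"] == "RRSIG":
            continue
        sigs = [s for s in answer if s["Type"] == "RRSIG" and s["Name"] == rr["Name"]
                and s["RDATA"]["TypeCovered"] == rr["Type"]]
        if not sigs:
            out[(rr["Name"], rr["Type"])] = "MissingRRSIG"  # the case in the logged exception
        else:  # one covering signature inside its window is enough
            st = [rrsig_status(s["RDATA"], now) for s in sigs]
            out[(rr["Name"], rr["Type"])] = "Ok" if "Ok" in st else st[0]
    return out

def safe_cache_ttl(ttl, rrsig, now):
    """RFC 4035 5.3.3: cap a cached TTL so the RRset is never served past its signature expiry."""
    return max(0, min(ttl, int((_ts(rrsig["SignatureExpiration"]) - now).total_seconds())))

def _rr(name, typ, covered=None, inc=None, exp=None):  # minimal record shape used above
    rdata = {"TypeCovered": covered, "SignatureInception": inc, "SignatureExpiration": exp}
    return {"Name": name, "Type": typ, "RDATA": rdata}

# Answer sections transcribed from the issue (TTLs, key tags and signature bytes omitted).
STALE_ANSWER = [
    _rr("mt-proxy.cl4.es", "CNAME"),
    _rr("mt-proxy.cl4.es", "RRSIG", "CNAME", "2024-03-23T14:11:19Z", "2024-03-25T16:11:19Z"),
    _rr("oc0.oc.cl4.es", "A"),
    _rr("oc0.oc.cl4.es", "RRSIG", "A", "2024-03-23T15:00:50Z", "2024-03-25T17:00:50Z"),
]
FRESH_ANSWER = [
    _rr("mt-proxy.cl4.es", "CNAME"),
    _rr("mt-proxy.cl4.es", "RRSIG", "CNAME", "2024-03-24T19:48:00Z", "2024-03-26T21:48:00Z"),
    _rr("oc0.oc.cl4.es", "A"),
    _rr("oc0.oc.cl4.es", "RRSIG", "A", "2024-03-24T19:48:00Z", "2024-03-26T21:48:00Z"),
]
QUERY_TIME = _ts("2024-03-25T19:30:00Z")  # assumed query time; the issue does not state it
```

A validator stops at the first bogus RRset in the CNAME chain, which is why the issue's stale response shows the A record as "Unknown" rather than "Bogus"; this example reports the status of every RRset independently.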

This was implemented in a few recent commits, last one being ee5461d63e4b1a384c9be94d0c236be6065bd4e7

bengtmartensson, Jan 14 '25 10:01