
*.co domains do not resolve, dig times out.

Open · rithvikvibhu opened this issue 3 years ago · 9 comments

List of TLDs that don't resolve as of now (not complete):

  • co (t.co, go.co)
  • horse (https://www.xrays.horse/examinations/)
  • cloud (https://console.hetzner.cloud/)

Domains under the co TLD do not resolve. Ex: t.co, go.co

Built from master branch, updated tld.h generated with hs-names. Still no luck.

This is what happens in hnsd:

  1. Request comes in:

     ```
     rs: query
     rs:   id=600
     rs:   labels=2
     rs:   name=go.co.
     rs:   type=1
     rs:   class=1
     rs:   edns=1
     rs:   dnssec=0
     rs:   tld=co
     rs:   addr=127.0.0.1:58007
     ```

  2. No response; dig times out.
  3. After 30-60 secs, hnsd receives an answer:

     ```
     rs: received answer for: go.co.
     rs:   rcode: 0
     rs:   havedata: 1
     rs:   nxdomain: 0
     rs:   secure: 0
     rs:   bogus: 1
     rs:   why_bogus: validation failure <go.co. A IN>: key for validation co. is marked as invalid because of a previous validation failure <t.co. A IN>: No DNSKEY record for key co. while building chain of trust
     ```

  4. The next query with dig for the same domain works (gets an IP, fast, mostly from cache).

rithvikvibhu, May 13 '22 15:05

Not just co, but .horse too. Ex: https://www.xrays.horse/examinations/ (don't ask)

Will try to script and get a complete list of what's not working. If it's related to updating ICANN TLD data, then we can add it as a test that runs regularly so we know when to refresh.

rithvikvibhu, May 13 '22 18:05

Same with .us for me.

mxroute, Jul 31 '22 20:07

Hi, I've got the same problem. .cool does not work either. Hope it can be repaired soon.

v1xingyue, Aug 27 '22 10:08

Wrote a script to go through all ICANN TLDs and find SERVFAILs: https://gist.github.com/rithvikvibhu/90e4202a572b9633b1c6a05090dd6191

hnsd (well, fingertip) couldn't handle failing requests in series (no concurrent queries at all). Added a 5 second sleep after encountering a SERVFAIL to go slow. Then hnsd core dumped with a segmentation fault. (」°ロ°)」

So no list of TLDs, but got a reproducible segfault :upside_down_face:

rithvikvibhu, Aug 27 '22 13:08
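The symptom in the opening post (SERVFAIL or a plain timeout for some ICANN TLDs, then a cached success) and the scan script discussed above both come down to one loop: query one probe name per TLD, classify the dig result, and go slow after a failure. The block below is an added example, not the linked gist and not hnsd code. It assumes the resolver listens on RESOLVER:PORT (adjust to your hnsd/unbound setup), that `dig` is on PATH, and that nic.<tld> is an acceptable probe name (most ICANN registries operate it; an NXDOMAIN is still a working, validated answer). The dig runner is injectable so the scan logic runs offline against the constructed dig fragments embedded at the bottom.

```python
"""Serial SERVFAIL/timeout scan of TLDs through a local hnsd + unbound stack.

Added example, not the gist linked in the thread and not hnsd code.
Assumptions: RESOLVER/PORT point at the local resolver, dig is on PATH,
nic.<tld> exists for most TLDs (NXDOMAIN counts as a working answer).
"""
import re
import subprocess
import time
from typing import Callable, Dict, Iterable, List, Tuple

RESOLVER = "127.0.0.1"     # assumption: where hnsd/unbound answers
PORT = 53                  # assumption
PAUSE_AFTER_FAILURE = 5.0  # go slow after a failure, as the thread describes
OK_STATUSES = ("NOERROR", "NXDOMAIN")

STATUS_RE = re.compile(r";; ->>HEADER<<-.*?status: ([A-Z]+)")


def classify(dig_output: str) -> str:
    """Reduce raw dig output to its rcode, or TIMEOUT when no answer came back."""
    m = STATUS_RE.search(dig_output)
    if m:
        return m.group(1)
    if "connection timed out" in dig_output:
        return "TIMEOUT"
    return "UNPARSED"


def run_dig(name: str, timeout_s: int = 5) -> str:
    """One A query, one try, bounded wait, so a hung resolver cannot stall the scan."""
    cmd = ["dig", f"@{RESOLVER}", "-p", str(PORT), name, "A",
           f"+time={timeout_s}", "+tries=1"]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.stdout + proc.stderr


def scan(tlds: Iterable[str],
         runner: Callable[[str], str] = run_dig,
         sleep: Callable[[float], None] = time.sleep,
         probe: str = "nic") -> Dict[str, List[str]]:
    """Query <probe>.<tld>. strictly in series and group TLDs by outcome.

    Queries are never issued concurrently, and the scan pauses after each
    failure, because hnsd (per the thread) did not cope with a burst of
    failing queries.
    """
    by_status: Dict[str, List[str]] = {}
    for tld in tlds:
        status = classify(runner(f"{probe}.{tld.strip('.')}."))
        by_status.setdefault(status, []).append(tld)
        if status not in OK_STATUSES:
            sleep(PAUSE_AFTER_FAILURE)
    return by_status


# Constructed dig output fragments (not captured from a real run), for offline use.
SAMPLE_NOERROR = ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 600\n"
SAMPLE_SERVFAIL = ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 601\n"
SAMPLE_TIMEOUT = ";; connection timed out; no servers could be reached\n"


def demo() -> Tuple[Dict[str, List[str]], List[float]]:
    """Run the scan over canned output; returns (results, pauses taken)."""
    canned = {"nic.com.": SAMPLE_NOERROR,
              "nic.co.": SAMPLE_SERVFAIL,
              "nic.horse.": SAMPLE_TIMEOUT}
    pauses: List[float] = []
    results = scan(["com", "co", "horse"], runner=canned.__getitem__, sleep=pauses.append)
    return results, pauses


if __name__ == "__main__":
    # Live run against the local resolver; replace the list with the full ICANN set.
    for status, names in scan(["com", "co", "horse", "cloud", "us", "cool"]).items():
        print(f"{status}: {' '.join(names)}")
```

Keeping the query strictly serial with a bounded `+time`/`+tries=1` is what lets the scan distinguish a SERVFAIL (the validator gave up) from a timeout (nothing came back within the window), which is the difference between the two first-post observations.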

Probably part of the hard coded root zone issue: https://github.com/handshake-org/hnsd/issues/91

pinheadmz, Aug 27 '22 13:08
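The mechanics behind the hardcoded root zone pointer: a validating resolver trusts a TLD's DNSKEY only if a DS record published by the parent (here, the root-zone copy compiled into tld.h) matches it. If the TLD has rolled its KSK since that copy was generated, no live DNSKEY matches the stale DS, the chain of trust cannot be built, and the answer is marked bogus exactly as in the why_bogus line above. The block below is an added example of that standard DNSSEC check (RFC 4034 §5.1.4 DS digest, Appendix B key tag); it is not hnsd code, the thread does not pin the cause down beyond "updating tld.h fixed it", and every key and digest in it is constructed rather than the real co. material.

```python
"""Why a stale root-zone snapshot turns a TLD 'bogus'.

Added example of standard DNSSEC chain-of-trust mechanics (RFC 4034), not
hnsd code. All keys below are constructed; none is the real co. DNSKEY or DS.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable


@dataclass(frozen=True)
class DNSKEY:
    flags: int        # 257 = zone key + SEP (a KSK)
    protocol: int     # always 3
    algorithm: int    # 13 = ECDSAP256SHA256
    public_key: bytes

    def rdata(self) -> bytes:
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int  # 2 = SHA-256
    digest: bytes


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag for every algorithm except RSA/MD5."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, key: DNSKEY) -> DS:
    """DS record the parent would publish for this key (digest type 2, SHA-256)."""
    digest = hashlib.sha256(wire_name(owner) + key.rdata()).digest()
    return DS(key_tag(key.rdata()), key.algorithm, 2, digest)


def chains_to(owner: str, key: DNSKEY, parent_ds: Iterable[DS]) -> bool:
    """A child's DNSKEY is trusted only if some DS in the parent matches it.
    This is the step unbound reports as 'building chain of trust' for co."""
    candidate = make_ds(owner, key)
    return any(ds == candidate for ds in parent_ds if ds.digest_type == 2)


def demo() -> Dict[str, bool]:
    old_ksk = DNSKEY(257, 3, 13, bytes(range(64)))       # constructed pre-rollover KSK
    new_ksk = DNSKEY(257, 3, 13, bytes(range(64, 128)))  # constructed post-rollover KSK
    stale_snapshot = [make_ds("co.", old_ksk)]   # DS set frozen into an old tld.h
    fresh_snapshot = [make_ds("co.", new_ksk)]   # DS set the root publishes today
    return {
        # The live zone now signs with new_ksk; a resolver holding only the
        # stale DS finds no matching key and marks the answer bogus.
        "stale_snapshot_trusts_live_key": chains_to("co.", new_ksk, stale_snapshot),
        "fresh_snapshot_trusts_live_key": chains_to("co.", new_ksk, fresh_snapshot),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The practical consequence is that a compiled-in root zone has a shelf life: any TLD KSK rollover after the snapshot was taken turns that TLD bogus until tld.h is regenerated, which matches the pattern of unrelated TLDs (co, horse, us, cool) failing at different times.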

> hnsd (well, fingertip) couldn't handle failing requests in series (no concurrent queries at all). Added a 5 second sleep after encountering a SERVFAIL to go slow. Then hnsd core dumped segmentation fault. (」°ロ°)」

That sucks. Since it's reproducible, it might be worth creating an issue for that so we can track it. Slightly off-topic, but I'm seriously considering a Go or a Rust version. Maintaining hnsd is just too expensive. We could write several hnsds in the time it takes to develop a few features for the C version. We also have to deal with crashes, memory leaks and other C gotchas that easily introduce security vulnerabilities. Tor is moving away from C for the same reasons. From Tor (https://blog.torproject.org/announcing-arti/):

> "For us, these problems mean that programming in C is a slow and painstaking process. Everything we write takes more code than we'd like it to, and we need to double-check even the safest-looking code to make sure it doesn't fall prey to any of C's list of enormous gotchas. This slows us down seriously, and increases the cost of adding new features."

Also, see https://www.memorysafety.org/ for an initiative from ISRG/letsencrypt to move critical infrastructure to memory safe languages.

> Probably part of the hard coded root zone issue: https://github.com/handshake-org/hnsd/issues/91

Anyone tried updating the hardcoded zone file to check if it'll resolve this issue?

buffrr, Aug 27 '22 14:08

I'm all for a rewrite in rust! There's rsd for types/structs/etc. but is incomplete/outdated when I tried to use it.

> Anyone tried updating the hardcoded zone file to check if it'll resolve this issue?

I had mentioned in the issue that I had tried with an updated tld.h and it hadn't solved the issue, but I just tried it again and everything seems to work. No servfail, and cool, work domains resolve properly (and other domains faster than before). Maybe I hadn't copied hnsd over to fingertip last time, idk.

rithvikvibhu, Aug 27 '22 14:08

> I'm all for a rewrite in rust! There's rsd for types/structs/etc. but is incomplete/outdated when I tried to use it.

LFG! I might start porting some stuff from that and creating a repo no promises though. Happy to see other devs laying the groundwork for that too.

> No servfail and cool, work domains resolve properly (and other domains faster than before). Maybe hadn't copied over hnsd to fingertip last time, idk.

Interesting. Also keep in mind that Fingertip uses a PAC script for the proxy to skip all ICANN TLDs so they don't go through hnsd at all (for several reasons). So I'm assuming you're querying it directly.

buffrr, Aug 27 '22 14:08

Probably the fastest fix for this is passing a config file to the unbound recursive that forwards all ICANN TLDs to 1.1.1.1 or whatever. We can manually remove names like gay and ink that have been claimed.

pinheadmz, Aug 27 '22 15:08
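What the forwarding workaround above would look like as config: one unbound `forward-zone:` stanza per ICANN TLD, omitting the names that have been claimed on Handshake so those keep resolving through hnsd. The generator below is an added example, not hnsd's code or its shipped configuration. It assumes the caller supplies the ICANN TLD list and the claimed-name list (the short lists in `demo()` are constructed), defaults to the 1.1.1.1 upstream pinheadmz suggests plus its secondary address, and treats TLD strings as untrusted input, rejecting anything that is not a single DNS label so a stray newline cannot smuggle extra directives into unbound.conf.

```python
"""Generate unbound forward-zone stanzas for ICANN TLDs, skipping claimed names.

Added example, not hnsd's code or config. Assumptions: the caller supplies the
ICANN TLD list and the claimed-name list; DEFAULT_UPSTREAMS are the 1.1.1.1
resolver suggested in the thread and its secondary address.
"""
import re
from typing import Iterable, Sequence

LABEL_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")  # one DNS label
DEFAULT_UPSTREAMS = ("1.1.1.1", "1.0.0.1")


def valid_tld(tld: str) -> bool:
    """A TLD is exactly one valid label; anything else is refused rather than
    written into the config (newlines or directives would otherwise pass through)."""
    return LABEL_RE.fullmatch(tld) is not None


def normalize(tld: str) -> str:
    return tld.strip().rstrip(".").lower()


def forward_zone(tld: str, upstreams: Sequence[str]) -> str:
    """One stanza in unbound's documented name/forward-addr form."""
    lines = ["forward-zone:", f'\tname: "{tld}."']
    lines += [f"\tforward-addr: {addr}" for addr in upstreams]
    return "\n".join(lines) + "\n"


def forward_config(icann_tlds: Iterable[str], claimed: Iterable[str],
                   upstreams: Sequence[str] = DEFAULT_UPSTREAMS) -> str:
    """Stanzas for every ICANN TLD except those already claimed on Handshake,
    which must keep resolving through hnsd's own root."""
    keep_local = {normalize(c) for c in claimed}
    stanzas = []
    for tld in sorted({normalize(t) for t in icann_tlds}):
        if not valid_tld(tld):
            raise ValueError(f"refusing to write invalid TLD into config: {tld!r}")
        if tld in keep_local:
            continue
        stanzas.append(forward_zone(tld, upstreams))
    return "".join(stanzas)


def demo() -> str:
    # Constructed lists; the real ICANN root has on the order of 1,400 TLDs.
    return forward_config(["co", "horse", "cloud", "gay", "ink", "us"],
                          claimed=["gay", "ink"])


if __name__ == "__main__":
    print(demo(), end="")
```

The output is meant to be pulled into the unbound instance with an `include:` directive. One caveat worth checking before relying on it: forwarding changes who answers queries under a TLD, not which DS records the local validator fetches from its root, so if the compiled-in root zone is what has gone stale, the chain of trust for that TLD may still fail to build unless the zone is also marked `domain-insecure:` (which gives up validation for it).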