node-dnssec-name-shame
Doesn't seem to understand algo 16 (and IPv6-only domains?)
I'm pretty sure dnslabs.nl does DNSSEC; however, the URL below says it doesn't.
https://dnssec-name-and-shame.com/domain/dnslabs.nl
@mdavids: hmm, yes. Admittedly dnssec-name-and-shame (DNAS) isn't getting as much attention as it needs sometimes, nor is the upstream getdns library.
- https://getdnsapi.net/
I don't think IPv6 should be an issue, since each record type is looked up separately. (Click "DNSSEC lookup details" at the top of the DNAS results page to verify.) One working counter-example, from your website, is doesnotwork.eu.
- https://dnssec-name-and-shame.com/domain/doesnotwork.eu
Regarding ed448 I'm not as sure. The test domain ed448.no does not validate, so it seems something is broken.
- https://dnssec-name-and-shame.com/domain/ed448.no
- https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions#Algorithms
The algorithm type is supported in getdns since v1.5.0 when using openssl v1.1.1. The DNAS server is running Ubuntu with v1.6.0 and v1.1.1, but the Ubuntu/Debian package overrides openssl and uses gnutls instead. This disables ed448, because nettle (via gnutls) didn't support it at the time getdns implemented gnutls support.
- https://getdnsapi.net/releases/getdns-1-5-0/
- https://salsa.debian.org/dns-team/getdns/-/blob/2ca99ce0eb9926cd6b6968ad93cb7317f32488da/ChangeLog#L34-36
- https://github.com/getdnsapi/getdns/issues/460
- https://github.com/getdnsapi/getdns/blob/1f2aa585fc113e34c634887bc00c492b8d38604f/CMakeLists.txt#L440-L448
So it seems fixable by either using a custom getdns build on the DNAS server (I am personally against this, harder to maintain), convincing Ubuntu/Debian package maintainers to switch back to openssl (seems less likely), or upgrading getdns' support for ed448 now that (some versions of) nettle supports it (seems possible).
As mentioned, the getdns project hasn't received much attention recently, but on 2021-06-04 (about four months ago) they promised to make a new release every three months.
- https://getdnsapi.net/releases/getdns-1-7-0/
It's alive! We finally have a new 1.7.0 release of getdns. Sorry that this has taken so long. We promise that a next release will not take this long again. In fact, from now on we are committing ourselves to do new releases at least every three months. You can hold us to that!
With some lobbying, maybe broader ed448 support can become part of the new release?
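
Added example, not part of the thread and not code from DNAS or getdns: under RFC 4035 section 5.2, a validator built without algorithm 16 classifies an Ed448-only delegation as insecure rather than bogus, while a delegation that also carries a supported algorithm still validates. The backend sets, zone names, key tags and digests are constructed assumptions; only the missing algorithm 16 is taken from the discussion above.

```javascript
// DNSSEC algorithm numbers (IANA registry), limited to the ones used below.
const ALGORITHM_NAMES = { 8: 'RSASHA256', 13: 'ECDSAP256SHA256', 15: 'ED25519', 16: 'ED448' };

// Hypothetical validator builds. Only the missing 16 in the second set comes
// from the thread; the rest of each set is an assumption for illustration.
const WITH_ED448 = new Set([8, 13, 15, 16]);
const WITHOUT_ED448 = new Set([8, 13, 15]);

// Parse one DS record in presentation format:
//   owner [ttl] [class] DS key-tag algorithm digest-type digest
function parseDs(line) {
  const fields = line.trim().split(/\s+/);
  const i = fields.indexOf('DS');
  if (i < 1 || fields.length < i + 5) throw new Error(`not a DS record: ${line}`);
  const [keyTag, algorithm, digestType] = fields.slice(i + 1, i + 4).map(Number);
  if (![keyTag, algorithm, digestType].every(Number.isInteger)) {
    throw new Error(`non-numeric DS field: ${line}`);
  }
  return { owner: fields[0].toLowerCase(), keyTag, algorithm, digestType };
}

// RFC 4035 section 5.2: a DS RRset in which the validator supports none of
// the algorithms is handled like a proven absence of DS, so the zone comes
// out "insecure" (treated as unsigned) rather than "bogus".
function delegationStatus(dsLines, supported) {
  const records = dsLines.filter((l) => l.trim() && !l.trim().startsWith(';')).map(parseDs);
  const usable = records.filter((r) => supported.has(r.algorithm));
  const skipped = records
    .filter((r) => !supported.has(r.algorithm))
    .map((r) => ALGORITHM_NAMES[r.algorithm] || `ALG${r.algorithm}`);
  let status;
  if (records.length === 0) status = 'insecure: no DS'; // assumes the absence was proven
  else if (usable.length === 0) status = 'insecure: no supported algorithm';
  else status = 'secure path available';
  return { status, usableKeyTags: usable.map((r) => r.keyTag), skipped };
}

// Constructed DS RRsets (placeholder digests, reserved example names).
const ED448_ONLY = ['ed448.example. 3600 IN DS 11111 16 2 00PLACEHOLDER00'];
const MIXED = [
  'mixed.example. 3600 IN DS 22222 13 2 00PLACEHOLDER00',
  'mixed.example. 3600 IN DS 33333 16 2 00PLACEHOLDER00',
];

for (const [name, set] of [['with ed448', WITH_ED448], ['without ed448', WITHOUT_ED448]]) {
  console.log(name, delegationStatus(ED448_ONLY, set), delegationStatus(MIXED, set));
}
```

Digest-type support is not modelled here; a DS record whose digest type the validator cannot compute is skipped in the same way.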