Unbound reports SERVFAIL when ncdns has DNSSEC enabled
(title courtesy of Jeremy)
I was trying to set up ncdns on my Windows 10 machine. After it downloaded the blockchain (a day later), I was getting SERVFAIL errors when attempting to resolve .bit domains (ICANN domains are fine).
The only way I was able to get ncdns to work was to edit DnssecTrigger\unbound.conf.d\ncdns-inst.conf, comment out:
trust-anchor-file: "C:\Program Files\ncdns\bit.key"
and add:
server:
    domain-insecure: bit.
As I was only playing around and guessing, I was not sure what I had done or what effect it would have, but Jeremy told me on IRC that what I did was disable DNSSEC (all NT services, Namecoin Core, and the dnssec-trigger systray icon are still running).
He suggested I go on Github, mention this situation and some .bit domains I was attempting to resolve.
Here are some examples of sites I was trying and getting SERVFAILs on before I made the change:
jamieweb.bit (this has a tutorial on use of ncdns with Linux which I was reading; I have not tested ncdns on Linux and was just reading it to learn about the software)
redblade7.bit (goes to a hidden section on an ICANN domain of mine which auto-redirects to my Twitter page)
redblade84.bit (same as above)
roguecentral.bit (equivalent to coredumpcentral.org)
coredumpcentral.bit (same as above)
A note on jamieweb.bit: it uses HTTPS with a self-signed certificate, which your browser will warn you about. The others all use HTTP.
IIRC @hlandau diagnosed this as a DNSSEC bug in madns, which is fixed now. So the fix should get pulled into the next ncdns release (assuming that no other issues are hiding there).
@redblade7 Can you try with the latest released binaries and let us know if it's fixed?
I don't use dnssec-trigger anymore, I just use ncdns and unbound side by side. This setup works on my Win10 and Gentoo desktops, but I was having the same problems on a freshly installed Kubuntu laptop.
Do you know of any DNSSEC .bit domains I can try, to see if DNSSEC is on?
Taking a closer look, this bug seems to only affect .bit domains which lack an AD flag while DNSSEC is enabled on Unbound. ICANN domains without the AD flag resolve the non-DNSSEC way, while .bit domains without the AD flag return SERVFAIL.
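The three outcomes discussed in this thread (a validated answer with the AD flag, an answer returned "the non-DNSSEC way" without AD, and a SERVFAIL) are all visible in the 16-bit flags word of the DNS response header. The following is an added example, not code from ncdns, Unbound, or any participant in the thread: it parses the header and question section of a DNS message in wire format and classifies the response. The three sample messages at the bottom are constructed for the example, not captures from a real resolver.

```python
"""
Added example (not ncdns, Unbound or issue-author code): parse the header
and question section of a DNS response and classify it as "validated"
(AD flag set), "insecure" (NOERROR without AD) or "servfail".
Sample messages are constructed inline; they are not real captures.
"""
import struct

# RFC 1035 header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT, each a big-endian uint16
HEADER = struct.Struct("!HHHHHH")

# Bits of the FLAGS word (RFC 1035 section 4.1.1; AD and CD from RFC 4035 section 3.2.3)
QR = 1 << 15  # 1 = response
RD = 1 << 8   # recursion desired
RA = 1 << 7   # recursion available
AD = 1 << 5   # authentic data: the resolver validated this answer with DNSSEC
CD = 1 << 4   # checking disabled: the client asked the resolver not to validate
RCODE_MASK = 0x000F

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def read_name(msg: bytes, offset: int):
    """Read an uncompressed domain name (label sequence) starting at offset.
    Returns (name, offset just past the name). Compression pointers are
    rejected because a question section does not use them in practice."""
    labels = []
    while True:
        length = msg[offset]
        if length & 0xC0:
            raise ValueError("compression pointer not supported in question name")
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def parse_response(msg: bytes) -> dict:
    """Return the header fields and the first question name of a DNS message."""
    if len(msg) < HEADER.size:
        raise ValueError("message shorter than a DNS header")
    ident, flags, qdcount, ancount, _nscount, _arcount = HEADER.unpack_from(msg, 0)
    rcode = flags & RCODE_MASK
    info = {
        "id": ident,
        "is_response": bool(flags & QR),
        "ad": bool(flags & AD),
        "cd": bool(flags & CD),
        "rcode": RCODES.get(rcode, str(rcode)),
        "ancount": ancount,
        "qname": None,
    }
    if qdcount:
        info["qname"], _ = read_name(msg, HEADER.size)
    return info


def classify(msg: bytes) -> str:
    """Map a response to the outcome a user sees at the resolver."""
    info = parse_response(msg)
    if not info["is_response"]:
        raise ValueError("not a response (QR bit clear)")
    if info["rcode"] == "SERVFAIL":
        return "servfail"      # validation failure or an upstream error
    if info["rcode"] != "NOERROR":
        return info["rcode"].lower()
    if info["ad"]:
        return "validated"     # the resolver proved the chain of trust
    return "insecure"          # answered, but not (or not provably) DNSSEC-signed


def build_response(ident: int, flags: int, qname: str) -> bytes:
    """Construct a minimal response carrying one question and no answer
    records (constructed for this example; enough for header/question parsing)."""
    wire = bytearray(HEADER.pack(ident, flags | QR, 1, 0, 0, 0))
    for label in qname.rstrip(".").split("."):
        wire.append(len(label))
        wire += label.encode("ascii")
    wire.append(0)                      # root label terminates the name
    wire += struct.pack("!HH", 1, 1)    # QTYPE A, QCLASS IN
    return bytes(wire)


# Constructed samples for the three situations discussed in the thread.
SAMPLE_VALIDATED = build_response(0x1001, RD | RA | AD, "jamieweb.bit.")
SAMPLE_INSECURE = build_response(0x1002, RD | RA, "jamieweb.bit.")
SAMPLE_SERVFAIL = build_response(0x1003, RD | RA | 2, "jamieweb.bit.")  # RCODE 2 = SERVFAIL

if __name__ == "__main__":
    for sample in (SAMPLE_VALIDATED, SAMPLE_INSECURE, SAMPLE_SERVFAIL):
        info = parse_response(sample)
        print(info["qname"], info["rcode"], "AD" if info["ad"] else "no-AD", "->", classify(sample))
```

Read against the thread: with the trust anchor configured, Unbound is expected to produce the "validated" case for a signed .bit name and "servfail" when validation fails; with `domain-insecure: bit.` in place, the same names come back as "insecure" (NOERROR without AD), which is why that edit made resolution work at the cost of turning DNSSEC off for the zone.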