DNSSEC validation failure db.ripe.net. DS
My local Knot Resolver instance seems to be unable to look up apps.db.ripe.net, logging kresd[1241]: DNSSEC validation failure db.ripe.net. DS for each attempt.
https://dnsviz.net/d/apps.db.ripe.net/dnssec/ and https://dnssec-debugger.verisignlabs.com/apps.db.ripe.net seem to think that things are in order, and so does the upstream recursive resolver (running ISC BIND with validation enabled):
$ dig @87.238.33.1 apps.db.ripe.net ✔
; <<>> DiG 9.11.13-RedHat-9.11.13-3.fc31 <<>> @87.238.33.1 apps.db.ripe.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8271
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;apps.db.ripe.net. IN A
;; ANSWER SECTION:
apps.db.ripe.net. 21260 IN A 193.0.6.142
;; Query time: 2 msec
;; SERVER: 87.238.33.1#53(87.238.33.1)
;; WHEN: fr. des. 13 14:38:55 CET 2019
;; MSG SIZE rcvd: 61
I've tried restarting kresd and clearing the cache, no go.

/etc/knot-resolver/kresd.conf contains:
-- vim:syntax=lua:set ts=4 sw=4:
-- Refer to manual: http://knot-resolver.readthedocs.org/en/stable/daemon.html#configuration
-- Network interface configuration: see kresd.systemd(7)

-- For DNS-over-HTTPS and web management when using http module
-- modules.load('http')
-- http.config({
--     cert = '/etc/knot-resolver/mycert.crt',
--     key = '/etc/knot-resolver/mykey.key',
--     tls = true,
-- })

-- To disable DNSSEC validation, uncomment the following line (not recommended)
-- trust_anchors.remove('.')

-- Load useful modules
modules = {
    'hints > iterate', -- Load /etc/hosts and allow custom root hints
    'stats',           -- Track internal statistics
    'predict',         -- Prefetch expiring/frequent records
}

-- Cache size
cache.size = 100 * MB

trust_anchors.set_insecure({'lan'})
policy.add(policy.suffix(policy.FORWARD('192.168.1.1'), {todname('lan')}))
policy.add(policy.all(policy.FORWARD('87.238.33.1')))
modules.load('bogus_log')
I'm using the Knot Resolver binaries included with Fedora 31 (knot-resolver-4.2.2-2.fc31.x86_64). I'm aware it's not the latest available release; however, there's no mention of any bug related to DNSSEC validation being fixed in v4.3.0 at https://gitlab.labs.nic.cz/knot/knot-resolver/-/tags.
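As an added example (not from the original post or from the Knot Resolver project), this is the DS-to-DNSKEY check a validator performs at the db.ripe.net. delegation when it logs a "DS" failure: recompute the key tag and the DS digest from the child's DNSKEY and compare them with the DS record published in the parent. The DNSKEY and DS sample values are constructed, not RIPE's real keys; the input format assumed is the presentation format that dig prints.

```python
import base64
import hashlib
import struct

DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}  # DS digest types, RFC 4034/4509/6605

def owner_wire(name):
    """Canonical (lowercase) wire form of the owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_dnskey(text):
    """'257 3 13 AAEC...' (presentation format, as dig prints it) -> DNSKEY RDATA bytes."""
    flags, proto, alg, *b64 = text.split()
    return struct.pack("!HBB", int(flags), int(proto), int(alg)) + base64.b64decode("".join(b64))

def parse_ds(text):
    """'12345 13 2 ABCD...' -> (key_tag, algorithm, digest_type, digest_hex)."""
    tag, alg, dtype, *hexparts = text.split()
    return int(tag), int(alg), int(dtype), "".join(hexparts).lower()

def ds_digest(owner, rdata, digest_type):
    """DS digest = H(owner name in wire form || DNSKEY RDATA), hex-encoded."""
    return hashlib.new(DIGEST_ALGS[digest_type], owner_wire(owner) + rdata).hexdigest()

def ds_matches_dnskey(owner, ds_text, dnskey_text):
    """True when the parent's DS record authenticates this child DNSKEY (sample inputs are constructed)."""
    tag, ds_alg, dtype, digest = parse_ds(ds_text)
    rdata = parse_dnskey(dnskey_text)
    flags, proto, alg = struct.unpack("!HBB", rdata[:4])
    if not flags & 0x0001 or proto != 3:      # must be a zone key with protocol 3
        return False
    if alg != ds_alg or dtype not in DIGEST_ALGS:
        return False
    if key_tag(rdata) != tag:                  # cheap mismatch check before hashing
        return False
    return ds_digest(owner, rdata, dtype) == digest
```

Feed it the DS set from the parent (ripe.net) and the DNSKEY set from the child (db.ripe.net) as returned by the forwarder; if no DS/DNSKEY pair matches, the forwarder is serving a broken or stale chain rather than kresd misbehaving.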