kresd forgetting about DNSSEC?
Today, I had a (libunbound-based) validating stub resolver fail at resolving various domain names (not necessarily signed with DNSSEC), most under the “net.” TLD, using my Turris Omnia (knot-resolver 1.2.6-3) as a recursive resolver.
I unfortunately don't have much data to debug, and I eventually solved the issue by clearing kresd's cache.
The only hard data I have is that kresd's answer to a DS query before cleaning the cache was missing the ad flag and RRSIG records:
# dig +dnssec @192.168.0.1 DS net.
; <<>> DiG 9.10.3-P4-Debian <<>> +dnssec @192.168.0.1 DS net.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61639
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;net. IN DS
;; ANSWER SECTION:
net. 7373 IN DS 35886 8 2 7862B27F5F516EBE19680444D4CE5E762981931842C465F00236401D 8BD973EE
;; Query time: 1 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Mon Jul 31 11:50:04 CEST 2017
;; MSG SIZE rcvd: 80
Considering the validity period of the current signature, I wonder if the previous one expired but kresd failed to update it because the DS record itself hadn't expired yet from its cache?
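The check this post is circling around, written out as an added example (not code from the post, from knot-resolver or from libunbound): a small script that reads the text `dig +dnssec` prints and reports whether the AD flag is set, whether each answer RRset is accompanied by an RRSIG, and whether the RRset's TTL reaches past the RRSIG expiration, which is exactly the "DS still cached, signature already expired" situation suspected above. The unsigned sample is the answer quoted in the post; the signed samples, their RRSIG timing, key tag and signature bytes are constructed for the example and are not from the post.

```python
"""Check a `dig +dnssec` response for the DNSSEC properties a validating stub needs.

Added example, not code from the original post, knot-resolver or libunbound.
It reads dig's text output and reports three things:
  * whether the AD flag is set,
  * whether every RRset in the ANSWER section has an RRSIG covering it,
  * whether a covered RRset's TTL reaches past its RRSIG expiration, i.e. the
    cache would keep serving the record after the signature has expired.
The signed responses below are constructed samples; the RRSIG timing, key tag
and signature bytes are not taken from the post.
"""
import re
import time
from datetime import datetime, timezone

FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);")
# owner ttl IN type rdata
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


def parse_dig(text):
    """Return (flags, records); records are (owner, ttl, type, rdata) tuples from ANSWER."""
    flags, records, in_answer = set(), [], False
    for line in text.splitlines():
        line = line.strip()
        m = FLAGS_RE.match(line)
        if m:
            flags = set(m.group(1).split())
            continue
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";"):
            in_answer = False          # any other section header or comment ends ANSWER
            continue
        m = RR_RE.match(line) if in_answer else None
        if m:
            records.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return flags, records


def rrsig_covered_and_expiration(rdata):
    """RRSIG rdata: type-covered alg labels orig-ttl expiration inception keytag signer sig."""
    fields = rdata.split()
    exp = datetime.strptime(fields[4], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return fields[0], int(exp.timestamp())


def check_dnssec(text, now=None):
    """Return a list of problems; an empty list means the answer looks fully validated."""
    now = int(time.time()) if now is None else now
    flags, records = parse_dig(text)
    problems = []
    if "ad" not in flags:
        problems.append("AD flag not set: the resolver did not validate this answer")
    sigs = {}                                  # (owner, type covered) -> expiration epoch
    for owner, _ttl, rtype, rdata in records:
        if rtype == "RRSIG":
            covered, exp = rrsig_covered_and_expiration(rdata)
            sigs[(owner, covered)] = exp
    for owner, ttl, rtype, _rdata in records:
        if rtype == "RRSIG":
            continue
        exp = sigs.get((owner, rtype))
        if exp is None:
            problems.append(f"{owner} {rtype}: no RRSIG covering this RRset in the answer")
        elif now > exp:
            problems.append(f"{owner} {rtype}: RRSIG expired {now - exp}s ago")
        elif now + ttl > exp:
            problems.append(f"{owner} {rtype}: TTL {ttl}s outlives RRSIG expiration by {now + ttl - exp}s")
    return problems


# Timestamp of the post's query (Mon Jul 31 11:50:04 CEST 2017, i.e. 09:50:04 UTC).
SAMPLE_NOW = int(datetime(2017, 7, 31, 9, 50, 4, tzinfo=timezone.utc).timestamp())

# The unsigned answer quoted in the post: no AD flag, no RRSIG.
UNSIGNED_ANSWER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61639
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;net. IN DS
;; ANSWER SECTION:
net. 7373 IN DS 35886 8 2 7862B27F5F516EBE19680444D4CE5E762981931842C465F00236401D 8BD973EE
;; Query time: 1 msec
"""


def signed_answer(expiration):
    """Constructed validated answer for the same DS with an RRSIG expiring at `expiration`."""
    return (
        ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1\n"
        ";; ANSWER SECTION:\n"
        "net. 7373 IN DS 35886 8 2 7862B27F5F516EBE19680444D4CE5E762981931842C465F00236401D 8BD973EE\n"
        f"net. 7373 IN RRSIG DS 8 1 86400 {expiration} 20170724040000 12345 . c29tZXNpZw==\n"
        ";; Query time: 1 msec\n"
    )


if __name__ == "__main__":
    for label, answer in [("unsigned", UNSIGNED_ANSWER),
                          ("fresh", signed_answer("20170810050000")),
                          ("stale", signed_answer("20170731100000"))]:
        print(label, check_dnssec(answer, SAMPLE_NOW) or "OK")
```

Feeding it the output quoted above gives both findings at once (no AD flag, no RRSIG for the DS RRset); a constructed answer whose RRSIG expires before the 7373-second TTL runs out is reported as "TTL outlives RRSIG expiration", which is the condition worth watching for when a resolver cache serves a DS longer than the signature over it remains valid.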