Bug 855695 - geodns: anongit.geodns.gentoo.org CNAME RRset is not signed by any trusted keys
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Infrastructure
Classification: Unclassified
Component: Other
Hardware: All All
Importance: Normal normal
Assignee: Gentoo Infrastructure
URL: https://dnssec-analyzer.verisignlabs....
Reported: 2022-07-02 08:56 UTC by Ogelpre
Modified: 2022-07-02 13:22 UTC
Description Ogelpre 2022-07-02 08:56:31 UTC
Hi all,

anongit.geodns.gentoo.org cannot be resolved by validating DNS resolvers.

Reproducible: Always

Steps to Reproduce:
Try to resolve anongit.geodns.gentoo.org through a validating DNS resolver, for example open resolvers like ffmuc. One receives a SERVFAIL.

Actual Results:  
# dig anongit.geodns.gentoo.org @2001:678:ed0:f000::

; <<>> DiG 9.16.27 <<>> anongit.geodns.gentoo.org @2001:678:ed0:f000::
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 17869
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;anongit.geodns.gentoo.org.     IN      A

;; Query time: 15 msec
;; SERVER: 2001:678:ed0:f000::#53(2001:678:ed0:f000::)
;; WHEN: Sat Jul 02 10:54:26 CEST 2022
;; MSG SIZE  rcvd: 54


Expected Results:  
A valid RRSIG should be returned.
Comment 1 Thibaud CANALE 2022-07-02 09:20:54 UTC
Hello,

It looks like it's a DNSSEC issue, because trying its resolution using "dig" with the cd flag, it works:
> dig anongit.geodns.gentoo.org A → status: SERVFAIL
> dig +cd anongit.geodns.gentoo.org A → anongit.geodns.gentoo.org. 814	IN	CNAME	anongit.geodns-europe.gentoo.org.


And today it seems to have an impact on other services:
* rsync: https://dnsviz.net/d/rsync.gentoo.org/dnssec/
* dev: https://dnsviz.net/d/dev.gentoo.org/dnssec/
Comment 2 cyrillic 2022-07-02 09:51:37 UTC
I am seeing this too with IPv4 and bind-9.18 on my home router:

# dig anongit.geodns.gentoo.org

; <<>> DiG 9.19.1 <<>> anongit.geodns.gentoo.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 64716
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 20d4ba070ba727f90100000062c0146abe5f13592ea43f21 (good)
;; QUESTION SECTION:
;anongit.geodns.gentoo.org.	IN	A

;; Query time: 913 msec
;; SERVER: 192.168.36.1#53(192.168.36.1) (UDP)
;; WHEN: Sat Jul 02 05:48:26 EDT 2022
;; MSG SIZE  rcvd: 82
Comment 3 Paul Gover 2022-07-02 10:25:16 UTC
I'm getting the following; my setup has dnsmasq pointing at 9.9.9.9:

dig anongit.geodns.gentoo.org
;; Warning: Message parser reports malformed message packet.

; <<>> DiG 9.16.27 <<>> anongit.geodns.gentoo.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56570
;; flags: qr; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;anongit.geodns.gentoo.org.     IN      A

;; ANSWER SECTION:
.                       0       CLASS4096 OPT   10 8 W3t9qbp+o0o=

;; ADDITIONAL SECTION:
anongit.geodns.gentoo.org. 264  IN      A       148.251.78.52

;; Query time: 2 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Sat Jul 02 11:23:48 BST 2022
;; MSG SIZE  rcvd: 82
Comment 4 Paul Gover 2022-07-02 10:27:54 UTC
(In reply to Paul Gover from comment #3)
> ...
Sorry, meant to add, that means it appears to be working for me.
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-07-02 11:33:55 UTC
Should be sorted now.
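
The comparison used in comment 1 (the same query with and without the CD flag) can be turned into a small classifier over dig's text output. This is an added example, not part of the original bug report; the function names, the category labels and the sample headers are assumptions constructed for illustration.

```python
import re

STATUS_RE = re.compile(r"status:\s*(\w+)")
FLAGS_RE = re.compile(r";; flags:\s*([a-z ]*);\s*QUERY:\s*\d+,\s*ANSWER:\s*(\d+)")

# Constructed samples modelled on the dig headers quoted in this bug (ids are made up).
SERVFAIL_SAMPLE = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1"""
CD_SAMPLE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1"""
UNVALIDATED_SAMPLE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3
;; flags: qr; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1"""


def parse_dig(text):
    """Return (status, set of flags, answer count) from dig's header lines."""
    status = STATUS_RE.search(text)
    flags = FLAGS_RE.search(text)
    if not status or not flags:
        raise ValueError("no dig header found in input")
    return status.group(1), set(flags.group(1).split()), int(flags.group(2))


def classify(plain, with_cd):
    """Compare output of `dig NAME` with output of `dig +cd NAME`."""
    status, flags, answers = parse_dig(plain)
    cd_status, _, cd_answers = parse_dig(with_cd)
    if status == "NOERROR" and answers:
        # AD set: the resolver asserts it validated the answer.
        # AD absent: an answer came back, but nothing says it was validated.
        return "validated" if "ad" in flags else "answered-unvalidated"
    if status == "SERVFAIL" and cd_status == "NOERROR" and cd_answers:
        # Data exists but only when validation is disabled: DNSSEC is the cause.
        return "dnssec-validation-failure"
    if status == "SERVFAIL" and cd_status == "SERVFAIL":
        # Fails even with checking disabled: not specific to DNSSEC.
        return "resolution-failure"
    return "inconclusive"


if __name__ == "__main__":
    print(classify(SERVFAIL_SAMPLE, CD_SAMPLE))
    print(classify(UNVALIDATED_SAMPLE, UNVALIDATED_SAMPLE))
```

A resolver that returns an answer without the AD flag, as in comment 3, is reported as "answered-unvalidated" rather than as evidence that the zone's signatures are valid.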