Issues with DNSSEC latest few days

Hello,

I'm using a local recursor for my network (BIND) and have set it to forward mode to Cloudflare's DNS servers (using both IPv4 and IPv6). I also have DNSSEC validation turned on, and in the last few days I have had major problems with Cloudflare DNS. Right after flushing the local resolver and trying to do some requests…

04-Feb-2020 13:02:45.178 general: info: received control channel command 'flush'
04-Feb-2020 13:02:45.179 general: info: flushing caches in all views succeeded
04-Feb-2020 13:02:57.891 dnssec: info: validating arpa/DNSKEY: got insecure response; parent indicates it should be secure
04-Feb-2020 13:02:57.922 dnssec: info: validating arpa/DNSKEY: got insecure response; parent indicates it should be secure
04-Feb-2020 13:02:57.936 dnssec: info: validating arpa/DNSKEY: got insecure response; parent indicates it should be secure
04-Feb-2020 13:02:57.965 dnssec: info: validating arpa/DNSKEY: got insecure response; parent indicates it should be secure
04-Feb-2020 13:02:57.973 dnssec: info:   validating ip6.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:02:57.980 dnssec: info:   validating ip6.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:02:58.028 dnssec: info:   validating ip6.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:02:58.807 dnssec: info:   validating ip6.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:02:58.836 dnssec: info: validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:02:58.842 dnssec: info:   validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:02:58.853 dnssec: info:   validating ip6.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:02:58.865 dnssec: info:   validating ip6.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:02:58.894 dnssec: info:   validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:02:59.026 dnssec: info:   validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:02:59.105 dnssec: info:   validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:02:59.631 dnssec: info:   validating ip6.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:00.401 dnssec: info:   validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:00.916 dnssec: info:   validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:02.020 dnssec: info:   validating ip6.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:02.580 dnssec: info:   validating ip6.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:03.038 dnssec: info:   validating ip6.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:03.191 dnssec: info:   validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:03.800 dnssec: info:   validating ip6.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:03.807 dnssec: info:   validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:04.489 dnssec: info:   validating ip6.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:04.501 dnssec: info:   validating ip6.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:04.512 dnssec: info:   validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:04.543 dnssec: info:   validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:04.572 dnssec: info:   validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:04.583 dnssec: info:   validating ip6.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:05.063 dnssec: info:   validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:05.554 dnssec: info:   validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:12.480 dnssec: info:   validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:25.724 dnssec: info: validating ntp.se/A: got insecure response; parent indicates it should be secure
04-Feb-2020 13:03:25.733 dnssec: info: validating ntp.se/A: got insecure response; parent indicates it should be secure
04-Feb-2020 13:03:25.809 dnssec: info: validating ntp.se/DNSKEY: got insecure response; parent indicates it should be secure
04-Feb-2020 13:03:25.817 dnssec: info: validating ntp.se/DNSKEY: got insecure response; parent indicates it should be secure
04-Feb-2020 13:03:25.866 dnssec: info: validating ntp.se/DNSKEY: got insecure response; parent indicates it should be secure
04-Feb-2020 13:03:25.911 dnssec: info: validating ntp.se/DNSKEY: got insecure response; parent indicates it should be secure
04-Feb-2020 13:03:31.217 dnssec: info:   validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:44.155 dnssec: info:   validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:45.943 dnssec: info: validating dash.cloudflare.com/DNSKEY: got insecure response; parent indicates it should be secure
04-Feb-2020 13:03:45.961 dnssec: info: validating dash.cloudflare.com/A: got insecure response; parent indicates it should be secure
04-Feb-2020 13:03:45.992 dnssec: info: validating dash.cloudflare.com/DNSKEY: got insecure response; parent indicates it should be secure
04-Feb-2020 13:03:46.000 dnssec: info: validating dash.cloudflare.com/DNSKEY: got insecure response; parent indicates it should be secure
04-Feb-2020 13:03:47.328 dnssec: info: validating dev/DNSKEY: got insecure response; parent indicates it should be secure
04-Feb-2020 13:04:07.738 dnssec: info:   validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:04:35.668 dnssec: info:   validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:05:10.903 dnssec: info:   validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:05:24.419 dnssec: info:   validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)

This has been going on for the last 4-5 days… every day there are more errors for more domains… I went through the logs and it seems this is where it started (logs from the 28th & 30th only):

28-Jan-2020 20:33:47.532 dnssec: info:   validating one/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 06:51:08.446 dnssec: info:   validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 07:47:02.833 dnssec: info:   validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 07:47:02.837 dnssec: info:   validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 07:47:03.604 dnssec: info:   validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 07:47:03.891 dnssec: info:   validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 07:47:03.895 dnssec: info:   validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 07:50:47.412 dnssec: info:   validating am/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 07:50:47.417 dnssec: info:   validating am/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 09:18:24.840 dnssec: info: validating mobi/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 09:48:07.246 dnssec: info:   validating lt/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 16:10:40.144 dnssec: info: validating aco.net/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 16:10:40.289 dnssec: info:   validating aco.net/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 16:10:40.658 dnssec: info: validating ts2.aco.net/A: got insecure response; parent indicates it should be secure
30-Jan-2020 16:11:43.357 dnssec: info:   validating 4.1.1.0.0.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 16:11:45.232 dnssec: info:   validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 16:11:45.773 dnssec: info: validating 0.a.2.ip6.arpa/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 16:11:46.144 dnssec: info:   validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 16:11:46.735 dnssec: info:   validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 16:11:47.875 dnssec: info:   validating 6.0.1.0.0.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 16:11:48.203 dnssec: info:   validating 6.0.1.0.0.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 16:11:48.977 dnssec: info: validating 6.0.1.0.0.2.ip6.arpa/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 16:11:49.568 dnssec: info:   validating 6.0.1.0.0.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 16:11:50.908 dnssec: info:   validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 16:11:51.653 dnssec: info:   validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 16:36:17.298 dnssec: info: validating app.uriports.com/A: got insecure response; parent indicates it should be secure
30-Jan-2020 17:04:25.562 dnssec: info: validating 0.a.2.ip6.arpa/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 17:04:25.632 dnssec: info: validating 0.a.2.ip6.arpa/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 17:04:25.635 dnssec: info: validating 0.a.2.ip6.arpa/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 17:33:10.734 dnssec: info:   validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 17:33:10.738 dnssec: info:   validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 17:33:13.504 dnssec: info:   validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 17:33:13.978 dnssec: info:   validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 17:33:14.550 dnssec: info: validating aco.net/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 17:33:14.867 dnssec: info:   validating aco.net/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 17:33:14.935 dnssec: info:   validating aco.net/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 17:33:15.022 dnssec: info: validating ts2.aco.net/AAAA: got insecure response; parent indicates it should be secure
30-Jan-2020 18:26:03.898 dnssec: info:   validating guru/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 18:26:03.943 dnssec: info:   validating guru/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 18:26:04.061 dnssec: info: validating guru/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 18:26:04.065 dnssec: info: validating guru/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 19:01:46.245 dnssec: info: validating mobi/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 19:04:11.574 dnssec: info: validating 0.a.2.ip6.arpa/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 19:04:11.998 dnssec: info:   validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 19:04:14.120 dnssec: info:   validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 19:05:42.872 dnssec: info: validating aco.net/AAAA: got insecure response; parent indicates it should be secure
30-Jan-2020 19:14:25.010 dnssec: info: validating t-2.com/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 19:52:26.501 dnssec: info:   validating sc/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 20:20:55.464 dnssec: info:   validating in/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 21:07:12.520 dnssec: info:   validating rootonline.de/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 21:07:12.582 dnssec: info: validating rootonline.de/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 21:07:12.687 dnssec: info: validating viewer-geolocation.twitch-ext.rootonline.de/AAAA: got insecure response; parent indicates it should be secure
30-Jan-2020 21:30:01.495 dnssec: info:   validating promo/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 21:30:01.625 dnssec: info:   validating promo/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 21:30:02.121 dnssec: info: validating promo/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 21:30:02.513 dnssec: info: validating promo/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 22:49:42.586 dnssec: info: validating agency/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 23:10:29.451 dnssec: info:   validating 143.221.in-addr.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 23:25:05.352 dnssec: info:   validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 23:25:06.167 dnssec: info:   validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 23:25:06.171 dnssec: info:   validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 23:25:06.376 dnssec: info:   validating 0.a.2.ip6.arpa/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 23:25:08.698 dnssec: info: validating 150.in-addr.arpa/DNSKEY: got insecure response; parent indicates it should be secure
30-Jan-2020 23:25:51.766 dnssec: info:   validating test-ns-signed.internet.nl/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 23:25:51.829 dnssec: info:   validating test-ns-signed.internet.nl/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 23:25:51.982 dnssec: info:   validating test-ns-signed.internet.nl/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 23:25:51.990 dnssec: info:   validating test-ns-signed.internet.nl/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 23:25:51.998 dnssec: info:   validating test-ns-signed.internet.nl/SOA: got insecure response; parent indicates it should be secure
30-Jan-2020 23:46:42.503 dnssec: info:   validating instant-gaming.com/SOA: got insecure response; parent indicates it should be secure

And if this helps, DNS over IPv4 uses the Zagreb, Croatia datacenter and IPv6 uses the Austrian one.

Also, changing it to Google DNS fixes the issue, and/or turning DNSSEC validation off (but this is not the point)… I really find it interesting that there are in general still so many problems with DNSSEC these days… if some random page doesn't work for a few days, check the DNS server logs, because there's a good chance you will find something wrong with resolving it (or it is resolving very slowly)… honestly, in the last year, as DNSSEC has become more adopted, there were a few times I was asking myself if I should just turn off DNSSEC validation, because if admins are not putting effort into keeping it up, what's the point? Expired keys, a KSK at the top domain but no DNSSEC in the subdomain, and things like that… unmaintained DNSSEC literally breaks the internet; that's why most ISPs in my country have it turned off… the sad thing is, KSKs "should" be rolled over every few years (the part where you maybe need to "bother" someone else) and ZSKs you can roll over automatically every couple of months if you have access to the DNS servers… if I can do it for my worthless home domain, then why can't admins who are paid for doing things like that do it for way more important domains…
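A triage script for the BIND "dnssec" category log lines quoted above, added here as an example and not part of the original post. It assumes the log format shown in the post and embeds a few of its lines as constructed sample input; grouping by message kind, by name/type and by the cached record BIND blames in "bad cache hit (...)" shows that the ip6.arpa/DS and in-addr.arpa/DS failures are knock-on effects of the single failed arpa/DNSKEY validation, and that many unrelated zones failing at once points at the upstream path rather than at any one zone.

```python
"""Triage BIND 'dnssec' log lines: group failures by kind, name/type and blamed record."""
import re
from collections import Counter
from datetime import datetime

# Example line: 04-Feb-2020 13:02:57.891 dnssec: info: validating arpa/DNSKEY: got insecure ...
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"dnssec: (?P<level>\w+):\s+validating (?P<name>\S+)/(?P<rtype>[A-Z0-9]+): (?P<msg>.*)$"
)
BAD_CACHE_RE = re.compile(r"^bad cache hit \((?P<blamed>[^)]+)\)")
INSECURE_MSG = "got insecure response; parent indicates it should be secure"


def parse_line(line):
    """Return a dict for a dnssec validation line, or None for any other log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    bad = BAD_CACHE_RE.match(msg)
    if bad:  # validator reused a cached failure for the record named in parentheses
        kind, blamed = "bad_cache_hit", bad.group("blamed")
    elif msg.startswith(INSECURE_MSG):  # unsigned answer where the parent has a DS
        kind, blamed = "insecure_under_secure_parent", None
    else:
        kind, blamed = "other", None
    return {"ts": datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f"),
            "name": m.group("name").lower().rstrip("."), "rtype": m.group("rtype"),
            "kind": kind, "blamed": blamed}


def summarize(log_text):
    """Aggregate failures; 'first_seen' per name answers 'where did it start?'."""
    by_kind, by_name, blamed, first_seen = Counter(), Counter(), Counter(), {}
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        by_kind[rec["kind"]] += 1
        by_name[(rec["name"], rec["rtype"])] += 1
        if rec["blamed"]:
            blamed[rec["blamed"]] += 1
        if rec["name"] not in first_seen or rec["ts"] < first_seen[rec["name"]]:
            first_seen[rec["name"]] = rec["ts"]
    return {"by_kind": by_kind, "by_name": by_name, "blamed": blamed,
            "first_seen": first_seen, "distinct_names": len(first_seen)}


# Constructed sample: lines copied from the post, plus one unrelated 'general' line to skip.
SAMPLE_LOG = """\
04-Feb-2020 13:02:45.178 general: info: received control channel command 'flush'
04-Feb-2020 13:02:57.891 dnssec: info: validating arpa/DNSKEY: got insecure response; parent indicates it should be secure
04-Feb-2020 13:02:57.922 dnssec: info: validating arpa/DNSKEY: got insecure response; parent indicates it should be secure
04-Feb-2020 13:02:57.973 dnssec: info:   validating ip6.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:02:58.836 dnssec: info: validating in-addr.arpa/DS: bad cache hit (arpa/DNSKEY)
04-Feb-2020 13:03:25.724 dnssec: info: validating ntp.se/A: got insecure response; parent indicates it should be secure
04-Feb-2020 13:03:25.809 dnssec: info: validating ntp.se/DNSKEY: got insecure response; parent indicates it should be secure
04-Feb-2020 13:03:45.961 dnssec: info: validating dash.cloudflare.com/A: got insecure response; parent indicates it should be secure
30-Jan-2020 07:50:47.412 dnssec: info:   validating am/SOA: got insecure response; parent indicates it should be secure
"""

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(dict(s["by_kind"]), "distinct names:", s["distinct_names"], "blamed:", dict(s["blamed"]))
    for (name, rtype), n in s["by_name"].most_common():
        print(f"{n:3d}  {name}/{rtype}  first seen {s['first_seen'][name]}")
```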

Please find a reply in English below this one …

According to the statistics, see here the state of DNSSEC support, validation and correctness for our ISPs:
https://stats.labs.apnic.net/dnssec/HR

In other words, weak. As far as the replies I got by e-mail go, officially not a single ISP in Croatia supports DNSSEC. Maybe something has changed in the last year since then, but I doubt it.

Also, if you have DNSSEC on your domain and you go with Cloudflare, then you must have the ability and support for algorithm 13.

Since about 5-6 months ago, DNSSEC algorithm 13 has been introduced for the .hr ccTLD (incl. .com.hr, from.hr, iz.hr, .hr).

Which web browser are you using?

I have Cloudflare 1.1.1.1 and 1.0.0.1 added under DNS servers on the router, in the Network Center on Windows and in the web browser.
Everything works fine for me.

  • I use Tele 2 (visibly the one with the highest validation percentage according to the link in the statistics above)

Did you restart the router or anything?


According to the DNSSEC validation statistics for Croatia, please find the current state of its support for validation by Croatian ISPs at the link below:
https://stats.labs.apnic.net/dnssec/HR

In other words, weak support. As far as the answers I received to my e-mail inquiries go, officially no ISP in the Republic of Croatia supports DNSSEC in general. Maybe something has changed in the last year since then; however, I doubt it.

Also, if you have DNSSEC on your domain and you go with Cloudflare, then you need to have the ability and support for algorithm 13 on the domain and at the registrar.

From approx. 5-6 months ago, DNSSEC algorithm 13 was introduced for the .hr ccTLD (incl. .com.hr, from.hr, iz.hr, .hr).

Which Web browser are you using?

I have Cloudflare 1.1.1.1 and 1.0.0.1 added under the DNS servers on the router interface, on the network connection in Network Center on Windows, and in the web browser (using Cloudflare in Firefox).
Everything works OK for me.

  • I use Tele 2 (which apparently has the highest percentage of validation according to the link from the statistics above)

Did you restart your router or anything else?

Most likely it is a matter of, e.g., bind9 or Apache; by now that should already be there "by default".
However, either turn it off or use another resolver?:

dnssec-enable no;
dnssec-validation no;

If we want to use it, then I believe we have to turn off the forwarder?

options {
        directory "/var/cache/bind";
        //forwarders {
        //      8.8.8.8;
        //};

        dnssec-validation auto;
        dnssec-enable yes;
        dnssec-lookaside auto;
};

Yes, that internet is a weird thing.


Most likely in the case of bind9 or Apache, for example, it should now already be there "by default".
However, you can either use resolvers that support DNSSEC or temporarily disable the feature on your server:

dnssec-enable no;
dnssec-validation no;

If you do want to use DNSSEC in this manner, then disable your forwarder in named.conf.options:

options {
        directory "/var/cache/bind";
        //forwarders {
        //      8.8.8.8;
        //};

        dnssec-validation auto;
        dnssec-enable yes;
        dnssec-lookaside auto;
};

Yes, the Internet is a weird place :)