[Yeti DNS Discuss] Microsoft DNS Yeti root server doesn't speak DNSSEC?

Carsten Strotmann carsten at strotmann.de
Sun Jul 24 18:56:23 UTC 2016


UPDATE:

Problem solved (thanks to Greg Lindsay, Microsoft, see
http://lists.cloudapp.net/pipermail/windns-users/2016-July/000133.html ).

Yeti-dns02 now does answer with DNSSEC records again.

TIL: there is a "knob" in a Windows DNS server to enable/disable DNSSEC

-- Carsten


Carsten Strotmann wrote:
> Hi,
> 
> UPDATE:
> 
> I tried to reproduce the issue on two VMs with an identical Windows OS
> install. The issues did not appear even after all updates applied.
> 
> So a regression due to a Windows Update is unlikely.
> 
> I will now test the software tools I've installed to get the Yeti-DNS
> Monitoring going (Wireshark/TShark with WinPCAP, OpenSSH). Either one of
> these causes the DNSSEC to fail, or I have a working VM that I can use
> to switch out the dysfunctional Yeti-DNS02 instance.
> 
> -- Carsten
> 
> 
> Carsten Strotmann wrote:
>> Hi,
>>
>> I've been able to dig deeper into the Windows 2016 DNSSEC issue.
>>
>> I have a Windows 2016 machine in a VM that is working as expected (=
>> DNSSEC data from the yeti-zone, as well as other DNSSEC zones hosted on
>> the server, are returned):
>>
>>
>> $ dig @172.22.1.150 . soa +dnssec
>> ; <<>> DiG 9.10.4-P1 <<>> @172.22.1.150 . soa +dnssec
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47761
>> ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>> ;; WARNING: recursion requested but not available
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 4000
>> ;; QUESTION SECTION:
>> ;.                              IN      SOA
>>
>> ;; ANSWER SECTION:
>> .                       86400   IN      SOA     www.yeti-dns.org.
>> hostmaster.yeti-dns.org. 2016072400 1800 900 604800 86400
>> .                       86400   IN      RRSIG   SOA 8 0 86400
>> 20160823050103 20160724050103 25083 .
>> jTC34IPlGyKGRCXVW3yTM8r3WmpEUr1KXcq18abiWTD4I667quB36Fv/
>> zmIHHjsAB4GhEfnIh3u55Jerl+Sgs4VtjQuneEUxOiGGE7FH2afoTF6y
>> XtcCLJp5rO/JjeGeVtWhTNe7BsrHhhbFtKcnFAGCTlCncF9rbDzVfwrA
>> E27UGzeRpIXU/w5dq0UPiSaFBVonJ67+wvxWv6CrS9O/jB/ra3yhjgdC
>> 6xSfwdEGgEDgOYBsJPUmiDtqsPvbnZYFgejAA91UM4OWa04acl6al63U
>> lqRkuqtpoHBAUaSYOUNAUrbZpQaAp0mW/IzgY8hTqs34n49IxpTQJ9qD ksYk5w==
>>
>> ;; Query time: 0 msec
>> ;; SERVER: 172.22.1.150#53(172.22.1.150)
>> ;; WHEN: Sun Jul 24 13:12:09 CEST 2016
>> ;; MSG SIZE  rcvd: 378
>>
>>
>> The same response from "yeti-dns02.dnsworkshop.org" is missing the RRSIGs
>>
>> $ dig @yeti-dns02.dnsworkshop.org . soa +dnssec
>>
>> ; <<>> DiG 9.10.4-P1 <<>> @yeti-dns02.dnsworkshop.org . soa +dnssec
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63829
>> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>> ;; WARNING: recursion requested but not available
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 4000
>> ;; QUESTION SECTION:
>> ;.                              IN      SOA
>>
>> ;; ANSWER SECTION:
>> .                       86400   IN      SOA     www.yeti-dns.org.
>> hostmaster.yeti-dns.org. 2016072400 1800 900 604800 86400
>>
>> ;; Query time: 87 msec
>> ;; SERVER: 2001:19f0:0:1133::53#53(2001:19f0:0:1133::53)
>> ;; WHEN: Sun Jul 24 13:19:31 CEST 2016
>> ;; MSG SIZE  rcvd: 91
>>
>> In both cases, the RRSIGs are in the zonefile and can be seen in the
>> Windows DNS-Manager snap-in.
>>
>> I've posted the story of this issue on the WinDNS Mailing list
>> (http://lists.cloudapp.net/pipermail/windns-users/2016-July/000131.html).
>>
>> I'll report as soon as I have more information.
>>
>> Best regards
>>
>> Carsten
>>
>>
>> On 07/06/16 00:27, Carsten Strotmann wrote:
>>> Hi Shane,
>>>
>>> On Tue, 5 Jul 2016 16:23:25 +0200
>>> Shane Kerr <shane at biigroup.cn> wrote:
>>>
>>>> Carsten,
>>>> It looks like the Microsoft DNS Yeti root server doesn't speak
>>>> DNSSEC. :(
>>> this is very strange. I'm pretty sure it worked when I've initially
>>> setup the server.
>>>
>>> I did some tests today, and the facts found are:
>>>
>>>  * the RRSIGs and other DNSSEC records exist in the zone and are
>>>    visible in the GUI manager for the DNS server 
>>>  * the server does not return DNSSEC records in queries nor in AXFR.
>>>    AXFR is now enabled, you can try.
>>>  * the RRSIGs and other DNSSEC records are returned on explicit queries
>>>    like "dig @yeti-dns02.dnsworkshop.org . rrsig"
>>>  * the same effect appears with non-root primary zones that have been
>>>    signed on the server using the Microsoft built-in DNSSEC signer. So
>>>    it's not limited to the (yeti-) root-zone
>>>
>>> It might be a regression introduced by a recent software update on the
>>> server. 
>>>
>>> Do you have monitoring information if and when the DNSSEC information
>>> stopped from yeti-dns02?
>>>
>>> I need to investigate this further in a test lab where I still have an
>>> older version of the Windows 2016 DNS server (the same version that was
>>> initially running on yeti-dns02).
>>>
>>> I will also check with Microsoft. I will also reach out to Microsoft
>>> about the two DNS protocol issues that you've discussed with Paul.
>>>
>>> Thanks for reporting this.
>>>
>>>
>>>> Surely this is something that can be fixed by turning a knob? :)
>>> None that I'm aware of. MS DNS 2012 onwards serves DNSSEC for every zone
>>> with DNSSEC records. The GUI even marks the signed primary zone as
>>> DNSSEC signed, but still all DNSSEC records are not sent on queries and
>>> AXFR. 
>>>
>>> Restarting the service and rebooting the server did *not* change the
>>> situation.
>>>
>>> Greetings
>>>
>>> Carsten
>>> _______________________________________________
>>> discuss mailing list
>>> discuss at lists.yeti-dns.org
>>> http://lists.yeti-dns.org/mailman/listinfo/discuss
>>>
> 
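The checks Carsten ran above with dig (a `. SOA` query with the DO bit set, then looking for RRSIGs in the answer) can be scripted so that monitoring catches a server that silently stops returning DNSSEC records. The probe below is an added example written for this page, not code from the thread or from the Yeti project. It uses only the Python standard library, builds the query with an EDNS0 OPT record carrying the DO bit, and reports whether RRSIGs came back with the answer. The two sample replies are constructed from the dig output in the thread (same SOA, same RRSIG header fields) with a dummy signature in place of the real one; server names on the command line and the `probe`/`verdict` functions are mine.

```python
"""Probe an authoritative server the way `dig ... +dnssec` does and report
whether RRSIGs accompany the answer.  Standard library only."""
import calendar
import secrets
import socket
import struct
import sys

TYPE_SOA, TYPE_OPT, TYPE_RRSIG = 6, 41, 46
EDNS_DO = 0x8000                      # DO bit: low 16 bits of the OPT RR's TTL field
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD = 0x8000, 0x0400, 0x0200, 0x0100


def encode_name(name: str) -> bytes:
    """Wire-format a domain name; "." is the single root label."""
    if name in ("", "."):
        return b"\x00"
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def opt_rr(do: bool, udp_size: int = 4000) -> bytes:
    """EDNS0 OPT pseudo-RR: root owner, CLASS = UDP payload size,
    TTL = ext-rcode(8) | version(8) | flags(16), empty RDATA."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, EDNS_DO if do else 0, 0)


def build_query(qname: str, qtype: int, qid: int, do: bool = True) -> bytes:
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 1)   # RD set, like dig
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1) + opt_rr(do)


def skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) name; return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:     # compression pointer terminates the name
            return off + 2
        off += 1 + length


def build_response(query: bytes, answers, do: bool = True) -> bytes:
    """Constructed authoritative reply for offline use: echo the question,
    append (type, ttl, rdata) answers owned by the qname, add an OPT RR."""
    qid = struct.unpack_from("!H", query, 0)[0]
    owner_end = skip_name(query, 12)
    owner, question = query[12:owner_end], query[12:owner_end + 4]
    header = struct.pack("!HHHHHH", qid, FLAG_QR | FLAG_AA | FLAG_RD, 1, len(answers), 0, 1)
    body = b"".join(owner + struct.pack("!HHIH", t, 1, ttl, len(rd)) + rd for t, ttl, rd in answers)
    return header + question + body + opt_rr(do)


def parse_response(msg: bytes) -> dict:
    qid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    records = []
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        records.append((rtype, rclass, ttl, msg[off:off + rdlen]))
        off += rdlen
    return {"id": qid, "flags": flags, "records": records}


def dnssec_check(msg: bytes) -> dict:
    """Reduce a reply to the facts that matter for the symptom in the thread."""
    p = parse_response(msg)
    opts = [r for r in p["records"] if r[0] == TYPE_OPT]
    return {"rcode": p["flags"] & 0xF,
            "aa": bool(p["flags"] & FLAG_AA),
            "tc": bool(p["flags"] & FLAG_TC),
            "do_echoed": bool(opts) and bool(opts[0][2] & EDNS_DO),
            "rrsig_count": sum(1 for r in p["records"] if r[0] == TYPE_RRSIG)}


def verdict(check: dict) -> str:
    if check["rcode"] != 0:
        return f"RCODE {check['rcode']}: query failed"
    if check["tc"]:
        return "TRUNCATED: retry over TCP before judging (signed answers are large)"
    if not check["do_echoed"]:
        return "NO-EDNS: OPT/DO not echoed, server is not negotiating DNSSEC"
    if check["rrsig_count"] == 0:
        return "MISSING: DO echoed but no RRSIG in the answer (the yeti-dns02 symptom)"
    return f"OK: {check['rrsig_count']} RRSIG(s) returned with the answer"


def probe(server: str, qname: str = ".", qtype: int = TYPE_SOA, timeout: float = 3.0) -> dict:
    """Network path (not exercised offline): UDP query, reply matched on ID."""
    qid = secrets.randbelow(65536)
    family, socktype, proto, _, addr = socket.getaddrinfo(server, 53, type=socket.SOCK_DGRAM)[0]
    with socket.socket(family, socktype, proto) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, qtype, qid), addr)
        while True:
            resp = s.recv(4096)
            if struct.unpack_from("!H", resp, 0)[0] == qid:   # ignore stray/spoofed IDs
                return dnssec_check(resp)


def sample_responses() -> tuple:
    """Constructed replies modelled on the dig output: SOA plus RRSIG (working
    server) and the bare SOA (yeti-dns02).  The 256 signature bytes are a dummy."""
    q = build_query(".", TYPE_SOA, 0x1234)
    soa = (encode_name("www.yeti-dns.org.") + encode_name("hostmaster.yeti-dns.org.")
           + struct.pack("!IIIII", 2016072400, 1800, 900, 604800, 86400))
    rrsig = (struct.pack("!HBBIIIH", TYPE_SOA, 8, 0, 86400,
                         calendar.timegm((2016, 8, 23, 5, 1, 3)),
                         calendar.timegm((2016, 7, 24, 5, 1, 3)), 25083)
             + encode_name(".") + bytes(256))
    return (build_response(q, [(TYPE_SOA, 86400, soa), (TYPE_RRSIG, 86400, rrsig)]),
            build_response(q, [(TYPE_SOA, 86400, soa)]))


if __name__ == "__main__":
    for msg in sample_responses():
        print("sample:", verdict(dnssec_check(msg)))
    for server in sys.argv[1:]:          # e.g. yeti-dns02.dnsworkshop.org
        print(server, "->", verdict(probe(server)))
```

Run with one or more server names or addresses as arguments (the file name is whatever you save it under); with none it only evaluates the two constructed samples. The probe tests the DO-bit path rather than an explicit `RRSIG` query, because that is what a validating resolver exercises, and the thread shows the two can disagree: yeti-dns02 answered `dig ... . rrsig` correctly while dropping the signatures from DO-flagged answers. A `MISSING` verdict against a zone you know to be signed is therefore the exact condition to alert on. The server-side switch the thread refers to only as a "knob" is not named there; to my recollection, and as an assumption here rather than something taken from the page, it is the server-wide `dnscmd /Config /EnableDnsSec 1` setting, so that is the first thing to check when a Windows DNS server shows this verdict.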

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 883 bytes
Desc: OpenPGP digital signature
URL: <http://lists.yeti-dns.org/pipermail/discuss/attachments/20160724/8b6bc566/attachment.bin>


More information about the discuss mailing list