[Yeti DNS Discuss] Microsoft DNS Yeti root server doesn't speak DNSSEC?

Shane Kerr shane at biigroup.cn
Mon Jul 25 09:49:53 UTC 2016


Carsten,

Wow, good news! :)

(And now you know the secret magic words to tell Windows DNS server in
the future, too... bonus!)

Cheers,

--
Shane

At 2016-07-24 20:56:23 +0200
Carsten Strotmann <carsten at strotmann.de> wrote:

> UPDATE:
> 
> Problem solved (thanks to Greg Lindsay, Microsoft, see
> http://lists.cloudapp.net/pipermail/windns-users/2016-July/000133.html ).
> 
> Yeti-dns02 now does answer with DNSSEC records again.
> 
> TIL: there is a "knob" in a Windows DNS server to enable/disable DNSSEC
> 
> -- Carsten
> 
> 
> Carsten Strotmann wrote:
> > Hi,
> > 
> > UPDATE:
> > 
> > I tried to reproduce the issue on two VMs with an identical Windows OS
> > install. The issues did not appear even after all updates applied.
> > 
> > So a regression due to a Windows Update is unlikely.
> > 
> > I will now test the software tools I've installed to get the Yeti-DNS
> > Monitoring going (Wireshark/TShark with WinPCAP, OpenSSH). Either one of
> > these causes the DNSSEC to fail, or I have a working VM that I can use
> > to switch out the dysfunctional Yeti-DNS02 instance.
> > 
> > -- Carsten
> > 
> > 
> > Carsten Strotmann wrote:  
> >> Hi,
> >>
> >> I've been able to dig deeper into the Windows 2016 DNSSEC issue.
> >>
> >> I have a Windows 2016 machine in a VM that is working as expected (=
> >> DNSSEC data from the yeti-zone, as well as other DNSSEC zones hosted on
> >> the server, are returned):
> >>
> >>
> >> $ dig @172.22.1.150 . soa +dnssec
> >> ; <<>> DiG 9.10.4-P1 <<>> @172.22.1.150 . soa +dnssec
> >> ; (1 server found)
> >> ;; global options: +cmd
> >> ;; Got answer:
> >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47761
> >> ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
> >> ;; WARNING: recursion requested but not available
> >>
> >> ;; OPT PSEUDOSECTION:
> >> ; EDNS: version: 0, flags: do; udp: 4000
> >> ;; QUESTION SECTION:
> >> ;.                              IN      SOA
> >>
> >> ;; ANSWER SECTION:
> >> .                       86400   IN      SOA     www.yeti-dns.org.
> >> hostmaster.yeti-dns.org. 2016072400 1800 900 604800 86400
> >> .                       86400   IN      RRSIG   SOA 8 0 86400
> >> 20160823050103 20160724050103 25083 .
> >> jTC34IPlGyKGRCXVW3yTM8r3WmpEUr1KXcq18abiWTD4I667quB36Fv/
> >> zmIHHjsAB4GhEfnIh3u55Jerl+Sgs4VtjQuneEUxOiGGE7FH2afoTF6y
> >> XtcCLJp5rO/JjeGeVtWhTNe7BsrHhhbFtKcnFAGCTlCncF9rbDzVfwrA
> >> E27UGzeRpIXU/w5dq0UPiSaFBVonJ67+wvxWv6CrS9O/jB/ra3yhjgdC
> >> 6xSfwdEGgEDgOYBsJPUmiDtqsPvbnZYFgejAA91UM4OWa04acl6al63U
> >> lqRkuqtpoHBAUaSYOUNAUrbZpQaAp0mW/IzgY8hTqs34n49IxpTQJ9qD ksYk5w==
> >>
> >> ;; Query time: 0 msec
> >> ;; SERVER: 172.22.1.150#53(172.22.1.150)
> >> ;; WHEN: Sun Jul 24 13:12:09 CEST 2016
> >> ;; MSG SIZE  rcvd: 378
> >>
> >>
> >> The same response from "yeti-dns02.dnsworkshop.org" is missing the RRSIGs:
> >>
> >> $ dig @yeti-dns02.dnsworkshop.org . soa +dnssec
> >>
> >> ; <<>> DiG 9.10.4-P1 <<>> @yeti-dns02.dnsworkshop.org . soa +dnssec
> >> ; (1 server found)
> >> ;; global options: +cmd
> >> ;; Got answer:
> >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63829
> >> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> >> ;; WARNING: recursion requested but not available
> >>
> >> ;; OPT PSEUDOSECTION:
> >> ; EDNS: version: 0, flags: do; udp: 4000
> >> ;; QUESTION SECTION:
> >> ;.                              IN      SOA
> >>
> >> ;; ANSWER SECTION:
> >> .                       86400   IN      SOA     www.yeti-dns.org.
> >> hostmaster.yeti-dns.org. 2016072400 1800 900 604800 86400
> >>
> >> ;; Query time: 87 msec
> >> ;; SERVER: 2001:19f0:0:1133::53#53(2001:19f0:0:1133::53)
> >> ;; WHEN: Sun Jul 24 13:19:31 CEST 2016
> >> ;; MSG SIZE  rcvd: 91
> >>
> >> In both cases, the RRSIGs are in the zonefile and can be seen in the
> >> Windows DNS-Manager snap-in.
> >>
> >> I've posted the story of this issue on the WinDNS Mailing list
> >> (http://lists.cloudapp.net/pipermail/windns-users/2016-July/000131.html).
> >>
> >> I'll report as soon as I have more information.
> >>
> >> Best regards
> >>
> >> Carsten
> >>
> >>
> >> On 07/06/16 00:27, Carsten Strotmann wrote:  
> >>> Hi Shane,
> >>>
> >>> On Tue, 5 Jul 2016 16:23:25 +0200
> >>> Shane Kerr <shane at biigroup.cn> wrote:
> >>>  
> >>>> Carsten,
> >>>> It looks like the Microsoft DNS Yeti root server doesn't speak
> >>>> DNSSEC. :(  
> >>> This is very strange. I'm pretty sure it worked when I initially
> >>> set up the server.
> >>>
> >>> I did some tests today, and the facts found are:
> >>>
> >>>  * the RRSIGs and other DNSSEC records exist in the zone and are
> >>>    visible in the GUI manager for the DNS server
> >>>  * the server does not return DNSSEC records in queries nor in AXFR.
> >>>    AXFR is now enabled, you can try.
> >>>  * the RRSIGs and other DNSSEC records are returned on explicit queries
> >>>    like "dig @yeti-dns02.dnsworkshop.org . rrsig"
> >>>  * the same effect appears with non-root primary zones that have been
> >>>    signed on the server using the Microsoft built-in DNSSEC signer. So
> >>>    it's not limited to the (yeti-) root-zone
> >>>
> >>> It might be a regression introduced by a recent software update on the
> >>> server.
> >>>
> >>> Do you have monitoring information on if and when the DNSSEC information
> >>> from yeti-dns02 stopped?
> >>>
> >>> I need to investigate this further in a test lab where I still have an
> >>> older version of the Windows 2016 DNS server (the same version that was
> >>> initially running on yeti-dns02).
> >>>
> >>> I will also check with Microsoft. I will also reach out to Microsoft
> >>> about the two DNS protocol issues that you've discussed with Paul.
> >>>
> >>> Thanks for reporting this.
> >>>
> >>>  
> >>>> Surely this is something that can be fixed by turning a knob? :)  
> >>> None that I'm aware of. MS DNS 2012 onwards serves DNSSEC for every zone
> >>> with DNSSEC records. The GUI even marks the signed primary zone as
> >>> DNSSEC signed, but still all DNSSEC records are not sent on queries and
> >>> AXFR.
> >>>
> >>> Restarting the service and rebooting the server did *not* change the
> >>> situation.
> >>>
> >>> Greetings
> >>>
> >>> Carsten
> >>> _______________________________________________
> >>> discuss mailing list
> >>> discuss at lists.yeti-dns.org
> >>> http://lists.yeti-dns.org/mailman/listinfo/discuss
> >>>  
> > 
> 
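The monitoring check Shane is asked about in the thread, written as an added example (not code from the thread or from Yeti): a stdlib-only Python parser for a DNS wire-format response that reports whether a +dnssec query was answered with an RRSIG covering the queried type and whether the DO bit was echoed. The two sample responses are constructed here to mirror the dig outputs quoted above (a working server vs. yeti-dns02); the RRSIG signature bytes are fake.

```python
import struct
SOA, OPT, RRSIG, DO_FLAG, ROOT = 6, 41, 46, 0x8000, b"\x00"   # DO bit = top bit of the OPT TTL

def _read_name(wire, off):
    """Decode a possibly compressed owner name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = wire[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            end = end or off + 2                    # remember where the name ended, once
            off = struct.unpack_from("!H", wire, off)[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            return ".".join(labels) + ".", end or off
        labels.append(wire[off:off + ln].decode("ascii"))
        off += ln

def parse_response(wire):
    """Return (qtype, answer-section records as (name, type, rdata), DO bit echoed in OPT)."""
    _, _, qd, an, ns, ar = struct.unpack_from("!6H", wire, 0)
    assert qd == 1, "a dig-style response carries exactly one question"
    _, off = _read_name(wire, 12)
    qtype, off = struct.unpack_from("!H", wire, off)[0], off + 4
    answers, do_echoed = [], False
    for idx in range(an + ns + ar):
        name, off = _read_name(wire, off)
        rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", wire, off)
        rdata, off = wire[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == OPT:
            do_echoed = bool(ttl & DO_FLAG)
        elif idx < an:                              # keep answer-section records only
            answers.append((name, rtype, rdata))
    return qtype, answers, do_echoed

def dnssec_answer_ok(wire):
    """True only if DO was echoed and an answer-section RRSIG covers the queried type."""
    qtype, answers, do_echoed = parse_response(wire)
    covered = {struct.unpack_from("!H", rd)[0] for _, rt, rd in answers if rt == RRSIG}
    return do_echoed and qtype in covered

# Constructed wire samples mirroring the two dig outputs above; the signature bytes are fake.
def _rr(name, rtype, rclass, ttl, rdata):
    return name + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

SOA_RD = (b"\x03www\x08yeti-dns\x03org\x00\x0ahostmaster\x08yeti-dns\x03org\x00"
          + struct.pack("!5I", 2016072400, 1800, 900, 604800, 86400))
RRSIG_RD = struct.pack("!HBBIIIH", SOA, 8, 0, 86400, 1471928463, 1469336463, 25083) + ROOT + b"FAKESIG"
OPT_RR = _rr(ROOT, OPT, 4000, DO_FLAG, b"")            # OPT class field carries the UDP size
QUESTION = ROOT + struct.pack("!HH", SOA, 1)
SIGNED = struct.pack("!6H", 47761, 0x8500, 1, 2, 0, 1) + QUESTION + _rr(ROOT, SOA, 1, 86400, SOA_RD) + _rr(ROOT, RRSIG, 1, 86400, RRSIG_RD) + OPT_RR
UNSIGNED = struct.pack("!6H", 63829, 0x8500, 1, 1, 0, 1) + QUESTION + _rr(ROOT, SOA, 1, 86400, SOA_RD) + OPT_RR
```

Feeding the raw bytes of a real UDP reply into `dnssec_answer_ok` turns the "flags: do but no RRSIG" symptom from the second dig output into a single boolean a monitor can alert on.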